(RHSA-2021:1538) Important: Red Hat OpenShift Service Mesh 2.0.4 security update

2021-05-1123:06:43

access.redhat.com

red hat openshift service mesh

istio service mesh

security update

cve-2021-29492

cve-2021-31920

authorization bypass

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

8.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

EPSS

0.004

Percentile

73.9%

JSON

Red Hat OpenShift Service Mesh is Red Hat’s distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation.

Security Fix(es):

envoyproxy/envoy: HTTP request with escaped slash characters can bypass Envoy’s authorization mechanisms (CVE-2021-29492)
istio/istio: HTTP request with escaped slash characters can bypass authorization mechanisms (CVE-2021-31920)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

OSVersionArchitecturePackageVersionFilename
RedHat8ppc64leservicemesh-proxy< 2.0.4-1.el8servicemesh-proxy-2.0.4-1.el8.ppc64le.rpm
RedHat8s390xservicemesh-operator< 2.0.4-3.el8servicemesh-operator-2.0.4-3.el8.s390x.rpm
RedHat8s390xservicemesh-mixs< 2.0.4-1.el8servicemesh-mixs-2.0.4-1.el8.s390x.rpm
RedHat8s390xservicemesh-proxy< 2.0.4-1.el8servicemesh-proxy-2.0.4-1.el8.s390x.rpm
RedHat8ppc64leservicemesh-pilot-agent< 2.0.4-1.el8servicemesh-pilot-agent-2.0.4-1.el8.ppc64le.rpm
RedHat8s390xservicemesh-mixc< 2.0.4-1.el8servicemesh-mixc-2.0.4-1.el8.s390x.rpm
RedHat8ppc64leservicemesh-mixs< 2.0.4-1.el8servicemesh-mixs-2.0.4-1.el8.ppc64le.rpm
RedHat8s390xservicemesh-pilot-discovery< 2.0.4-1.el8servicemesh-pilot-discovery-2.0.4-1.el8.s390x.rpm
RedHat8x86_64servicemesh-operator< 2.0.4-3.el8servicemesh-operator-2.0.4-3.el8.x86_64.rpm
RedHat8ppc64leservicemesh-mixc< 2.0.4-1.el8servicemesh-mixc-2.0.4-1.el8.ppc64le.rpm

OS	Version	Architecture	Package	Version	Filename
RedHat	8	ppc64le	servicemesh-proxy	< 2.0.4-1.el8	servicemesh-proxy-2.0.4-1.el8.ppc64le.rpm
RedHat	8	s390x	servicemesh-operator	< 2.0.4-3.el8	servicemesh-operator-2.0.4-3.el8.s390x.rpm
RedHat	8	s390x	servicemesh-mixs	< 2.0.4-1.el8	servicemesh-mixs-2.0.4-1.el8.s390x.rpm
RedHat	8	s390x	servicemesh-proxy	< 2.0.4-1.el8	servicemesh-proxy-2.0.4-1.el8.s390x.rpm
RedHat	8	ppc64le	servicemesh-pilot-agent	< 2.0.4-1.el8	servicemesh-pilot-agent-2.0.4-1.el8.ppc64le.rpm
RedHat	8	s390x	servicemesh-mixc	< 2.0.4-1.el8	servicemesh-mixc-2.0.4-1.el8.s390x.rpm
RedHat	8	ppc64le	servicemesh-mixs	< 2.0.4-1.el8	servicemesh-mixs-2.0.4-1.el8.ppc64le.rpm
RedHat	8	s390x	servicemesh-pilot-discovery	< 2.0.4-1.el8	servicemesh-pilot-discovery-2.0.4-1.el8.s390x.rpm
RedHat	8	x86_64	servicemesh-operator	< 2.0.4-3.el8	servicemesh-operator-2.0.4-3.el8.x86_64.rpm
RedHat	8	ppc64le	servicemesh-mixc	< 2.0.4-1.el8	servicemesh-mixc-2.0.4-1.el8.ppc64le.rpm