RedHatRHSA-2022:1276(RHSA-2022:1276) Important: Red Hat OpenShift Service Mesh 2.0.9 security update
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:N/I:N/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
88.7%
Red Hat OpenShift Service Mesh is Red Hat’s distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation.
This advisory covers the RPM packages for the release.
Security Fix(es):
-
gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation (CVE-2021-3121)
-
envoy: Incorrect configuration handling allows mTLS session re-use without re-validation (CVE-2022-21654)
-
envoy: Incorrect handling of internal redirects to routes with a direct response entry (CVE-2022-21655)
-
istio: Unauthenticated control plane denial of service attack due to stack exhaustion (CVE-2022-24726)
-
golang.org/x/text: Panic in language.ParseAcceptLanguage while parsing -u- extension (CVE-2020-28851)
-
golang.org/x/text: Panic in language.ParseAcceptLanguage while processing bcp47 tag (CVE-2020-28852)
-
nodejs-axios: Regular expression denial of service in trim function (CVE-2021-3749)
-
ulikunitz/xz: Infinite loop in readUvarint allows for denial of service (CVE-2021-29482)
-
golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet (CVE-2021-29923)
-
golang: net/http/httputil: panic due to racy read of persistConn after handler panic (CVE-2021-36221)
-
golang.org/x/crypto: empty plaintext packet causes panic (CVE-2021-43565)
-
envoy: Null pointer dereference when using JWT filter safe_regex match (CVE-2021-43824)
-
envoy: Use-after-free when response filters increase response data (CVE-2021-43825)
-
envoy: Use-after-free when tunneling TCP over HTTP (CVE-2021-43826)
-
envoy: Stack exhaustion when a cluster is deleted via Cluster Discovery Service (CVE-2022-23606)
-
istio: unauthenticated control plane denial of service attack (CVE-2022-23635)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| RedHat | 8 | s390x | servicemesh-proxy | < 2.0.9-3.el8 | servicemesh-proxy-2.0.9-3.el8.s390x.rpm |
| RedHat | 8 | s390x | servicemesh | < 2.0.9-3.el8 | servicemesh-2.0.9-3.el8.s390x.rpm |
| RedHat | 8 | s390x | servicemesh-operator | < 2.0.9-3.el8 | servicemesh-operator-2.0.9-3.el8.s390x.rpm |
| RedHat | 8 | s390x | servicemesh-prometheus | < 2.14.0-16.el8.1 | servicemesh-prometheus-2.14.0-16.el8.1.s390x.rpm |
| RedHat | 8 | s390x | servicemesh-mixs | < 2.0.9-3.el8 | servicemesh-mixs-2.0.9-3.el8.s390x.rpm |
| RedHat | 8 | ppc64le | kiali | < v1.24.7.redhat1-1.el8 | kiali-v1.24.7.redhat1-1.el8.ppc64le.rpm |
| RedHat | 8 | ppc64le | servicemesh-pilot-agent | < 2.0.9-3.el8 | servicemesh-pilot-agent-2.0.9-3.el8.ppc64le.rpm |
| RedHat | 8 | x86_64 | servicemesh-istioctl | < 2.0.9-3.el8 | servicemesh-istioctl-2.0.9-3.el8.x86_64.rpm |
| RedHat | 8 | x86_64 | servicemesh-pilot-discovery | < 2.0.9-3.el8 | servicemesh-pilot-discovery-2.0.9-3.el8.x86_64.rpm |
| RedHat | 8 | s390x | servicemesh-pilot-agent | < 2.0.9-3.el8 | servicemesh-pilot-agent-2.0.9-3.el8.s390x.rpm |
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:N/I:N/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
88.7%