RedHat: RHSA-2019-4222:01 Critical: Red Hat OpenShift Service Mesh 1.0.3

    Date: 11 Dec 2019
    Posted By: LinuxSecurity Advisories
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA256
    
    =====================================================================
                       Red Hat Security Advisory
    
    Synopsis:          Critical: Red Hat OpenShift Service Mesh 1.0.3 RPMs security update
    Advisory ID:       RHSA-2019:4222-01
    Product:           Red Hat OpenShift Service Mesh
    Advisory URL:      https://access.redhat.com/errata/RHSA-2019:4222
    Issue date:        2019-12-11
    CVE Names:         CVE-2019-18801 CVE-2019-18802 CVE-2019-18838 
    =====================================================================
    
    1. Summary:
    
    Red Hat OpenShift Service Mesh 1.0.3.
    
    Red Hat Product Security has rated this update as having a security impact
    of Critical. A Common Vulnerability Scoring System (CVSS) base score, which
    gives a detailed severity rating, is available for each vulnerability from
    the CVE link(s) in the References section.
    
    2. Relevant releases/architectures:
    
    OpenShift Service Mesh 1.0 - x86_64
    Red Hat OpenShift Service Mesh 1.0 - x86_64
    
    3. Description:
    
    Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio
    service mesh project, tailored for installation into an on-premise
    OpenShift Container Platform installation.
    
    This advisory covers the RPM packages for the OpenShift Service Mesh 1.0.3
    release.
    
    Security Fix(es):
    
    * An untrusted remote client may send HTTP/2 requests that write to the
    heap outside of the request buffers when the upstream is HTTP/1
    (CVE-2019-18801)
    
    * Malformed request header may cause bypass of route matchers resulting in
    escalation of privileges or information disclosure (CVE-2019-18802)
    
    * Malformed HTTP request without the Host header may cause abnormal
    termination of the Envoy process (CVE-2019-18838)
    
    For more details about the security issue(s), including the impact, a CVSS
    score, acknowledgments, and other related information, refer to the CVE
    page(s) listed in the References section.
    
    4. Solution:
    
    The OpenShift Service Mesh release notes provide information on the
    features and known issues:
    
    https://docs.openshift.com/container-platform/4.2/service_mesh/servicemesh-release-notes.html
    
    5. Bugs fixed (https://bugzilla.redhat.com/):
    
    1773444 - CVE-2019-18801 envoy: an untrusted remote client may send HTTP/2 requests that write to the heap outside of the request buffers when the upstream is HTTP/1
    1773447 - CVE-2019-18802 envoy: malformed request header may cause bypass of route matchers resulting in escalation of privileges or information disclosure
    1773449 - CVE-2019-18838 envoy: malformed HTTP request without the Host header may cause abnormal termination of the Envoy process
    
    6. Package List:
    
    Red Hat OpenShift Service Mesh 1.0:
    
    Source:
    kiali-v1.0.8.redhat1-1.el7.src.rpm
    
    x86_64:
    kiali-v1.0.8.redhat1-1.el7.x86_64.rpm
    
    OpenShift Service Mesh 1.0:
    
    Source:
    servicemesh-1.0.3-1.el8.src.rpm
    servicemesh-cni-1.0.3-1.el8.src.rpm
    servicemesh-grafana-6.2.2-25.el8.src.rpm
    servicemesh-operator-1.0.3-1.el8.src.rpm
    servicemesh-prometheus-2.7.2-26.el8.src.rpm
    servicemesh-proxy-1.0.3-1.el8.src.rpm
    
    x86_64:
    servicemesh-1.0.3-1.el8.x86_64.rpm
    servicemesh-citadel-1.0.3-1.el8.x86_64.rpm
    servicemesh-cni-1.0.3-1.el8.x86_64.rpm
    servicemesh-galley-1.0.3-1.el8.x86_64.rpm
    servicemesh-grafana-6.2.2-25.el8.x86_64.rpm
    servicemesh-grafana-prometheus-6.2.2-25.el8.x86_64.rpm
    servicemesh-istioctl-1.0.3-1.el8.x86_64.rpm
    servicemesh-mixc-1.0.3-1.el8.x86_64.rpm
    servicemesh-mixs-1.0.3-1.el8.x86_64.rpm
    servicemesh-operator-1.0.3-1.el8.x86_64.rpm
    servicemesh-pilot-agent-1.0.3-1.el8.x86_64.rpm
    servicemesh-pilot-discovery-1.0.3-1.el8.x86_64.rpm
    servicemesh-prometheus-2.7.2-26.el8.x86_64.rpm
    servicemesh-proxy-1.0.3-1.el8.x86_64.rpm
    servicemesh-sidecar-injector-1.0.3-1.el8.x86_64.rpm
    
    These packages are GPG signed by Red Hat for security.  Our key and
    details on how to verify the signature are available from
    https://access.redhat.com/security/team/key/
    
    7. References:
    
    https://access.redhat.com/security/cve/CVE-2019-18801
    https://access.redhat.com/security/cve/CVE-2019-18802
    https://access.redhat.com/security/cve/CVE-2019-18838
    https://access.redhat.com/security/updates/classification/#critical
    
    8. Contact:
    
    The Red Hat security contact is . More contact
    details at https://access.redhat.com/security/team/contact/
    
    Copyright 2019 Red Hat, Inc.
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1
    
    iQIVAwUBXfFfotzjgjWX9erEAQivZA/+Jhhsr9G9X/W+5IXLe1iUzXvE61kJDYAg
    XoruYZ3hIGVf3h5hRqHOSzmb5oaAGRwyyjvikbUPXP7FqbTKfLD3Ly7eZExhpT2X
    GEMLVbeZKIppchI7rpKgswIcy9ukph5HBuxC2Z3TGMJm1wPKzUmhlDhvivlfNuy/
    AnsxGrDLdRRwBtXsIsWhg1pcXqMJ/k/wpjwV2RRfm45cE9+ua1ZBLfT+DlUhXmVR
    hsFJboy1Ltge8Ag4J+Sl/EhNSC+6IAF0djpXpPj3QZxg2CRg0sscci9MfqZMCBIF
    b/bvRr6ZaIvrCvyr8dfyHAViv1kaz3y9Y7oyBeI33tXWHwMm18WN1fGSldMD6Gu6
    vvD2YscwroqvhHjNYdsUEp3HGIAD0Gzo8S5MJS4gcLVpjl7wJ3V2jeH3sFgFmSez
    DhRrc3/ytWtMHcVTR3PB4lHoeV9BYPxv68d57/Z74ihZanG/UAHclCYx1xHLNYQ7
    O96yQz9sC/zCJnHiuP1SsOc0TUvDtAdNg7hAMS8iN8QOTfA925adyyV0aRMczIAD
    zyTZXmBnbQ0zusrCcfUReGOzedmWM7VG2R24Wy3TSxXUJJZBRjC4mLaZtDIiRAYl
    s8LOWEpJMFZaTzHQBYAYxxH7iaBQG3FDogC6f4GzM6VQE7xM7/Hw65TtpnL2rOUe
    xmyOjC5UusE=
    =fYm1
    -----END PGP SIGNATURE-----
    
    --
    RHSA-announce mailing list
    https://www.redhat.com/mailman/listinfo/rhsa-announce
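Section 6 lists the package builds that carry the fixes, so the practical question for an operator is whether a given node already runs at least those NVRs. The script below is an added example, not part of the advisory and not Red Hat tooling: it reimplements rpm's version comparison (a simplified rpmvercmp that assumes epoch 0 and ignores the newer caret operator), splits the advisory's name-version-release strings, and grades constructed `rpm -qa`-style lines as fixed or vulnerable. The sample installed-package lines are constructed for illustration and do not describe any real host.

```python
# Added example: compare installed RPM NVRs with the fixed NVRs from RHSA-2019:4222.
# Simplifications: epoch assumed 0 for every package; rpm's '^' operator not handled.
import re
from typing import Dict, List, Tuple

# Fixed x86_64 binary packages from section 6 of the advisory.
FIXED_NVRS: List[str] = [
    "kiali-v1.0.8.redhat1-1.el7",
    "servicemesh-1.0.3-1.el8",
    "servicemesh-citadel-1.0.3-1.el8",
    "servicemesh-cni-1.0.3-1.el8",
    "servicemesh-galley-1.0.3-1.el8",
    "servicemesh-grafana-6.2.2-25.el8",
    "servicemesh-grafana-prometheus-6.2.2-25.el8",
    "servicemesh-istioctl-1.0.3-1.el8",
    "servicemesh-mixc-1.0.3-1.el8",
    "servicemesh-mixs-1.0.3-1.el8",
    "servicemesh-operator-1.0.3-1.el8",
    "servicemesh-pilot-agent-1.0.3-1.el8",
    "servicemesh-pilot-discovery-1.0.3-1.el8",
    "servicemesh-prometheus-2.7.2-26.el8",
    "servicemesh-proxy-1.0.3-1.el8",
    "servicemesh-sidecar-injector-1.0.3-1.el8",
]

# Constructed sample of `rpm -qa` output from a hypothetical node (not real data).
SAMPLE_RPM_QA = """\
servicemesh-proxy-1.0.2-1.el8.x86_64
servicemesh-pilot-discovery-1.0.3-1.el8.x86_64
servicemesh-operator-1.0.3-1.el8.x86_64
kiali-v1.0.7.redhat1-1.el7.x86_64
bash-4.4.19-10.el8.x86_64
"""

_SEGMENT = re.compile(r"~|[0-9]+|[A-Za-z]+")
_ARCHES = ("x86_64", "noarch", "src", "aarch64", "ppc64le", "s390x")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version (or release) strings like rpm: -1 older, 0 equal, 1 newer."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    i = 0
    while i < len(sa) or i < len(sb):
        x = sa[i] if i < len(sa) else None
        y = sb[i] if i < len(sb) else None
        # A tilde sorts before everything, even the end of the string: 1.0~rc1 < 1.0.
        if x == "~" or y == "~":
            if x != y:
                return -1 if x == "~" else 1
            i += 1
            continue
        # The string with more segments is newer: 1.0.3 > 1.0.
        if x is None:
            return -1
        if y is None:
            return 1
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() or y.isdigit():
            # A numeric segment is newer than an alphabetic one at the same position.
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
        i += 1
    return 0


def normalize(line: str) -> str:
    """Strip a trailing .rpm and architecture suffix from an rpm -qa style line."""
    nvr = line.strip()
    if nvr.endswith(".rpm"):
        nvr = nvr[: -len(".rpm")]
    for arch in _ARCHES:
        if nvr.endswith("." + arch):
            return nvr[: -(len(arch) + 1)]
    return nvr


def parse_nvr(nvr: str) -> Tuple[str, str, str]:
    """Split name-version-release; the name itself may contain hyphens."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def audit(installed_lines: List[str], fixed_nvrs: List[str]) -> Dict[str, str]:
    """Grade each installed package named in the advisory as 'fixed' or 'vulnerable'.

    Packages the advisory does not mention are ignored. Version decides;
    release breaks ties.
    """
    fixed: Dict[str, Tuple[str, str]] = {}
    for nvr in fixed_nvrs:
        name, version, release = parse_nvr(nvr)
        fixed[name] = (version, release)
    report: Dict[str, str] = {}
    for line in installed_lines:
        if not line.strip():
            continue
        name, version, release = parse_nvr(normalize(line))
        if name not in fixed:
            continue
        fixed_version, fixed_release = fixed[name]
        cmp = rpmvercmp(version, fixed_version) or rpmvercmp(release, fixed_release)
        report[name] = "fixed" if cmp >= 0 else "vulnerable"
    return report


if __name__ == "__main__":
    for pkg, state in sorted(audit(SAMPLE_RPM_QA.splitlines(), FIXED_NVRS).items()):
        print(f"{pkg:34} {state}")
```

On a real node, feed the script the output of `rpm -qa` instead of the constructed sample; a package that is absent from the report is simply not installed, which is a different state from vulnerable and worth recording separately. The package signatures that section 6 refers to can be checked with `rpm -K` (`--checksig`) against the Red Hat key before the update is applied.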
    
