Alerts This Week
Warning Icon 1 923
Alerts This Week
Warning Icon 1 923

RedHat OpenShift Service Mesh 1.1.2 Important: Servicemesh-Proxy DoS Threat

red hat
Calendar Grey June 11, 2020
Dist Redhat Esm H88
The security bulletin issued by Red Hat for OpenShift Service Mesh version 1.1.2 highlights a critical Denial of Service vulnerability present in servicemesh-proxy.
An update for servicemesh-proxy is now available for OpenShift Service Mesh 1.1

Solution

The OpenShift Service Mesh release notes provide information on the features and known issues:


Summary

Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation.
Security Fix(es):
* nghttp2: overly large SETTINGS frames can lead to DoS (CVE-2020-11080)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Topics%20covered

Topics Covered

security advisory important dos openshift nghttp2 service mesh servicemesh

References

https://access.redhat.com/security/cve/CVE-2020-11080 https://access.redhat.com/security/updates/classification/#important

Package List

OpenShift Service Mesh 1.1:
Source: servicemesh-proxy-1.1.2-3.el8.src.rpm
x86_64: servicemesh-proxy-1.1.2-3.el8.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/


Severity
important
Lowest
Low
Medium
High
Critical

Advisory ID: RHSA-2020:2523-01
Product: Red Hat OpenShift Service Mesh
Advisory URL: https://access.redhat.com/errata/RHSA-2020:2523
Issue date: 2020-06-11

Topic

An update for servicemesh-proxy is now available for OpenShift Service Mesh1.1.Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.

Topics%20covered

Topics Covered

security advisory important dos openshift nghttp2 service mesh servicemesh

Relevant Releases Architectures

OpenShift Service Mesh 1.1 - x86_64

Bugs Fixed

1844929 - CVE-2020-11080 nghttp2: overly large SETTINGS frames can lead to DoS

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here