RedHat: RHSA-2020-2861:01 Important: Red Hat OpenShift Service Mesh 1.0

    Date 07 Jul 2020
    Posted By LinuxSecurity Advisories
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA256
    
    =====================================================================
                       Red Hat Security Advisory
    
    Synopsis:          Important: Red Hat OpenShift Service Mesh 1.0 servicemesh-grafana security update
    Advisory ID:       RHSA-2020:2861-01
    Product:           Red Hat OpenShift Service Mesh
    Advisory URL:      https://access.redhat.com/errata/RHSA-2020:2861
    Issue date:        2020-07-07
    CVE Names:         CVE-2019-11253 CVE-2020-7660 CVE-2020-7662 
                       CVE-2020-12052 CVE-2020-12245 CVE-2020-13379 
                       CVE-2020-13430 
    =====================================================================
    
    1. Summary:
    
    An update for servicemesh-grafana is now available for OpenShift Service
    Mesh 1.0.
    
    Red Hat Product Security has rated this update as having a security impact
    of Important. A Common Vulnerability Scoring System (CVSS) base score,
    which gives a detailed severity rating, is available for each vulnerability
    from the CVE link(s) in the References section.
    
    2. Relevant releases/architectures:
    
    OpenShift Service Mesh 1.0 - x86_64
    
    3. Description:
    
    Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio
    service mesh project, tailored for installation into an on-premise
    OpenShift Container Platform installation.
    
    Security Fix(es):
    
    * kubernetes: YAML parsing vulnerable to "Billion Laughs" attack, allowing
    for remote denial of service (CVE-2019-11253)
    
    * grafana: SSRF incorrect access control vulnerability allows
    unauthenticated users to make grafana send HTTP requests to any URL
    (CVE-2020-13379)
    
    * npm-serialize-javascript: allows remote attackers to inject arbitrary
    code via the function deleteFunctions within index.js (CVE-2020-7660)
    
    * npmjs-websocket-extensions: ReDoS vulnerability in
    Sec-WebSocket-Extensions parser (CVE-2020-7662)
    
    * grafana: XSS annotation popup vulnerability (CVE-2020-12052)
    
    * grafana: XSS via column.title or cellLinkTooltip (CVE-2020-12245)
    
    * grafana: XSS via the OpenTSDB datasource (CVE-2020-13430)
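The "Billion Laughs" entry above describes a YAML document whose aliases expand geometrically: a few hundred bytes of anchors and aliases become hundreds of millions of nodes when a parser materialises them. The following is an added example, not code from the advisory, Kubernetes or Grafana: a simplified, line-oriented estimator of alias expansion for the flow-style documents that carry this payload, with a budget that rejects the document before it is expanded. It is not a YAML parser; the two sample documents, the function names and the 100,000-entry budget are assumptions.

```python
import re
from typing import Dict


class ExcessiveAliasing(ValueError):
    """Raised when expanding the document's aliases would exceed the budget."""


# Constructed sample: the classic Billion Laughs shape. Each anchor references
# the previous one nine times, so ~400 bytes of text expand to 9**9 scalars.
BILLION_LAUGHS = """\
a: &a ["lol","lol","lol","lol","lol","lol","lol","lol","lol"]
b: &b [*a,*a,*a,*a,*a,*a,*a,*a,*a]
c: &c [*b,*b,*b,*b,*b,*b,*b,*b,*b]
d: &d [*c,*c,*c,*c,*c,*c,*c,*c,*c]
e: &e [*d,*d,*d,*d,*d,*d,*d,*d,*d]
f: &f [*e,*e,*e,*e,*e,*e,*e,*e,*e]
g: &g [*f,*f,*f,*f,*f,*f,*f,*f,*f]
h: &h [*g,*g,*g,*g,*g,*g,*g,*g,*g]
i: &i [*h,*h,*h,*h,*h,*h,*h,*h,*h]
"""

# Constructed sample: ordinary anchor reuse, as in a manifest that shares labels.
BENIGN = """\
labels: &common {app: web, tier: frontend}
pod_a: *common
pod_b: *common
"""

# "key: &anchor value", anchor optional. This deliberately understands only one
# top-level key per line, which is all the payload above needs (assumption).
LINE = re.compile(r"^(?P<key>[^:#\s][^:]*):\s*(?:&(?P<anchor>\w+)\s*)?(?P<value>.*)$")
ALIAS = re.compile(r"\*(\w+)")


def expanded_size(text: str, limit: int = 100_000) -> int:
    """Count the entries the document would hold once every alias is expanded.

    Raises ExcessiveAliasing as soon as the running total passes `limit`, so the
    cost of rejecting a hostile document stays linear in its textual size.
    """
    sizes: Dict[str, int] = {}  # anchor name -> expanded entry count
    total = 0
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        value = m.group("value").strip()
        # Split a flow collection into its items; a bare scalar or alias is one item.
        if value[:1] in ("[", "{") and value[-1:] in ("]", "}"):
            inner = value[1:-1]
        else:
            inner = value
        items = [t.strip() for t in inner.split(",") if t.strip()]
        size = 0
        for item in items:
            alias = ALIAS.fullmatch(item)
            if alias is None:
                size += 1                       # a literal entry
                continue
            name = alias.group(1)
            if name not in sizes:
                raise ValueError(f"alias *{name} used before its anchor")
            size += sizes[name]                 # the alias stands for a whole subtree
        if m.group("anchor"):
            sizes[m.group("anchor")] = size
        total += size
        if total > limit:
            raise ExcessiveAliasing(f"document expands to more than {limit} entries")
    return total


def is_safe_to_parse(text: str, limit: int = 100_000) -> bool:
    """True when the document stays within the alias-expansion budget."""
    try:
        expanded_size(text, limit)
        return True
    except ExcessiveAliasing:
        return False


if __name__ == "__main__":
    print("benign document expands to", expanded_size(BENIGN), "entries")
    print("billion laughs within budget?", is_safe_to_parse(BILLION_LAUGHS))
```

The point of the running check inside the loop is that the defence must refuse the document before expansion happens; a parser that builds the tree and only then counts nodes has already spent the memory the attacker wanted it to spend.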
    
    For more details about the security issue(s), including the impact, a CVSS
    score, acknowledgments, and other related information, refer to the CVE
    page(s) listed in the References section.
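The SSRF entry above concerns a server that can be made to fetch an attacker-chosen URL on the attacker's behalf. As an added example (not Grafana's code, and saying nothing about where in Grafana the flaw was), here is the validation layer a server-side fetcher should sit behind: scheme and hostname allowlist, no literal IP addresses, no userinfo in the URL, and a check that every address the name resolves to is globally routable rather than loopback, link-local or private. The allowlist, the in-memory resolver table standing in for DNS, and the function names are assumptions.

```python
import ipaddress
from typing import Callable, Dict, List
from urllib.parse import urlsplit

# Constructed allowlist: the only names this service is permitted to fetch from.
ALLOWED_HOSTS = {"grafana.example.com", "avatars.example.com", "legacy.example.com"}

# Constructed stand-in for DNS so the example runs offline. legacy.example.com is
# allowlisted but resolves into RFC 1918 space, which must still be refused.
FAKE_DNS: Dict[str, List[str]] = {
    "grafana.example.com": ["93.184.216.34"],
    "avatars.example.com": ["104.16.1.1"],
    "legacy.example.com": ["10.0.0.5"],
    "internal.example.com": ["10.0.0.5"],
}


def fake_resolve(host: str) -> List[str]:
    """Look up the constructed table; a deployment would use the system resolver."""
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise ValueError(f"cannot resolve {host}") from None


def is_forbidden_address(ip: str) -> bool:
    """Addresses a server-side fetcher must never contact on a user's behalf."""
    addr = ipaddress.ip_address(ip)
    return (addr.is_loopback or addr.is_link_local or addr.is_private
            or addr.is_multicast or addr.is_unspecified or not addr.is_global)


def validate_fetch_url(url: str,
                       allowed_hosts=ALLOWED_HOSTS,
                       resolve: Callable[[str], List[str]] = fake_resolve) -> List[str]:
    """Return the addresses the fetcher may connect to, or raise ValueError.

    The caller should connect to one of the returned addresses (sending the
    name in the Host header) rather than resolving again, so that a second
    lookup cannot answer differently (DNS rebinding).
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo in URL is not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass  # a name, as expected
    else:
        raise ValueError("literal IP addresses are not allowed")
    if host not in allowed_hosts:
        raise ValueError(f"host not in allowlist: {host}")
    addrs = resolve(host)
    for ip in addrs:
        if is_forbidden_address(ip):
            raise ValueError(f"{host} resolves to non-routable address {ip}")
    return addrs


def is_fetch_allowed(url: str) -> bool:
    """Boolean form of validate_fetch_url for callers that only need a verdict."""
    try:
        validate_fetch_url(url)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for candidate in ("https://grafana.example.com/api/health",
                      "http://169.254.169.254/latest/meta-data/",
                      "https://avatars.example.com@internal.example.com/",
                      "https://legacy.example.com/"):
        print(f"{candidate:55} allowed={is_fetch_allowed(candidate)}")
```

Rejecting literal IPs outright, rather than trying to enumerate the decimal, octal and IPv6-mapped spellings of 127.0.0.1, is what keeps the allowlist simple: only names are accepted, and names are then checked by what they resolve to.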
    
    4. Solution:
    
    The OpenShift Service Mesh release notes provide information on the
    features and known issues:
    
    https://docs.openshift.com/container-platform/latest/service_mesh/servicemesh-release-notes.html
    
    5. Bugs fixed (https://bugzilla.redhat.com/):
    
    1757701 - CVE-2019-11253 kubernetes: YAML parsing vulnerable to "Billion Laughs" attack, allowing for remote denial of service
    1843640 - CVE-2020-13379 grafana: SSRF incorrect access control vulnerability allows unauthenticated users to make grafana send HTTP requests to any URL
    1844228 - CVE-2020-7660 npm-serialize-javascript: allows remote attackers to inject arbitrary code via the function deleteFunctions within index.js
    1845982 - CVE-2020-7662 npmjs-websocket-extensions: ReDoS vulnerability in Sec-WebSocket-Extensions parser
    1848089 - CVE-2020-12052 grafana: XSS annotation popup vulnerability
    1848108 - CVE-2020-13430 grafana: XSS via the OpenTSDB datasource
    1848643 - CVE-2020-12245 grafana: XSS via column.title or cellLinkTooltip
    
    6. Package List:
    
    OpenShift Service Mesh 1.0:
    
    Source:
    servicemesh-grafana-6.2.2-38.el8.src.rpm
    
    x86_64:
    servicemesh-grafana-6.2.2-38.el8.x86_64.rpm
    servicemesh-grafana-prometheus-6.2.2-38.el8.x86_64.rpm
    
    These packages are GPG signed by Red Hat for security.  Our key and
    details on how to verify the signature are available from
    https://access.redhat.com/security/team/key/
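Section 6 gives the fixed builds; the practical question on a host is whether the installed packages are older than them. The following is an added example, not Red Hat tooling: a Python port of rpm's version-label comparison (the rpmvercmp algorithm: numeric segments compared as numbers, alphabetic segments lexically, numbers beating letters, '~' sorting before everything and '^' sorting after end-of-string), applied to a constructed `rpm -qa` listing in `name epoch version release` form to flag packages still below the advisory's build. The listing, the query format and the function names are assumptions; the fixed NVRs are those from the package list above.

```python
from typing import Dict, List, Tuple

# Fixed builds from this advisory's package list, as (epoch, version, release).
FIXED: Dict[str, Tuple[int, str, str]] = {
    "servicemesh-grafana": (0, "6.2.2", "38.el8"),
    "servicemesh-grafana-prometheus": (0, "6.2.2", "38.el8"),
}

# Constructed listing in the shape produced by
#   rpm -qa --qf '%{NAME} %{EPOCH} %{VERSION} %{RELEASE}\n'
# on a host that has not yet taken the update; "(none)" is an unset epoch.
INSTALLED = """\
servicemesh-grafana (none) 6.2.2 37.el8
servicemesh-grafana-prometheus (none) 6.2.2 37.el8
bash (none) 4.4.19 12.el8
"""


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version or release labels the way rpm does; returns 1, 0 or -1."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Separators (anything not alphanumeric, '~' or '^') are skipped.
        while i < len(a) and not (a[i].isalnum() or a[i] in "~^"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if ca == "~" or cb == "~":          # '~' sorts before everything, even end of string
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":          # '^' sorts after end of string, before any segment
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):
            break
        isnum = ca.isdigit()
        same_kind = str.isdigit if isnum else str.isalpha
        si, sj = i, j
        while i < len(a) and same_kind(a[i]):
            i += 1
        while j < len(b) and same_kind(b[j]):
            j += 1
        seg_a, seg_b = a[si:i], b[sj:j]
        if not seg_b:                       # other side starts a different kind of segment
            return 1 if isnum else -1       # a numeric segment beats an alphabetic one
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):    # more significant digits means a bigger number
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def evr_cmp(a: Tuple[int, str, str], b: Tuple[int, str, str]) -> int:
    """Compare (epoch, version, release): epoch decides first, then version, then release."""
    if a[0] != b[0]:
        return 1 if a[0] > b[0] else -1
    return rpmvercmp(a[1], b[1]) or rpmvercmp(a[2], b[2])


def parse_listing(text: str) -> Dict[str, Tuple[int, str, str]]:
    """Parse 'name epoch version release' lines; assumes one arch per package name."""
    out: Dict[str, Tuple[int, str, str]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, epoch, version, release = line.split()
        out[name] = (0 if epoch == "(none)" else int(epoch), version, release)
    return out


def still_vulnerable(listing: str, fixed=FIXED) -> List[str]:
    """Names of installed packages whose EVR is below the advisory's fixed build."""
    installed = parse_listing(listing)
    return sorted(name for name, evr in installed.items()
                  if name in fixed and evr_cmp(evr, fixed[name]) < 0)


if __name__ == "__main__":
    print("below fixed build:", still_vulnerable(INSTALLED))
```

This only compares versions. Verifying that the downloaded RPMs are the ones Red Hat signed is a separate step (`rpm -K <file>.rpm` once Red Hat's key from the URL above has been imported), and the two checks answer different questions.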
    
    7. References:
    
    https://access.redhat.com/security/cve/CVE-2019-11253
    https://access.redhat.com/security/cve/CVE-2020-7660
    https://access.redhat.com/security/cve/CVE-2020-7662
    https://access.redhat.com/security/cve/CVE-2020-12052
    https://access.redhat.com/security/cve/CVE-2020-12245
    https://access.redhat.com/security/cve/CVE-2020-13379
    https://access.redhat.com/security/cve/CVE-2020-13430
    https://access.redhat.com/security/updates/classification/#important
    
    8. Contact:
    
    The Red Hat security contact is . More contact
    details at https://access.redhat.com/security/team/contact/
    
    Copyright 2020 Red Hat, Inc.
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1
    
    iQIVAwUBXwTOzNzjgjWX9erEAQif0g//cijwIyYajqLB21iHkI6HJWV1C7uwNxEF
    8zYiTHREsdB5P5U5DIAmS9quSO3z+uE+BNX0LnDUW/VecqL9sGU1WITZmH3aKrHN
    B+leyudXVF5ZEm6w7CmkRFRamzopo9y1Riluwaiu7OYBFpSRGmk8njp+3J0iisIl
    tPliHPle35KRNnU170G3dZwKSEfvefJ0NK8lXItji+tVV1W7RjCbH1N6tPk+f308
    zKTylTmlU1SVNnBbcoicfHuzE0QpUUNzKFF3QeEUvEuB8B+gL432QijXaoazESkR
    Ky1MRk7EDDJc9opcIvbaNy4NRC9cnOyS2ms3G3uoQMIiPHENmRURrQl0BKAUtuEF
    hwvGawha+SscSygnMpruhpKZVti1RPRhPjR27HPbRGfacrZMeZxabLuRdzZmJ0p1
    gneurtguBsFWj3WODtD/8Hmdpl0dmBSf7OWa6p5hge2vvomRYFjh71bgRBJ5zEFe
    Do9OBQBxE+Gm6sI7zm15HatjF+uHLg2PTS37JtzrKkki3LHxe8SDnCTW0nzAvXoE
    //70S6ruDr5yNX/O/lmmEaq07OZ3NOKADr/qijGscnmQTJl1b0mNG67W1NAM7sPf
    54z34hAZgNZxcaAA3dZzR3vacdvI9Su4k1q4wBVnd7adZ64Qv+p3thrTQYtA5xoR
    TqE9uaAoJ+Q=
    =QhKA
    -----END PGP SIGNATURE-----
    
    --
    RHSA-announce mailing list
    https://www.redhat.com/mailman/listinfo/rhsa-announce
    
