=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat OpenShift Service Mesh 2.1.2 security update
Advisory ID:       RHSA-2022:1275-01
Product:           Red Hat OpenShift Service Mesh
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:1275
Issue date:        2022-04-07
CVE Names:         CVE-2021-43824 CVE-2021-43825 CVE-2021-43826 
                   CVE-2022-21654 CVE-2022-21655 CVE-2022-23606 
                   CVE-2022-23635 CVE-2022-24726 
====================================================================
1. Summary:

Red Hat OpenShift Service Mesh 2.1.2

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

OpenShift Service Mesh 2.1 - noarch, ppc64le, s390x, x86_64

3. Description:

Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service
mesh project, tailored for installation into an on-premise OpenShift Container
Platform installation.

This advisory covers the RPM packages for the release.

Security Fix(es):

* envoy: Incorrect configuration handling allows mTLS session re-use
without re-validation (CVE-2022-21654)

* envoy: Incorrect handling of internal redirects to routes with a direct
response entry (CVE-2022-21655)

* istio: Unauthenticated control plane denial of service attack due to
stack exhaustion (CVE-2022-24726)

* envoy: Null pointer dereference when using JWT filter safe_regex match
(CVE-2021-43824)

* envoy: Use-after-free when response filters increase response data
(CVE-2021-43825)

* envoy: Use-after-free when tunneling TCP over HTTP (CVE-2021-43826)

* envoy: Stack exhaustion when a cluster is deleted via Cluster Discovery
Service (CVE-2022-23606)

* istio: unauthenticated control plane denial of service attack
(CVE-2022-23635)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

The OpenShift Service Mesh Release Notes provide information on the
features and known issues:

https://docs.openshift.com/container-platform/latest/service_mesh/v2x/servicemesh-release-notes.html

5. Bugs fixed (https://bugzilla.redhat.com/):

2050744 - CVE-2021-43824 envoy: Null pointer dereference when using JWT filter safe_regex match
2050746 - CVE-2021-43825 envoy: Use-after-free when response filters increase response data
2050748 - CVE-2021-43826 envoy: Use-after-free when tunneling TCP over HTTP
2050753 - CVE-2022-21654 envoy: Incorrect configuration handling allows mTLS session re-use without re-validation
2050757 - CVE-2022-21655 envoy: Incorrect handling of internal redirects to routes with a direct response entry
2050758 - CVE-2022-23606 envoy: Stack exhaustion when a cluster is deleted via Cluster Discovery Service
2057277 - CVE-2022-23635 istio: unauthenticated control plane denial of service attack
2061638 - CVE-2022-24726 istio: Unauthenticated control plane denial of service attack due to stack exhaustion

6. JIRA issues fixed (https://issues.jboss.org/):

OSSM-1074 - Pod annotations defined in SMCP are not injected in the pods
OSSM-1234 - RPM Release for Maistra 2.1.2
OSSM-303 - Control Openshift Route Creation for ingress Gateways

7. Package List:

OpenShift Service Mesh 2.1:

Source:
servicemesh-2.1.2-4.el8.src.rpm
servicemesh-operator-2.1.2-4.el8.src.rpm
servicemesh-prometheus-2.23.0-5.el8.src.rpm
servicemesh-proxy-2.1.2-4.el8.src.rpm
servicemesh-ratelimit-2.1.2-4.el8.src.rpm

noarch:
servicemesh-proxy-wasm-2.1.2-4.el8.noarch.rpm

ppc64le:
servicemesh-2.1.2-4.el8.ppc64le.rpm
servicemesh-cni-2.1.2-4.el8.ppc64le.rpm
servicemesh-operator-2.1.2-4.el8.ppc64le.rpm
servicemesh-pilot-agent-2.1.2-4.el8.ppc64le.rpm
servicemesh-pilot-discovery-2.1.2-4.el8.ppc64le.rpm
servicemesh-prometheus-2.23.0-5.el8.ppc64le.rpm
servicemesh-proxy-2.1.2-4.el8.ppc64le.rpm
servicemesh-proxy-debuginfo-2.1.2-4.el8.ppc64le.rpm
servicemesh-proxy-debugsource-2.1.2-4.el8.ppc64le.rpm
servicemesh-ratelimit-2.1.2-4.el8.ppc64le.rpm

s390x:
servicemesh-2.1.2-4.el8.s390x.rpm
servicemesh-cni-2.1.2-4.el8.s390x.rpm
servicemesh-operator-2.1.2-4.el8.s390x.rpm
servicemesh-pilot-agent-2.1.2-4.el8.s390x.rpm
servicemesh-pilot-discovery-2.1.2-4.el8.s390x.rpm
servicemesh-prometheus-2.23.0-5.el8.s390x.rpm
servicemesh-proxy-2.1.2-4.el8.s390x.rpm
servicemesh-proxy-debuginfo-2.1.2-4.el8.s390x.rpm
servicemesh-proxy-debugsource-2.1.2-4.el8.s390x.rpm
servicemesh-ratelimit-2.1.2-4.el8.s390x.rpm

x86_64:
servicemesh-2.1.2-4.el8.x86_64.rpm
servicemesh-cni-2.1.2-4.el8.x86_64.rpm
servicemesh-operator-2.1.2-4.el8.x86_64.rpm
servicemesh-pilot-agent-2.1.2-4.el8.x86_64.rpm
servicemesh-pilot-discovery-2.1.2-4.el8.x86_64.rpm
servicemesh-prometheus-2.23.0-5.el8.x86_64.rpm
servicemesh-proxy-2.1.2-4.el8.x86_64.rpm
servicemesh-proxy-debuginfo-2.1.2-4.el8.x86_64.rpm
servicemesh-proxy-debugsource-2.1.2-4.el8.x86_64.rpm
servicemesh-ratelimit-2.1.2-4.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
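As an added check that is not part of this advisory: a Python script that compares the servicemesh package NVRs installed on a host (from `rpm -qa` output) against the fixed builds listed above, using an rpmvercmp-style version comparison so that a newer release still counts as patched. The `rpm -qa` sample is constructed, the package list is taken from the x86_64 entries above, and epochs are assumed to be 0.

```python
import re
from typing import List, Tuple
# Fixed builds from this advisory (RHSA-2022:1275); all architectures ship the same NVRs, so one
# list covers them. Debuginfo/debugsource and the noarch wasm rpm follow the servicemesh-proxy build.
FIXED_NVRS = [
    "servicemesh-2.1.2-4.el8", "servicemesh-cni-2.1.2-4.el8", "servicemesh-operator-2.1.2-4.el8",
    "servicemesh-pilot-agent-2.1.2-4.el8", "servicemesh-pilot-discovery-2.1.2-4.el8",
    "servicemesh-prometheus-2.23.0-5.el8", "servicemesh-proxy-2.1.2-4.el8", "servicemesh-ratelimit-2.1.2-4.el8",
]

# Constructed sample of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'` output, not from a real host.
SAMPLE_RPM_QA = """\
servicemesh-2.1.1-3.el8
servicemesh-proxy-2.1.2-4.el8
servicemesh-prometheus-2.23.0-4.el8
servicemesh-cni-2.1.2-5.el8
kernel-4.18.0-348.el8
"""

def split_nvr(nvr: str) -> Tuple[str, str, str]:  # name-version-release, split at the last two dashes
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release

def rpmvercmp(a: str, b: str) -> int:
    """librpm-style compare: numeric segments as integers, alphabetic ones lexically, numeric beats
    alphabetic, and with all segments equal the longer string wins. '~'/'^' handling is omitted."""
    sa, sb = (re.findall(r"[0-9]+|[a-zA-Z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

FIXED = {split_nvr(n)[0]: split_nvr(n)[1:] for n in FIXED_NVRS}  # name -> (version, release)

def is_fixed(installed_nvr: str) -> bool:
    """True when the installed build is at or above this advisory's build (epoch assumed 0)."""
    name, ver, rel = split_nvr(installed_nvr)
    fver, frel = FIXED[name]
    return (rpmvercmp(ver, fver) or rpmvercmp(rel, frel)) >= 0  # version decides, then release

def vulnerable_packages(rpm_qa_output: str) -> List[str]:
    """Installed packages covered by this advisory that are still below the fixed build."""
    return [line for line in rpm_qa_output.splitlines()
            if line and split_nvr(line)[0] in FIXED and not is_fixed(line)]
```

Packages not named in the advisory (such as `kernel` in the sample) are ignored rather than compared.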

8. References:

https://access.redhat.com/security/cve/CVE-2021-43824
https://access.redhat.com/security/cve/CVE-2021-43825
https://access.redhat.com/security/cve/CVE-2021-43826
https://access.redhat.com/security/cve/CVE-2022-21654
https://access.redhat.com/security/cve/CVE-2022-21655
https://access.redhat.com/security/cve/CVE-2022-23606
https://access.redhat.com/security/cve/CVE-2022-23635
https://access.redhat.com/security/cve/CVE-2022-24726
https://access.redhat.com/security/updates/classification/#important

9. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce