-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat OpenShift Service Mesh 2.0.9 security update
Advisory ID:       RHSA-2022:1276-01
Product:           Red Hat OpenShift Service Mesh
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:1276
Issue date:        2022-04-07
CVE Names:         CVE-2020-28851 CVE-2020-28852 CVE-2021-3121 
                   CVE-2021-3749 CVE-2021-29482 CVE-2021-29923 
                   CVE-2021-36221 CVE-2021-43565 CVE-2021-43824 
                   CVE-2021-43825 CVE-2021-43826 CVE-2022-21654 
                   CVE-2022-21655 CVE-2022-23606 CVE-2022-23635 
                   CVE-2022-24726 
====================================================================
1. Summary:

Red Hat OpenShift Service Mesh 2.0.9.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

2.0 - ppc64le, s390x, x86_64

3. Description:

Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio
service mesh project, tailored for installation into an on-premise
OpenShift Container Platform installation.

This advisory covers the RPM packages for the release.

Security Fix(es):

* gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index
validation (CVE-2021-3121)

* envoy: Incorrect configuration handling allows mTLS session re-use
without re-validation (CVE-2022-21654)

* envoy: Incorrect handling of internal redirects to routes with a direct
response entry (CVE-2022-21655)

* istio: Unauthenticated control plane denial of service attack due to
stack exhaustion (CVE-2022-24726)

* golang.org/x/text: Panic in language.ParseAcceptLanguage while parsing
-u- extension (CVE-2020-28851)

* golang.org/x/text: Panic in language.ParseAcceptLanguage while processing
bcp47 tag (CVE-2020-28852)

* nodejs-axios: Regular expression denial of service in trim function
(CVE-2021-3749)

* ulikunitz/xz: Infinite loop in readUvarint allows for denial of service
(CVE-2021-29482)

* golang: net: incorrect parsing of extraneous zero characters at the
beginning of an IP address octet (CVE-2021-29923)

* golang: net/http/httputil: panic due to racy read of persistConn after
handler panic (CVE-2021-36221)

* golang.org/x/crypto: empty plaintext packet causes panic (CVE-2021-43565)

* envoy: Null pointer dereference when using JWT filter safe_regex match
(CVE-2021-43824)

* envoy: Use-after-free when response filters increase response data
(CVE-2021-43825)

* envoy: Use-after-free when tunneling TCP over HTTP (CVE-2021-43826)

* envoy: Stack exhaustion when a cluster is deleted via Cluster Discovery
Service (CVE-2022-23606)

* istio: unauthenticated control plane denial of service attack
(CVE-2022-23635)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

The OpenShift Service Mesh release notes provide information on the
features and known issues:

https://docs.openshift.com/container-platform/latest/service_mesh/v2x/servicemesh-release-notes.html

5. Bugs fixed (https://bugzilla.redhat.com/):

1913333 - CVE-2020-28851 golang.org/x/text: Panic in language.ParseAcceptLanguage while parsing -u- extension
1913338 - CVE-2020-28852 golang.org/x/text: Panic in language.ParseAcceptLanguage while processing bcp47 tag
1921650 - CVE-2021-3121 gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation
1954368 - CVE-2021-29482 ulikunitz/xz: Infinite loop in readUvarint allows for denial of service
1992006 - CVE-2021-29923 golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet
1995656 - CVE-2021-36221 golang: net/http/httputil: panic due to racy read of persistConn after handler panic
1999784 - CVE-2021-3749 nodejs-axios: Regular expression denial of service in trim function
2030787 - CVE-2021-43565 golang.org/x/crypto: empty plaintext packet causes panic
2050744 - CVE-2021-43824 envoy: Null pointer dereference when using JWT filter safe_regex match
2050746 - CVE-2021-43825 envoy: Use-after-free when response filters increase response data
2050748 - CVE-2021-43826 envoy: Use-after-free when tunneling TCP over HTTP
2050753 - CVE-2022-21654 envoy: Incorrect configuration handling allows mTLS session re-use without re-validation
2050757 - CVE-2022-21655 envoy: Incorrect handling of internal redirects to routes with a direct response entry
2050758 - CVE-2022-23606 envoy: Stack exhaustion when a cluster is deleted via Cluster Discovery Service
2057277 - CVE-2022-23635 istio: unauthenticated control plane denial of service attack
2061638 - CVE-2022-24726 istio: Unauthenticated control plane denial of service attack due to stack exhaustion

6. Package List:

2.0:

Source:
kiali-v1.24.7.redhat1-1.el8.src.rpm
servicemesh-2.0.9-3.el8.src.rpm
servicemesh-cni-2.0.9-3.el8.src.rpm
servicemesh-operator-2.0.9-3.el8.src.rpm
servicemesh-prometheus-2.14.0-16.el8.1.src.rpm
servicemesh-proxy-2.0.9-3.el8.src.rpm

ppc64le:
kiali-v1.24.7.redhat1-1.el8.ppc64le.rpm
servicemesh-2.0.9-3.el8.ppc64le.rpm
servicemesh-cni-2.0.9-3.el8.ppc64le.rpm
servicemesh-istioctl-2.0.9-3.el8.ppc64le.rpm
servicemesh-mixc-2.0.9-3.el8.ppc64le.rpm
servicemesh-mixs-2.0.9-3.el8.ppc64le.rpm
servicemesh-operator-2.0.9-3.el8.ppc64le.rpm
servicemesh-pilot-agent-2.0.9-3.el8.ppc64le.rpm
servicemesh-pilot-discovery-2.0.9-3.el8.ppc64le.rpm
servicemesh-prometheus-2.14.0-16.el8.1.ppc64le.rpm
servicemesh-proxy-2.0.9-3.el8.ppc64le.rpm

s390x:
kiali-v1.24.7.redhat1-1.el8.s390x.rpm
servicemesh-2.0.9-3.el8.s390x.rpm
servicemesh-cni-2.0.9-3.el8.s390x.rpm
servicemesh-istioctl-2.0.9-3.el8.s390x.rpm
servicemesh-mixc-2.0.9-3.el8.s390x.rpm
servicemesh-mixs-2.0.9-3.el8.s390x.rpm
servicemesh-operator-2.0.9-3.el8.s390x.rpm
servicemesh-pilot-agent-2.0.9-3.el8.s390x.rpm
servicemesh-pilot-discovery-2.0.9-3.el8.s390x.rpm
servicemesh-prometheus-2.14.0-16.el8.1.s390x.rpm
servicemesh-proxy-2.0.9-3.el8.s390x.rpm

x86_64:
kiali-v1.24.7.redhat1-1.el8.x86_64.rpm
servicemesh-2.0.9-3.el8.x86_64.rpm
servicemesh-cni-2.0.9-3.el8.x86_64.rpm
servicemesh-istioctl-2.0.9-3.el8.x86_64.rpm
servicemesh-mixc-2.0.9-3.el8.x86_64.rpm
servicemesh-mixs-2.0.9-3.el8.x86_64.rpm
servicemesh-operator-2.0.9-3.el8.x86_64.rpm
servicemesh-pilot-agent-2.0.9-3.el8.x86_64.rpm
servicemesh-pilot-discovery-2.0.9-3.el8.x86_64.rpm
servicemesh-prometheus-2.14.0-16.el8.1.x86_64.rpm
servicemesh-proxy-2.0.9-3.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
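To check whether a host still carries builds older than the ones this advisory ships, here is an added example (not part of the advisory or of any Red Hat tool): it compares rpm -qa style package names against the Package List above, assumes GNU or BusyBox "sort -V" and "sed -E", and uses a constructed sample input in place of real rpm -qa output.

```shell
#!/bin/sh
# Added example, not part of the advisory or of any Red Hat tool: compare installed
# package NVRs (rpm -qa form) with the fixed builds listed in RHSA-2022:1276.
# Assumes GNU/BusyBox "sort -V" and "sed -E"; the sample input below is constructed.
# Fixed version-release per package name, copied from the advisory's 2.0 package list.
FIXED='kiali v1.24.7.redhat1-1.el8
servicemesh 2.0.9-3.el8
servicemesh-cni 2.0.9-3.el8
servicemesh-istioctl 2.0.9-3.el8
servicemesh-mixc 2.0.9-3.el8
servicemesh-mixs 2.0.9-3.el8
servicemesh-operator 2.0.9-3.el8
servicemesh-pilot-agent 2.0.9-3.el8
servicemesh-pilot-discovery 2.0.9-3.el8
servicemesh-prometheus 2.14.0-16.el8.1
servicemesh-proxy 2.0.9-3.el8'

# Reduce "name-ver-rel.arch[.rpm]" to "name-ver-rel", then split off name and ver-rel.
strip_nvr() { printf '%s\n' "$1" | sed -E 's/\.rpm$//; s/\.(x86_64|ppc64le|s390x|noarch|src)$//'; }
nvr_name()  { printf '%s\n' "$1" | sed -E 's/-[^-]+-[^-]+$//'; }
nvr_vr()    { printf '%s\n' "$1" | sed -E 's/^.*-([^-]+-[^-]+)$/\1/'; }

# Exit status: 0 = older than the fixed build (update needed),
#              1 = at or above the fixed build, 2 = package not covered by this advisory.
needs_update() {
    nvr=$(strip_nvr "$1")
    name=$(nvr_name "$nvr"); vr=$(nvr_vr "$nvr")
    fixed=$(printf '%s\n' "$FIXED" | awk -v n="$name" '$1 == n { print $2 }')
    [ -n "$fixed" ] || return 2
    [ "$vr" != "$fixed" ] || return 1
    # Version sort lists the lower build first; if that is the installed one, it is outdated.
    lowest=$(printf '%s\n%s\n' "$vr" "$fixed" | sort -V | head -n 1)
    if [ "$lowest" = "$vr" ]; then return 0; else return 1; fi
}

# Constructed sample in rpm -qa form (not real host data): two outdated, one fixed, one unrelated.
SAMPLE='servicemesh-proxy-2.0.9-2.el8.x86_64
servicemesh-pilot-discovery-2.0.9-3.el8.x86_64
servicemesh-prometheus-2.14.0-9.el8.1.x86_64
openssl-1.1.1k-6.el8.x86_64'

# Prints how many sampled packages are older than the advisory's build; on a real host feed rpm -qa.
count_outdated() {
    n=0
    for p in $SAMPLE; do
        if needs_update "$p"; then echo "outdated: $p" >&2; n=$((n + 1)); fi
    done
    echo "$n"
}
```

The version comparison is only as good as sort -V; on a real host, rpm itself or rpmdev-vercmp is the authoritative comparator, and rpm -K on the downloaded files checks the Red Hat signature the paragraph above refers to.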

7. References:

https://access.redhat.com/security/cve/CVE-2020-28851
https://access.redhat.com/security/cve/CVE-2020-28852
https://access.redhat.com/security/cve/CVE-2021-3121
https://access.redhat.com/security/cve/CVE-2021-3749
https://access.redhat.com/security/cve/CVE-2021-29482
https://access.redhat.com/security/cve/CVE-2021-29923
https://access.redhat.com/security/cve/CVE-2021-36221
https://access.redhat.com/security/cve/CVE-2021-43565
https://access.redhat.com/security/cve/CVE-2021-43824
https://access.redhat.com/security/cve/CVE-2021-43825
https://access.redhat.com/security/cve/CVE-2021-43826
https://access.redhat.com/security/cve/CVE-2022-21654
https://access.redhat.com/security/cve/CVE-2022-21655
https://access.redhat.com/security/cve/CVE-2022-23606
https://access.redhat.com/security/cve/CVE-2022-23635
https://access.redhat.com/security/cve/CVE-2022-24726
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce
