RedHat: RHSA-2022-5003:01 Important: Red Hat OpenShift Service Mesh...
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat OpenShift Service Mesh 2.0.10 security update
Advisory ID:       RHSA-2022:5003-01
Product:           Red Hat OpenShift Service Mesh
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:5003
Issue date:        2022-06-13
CVE Names:         CVE-2022-29224 CVE-2022-29225 
=====================================================================

1. Summary:

An update is now available for Red Hat OpenShift Service Mesh 2.0.10.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

2.0 - ppc64le, s390x, x86_64

3. Description:

Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio
service mesh project, tailored for installation into an on-premise
OpenShift Container Platform installation.

This advisory covers the RPM packages for the release.

Security Fix(es):

* envoy: Decompressors can be zip bombed (CVE-2022-29225)
* envoy: Segfault in GrpcHealthCheckerImpl (CVE-2022-29224)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

The OpenShift Service Mesh release notes provide information on the
features and known issues:

https://docs.openshift.com/container-platform/latest/service_mesh/v2x/servicemesh-release-notes.html

5. Bugs fixed (https://bugzilla.redhat.com/):

2088737 - CVE-2022-29225 envoy: Decompressors can be zip bombed
2088738 - CVE-2022-29224 envoy: Segfault in GrpcHealthCheckerImpl

6. JIRA issues fixed (https://issues.jboss.org/):

OSSM-1613 - RPM Release for Maistra 2.0.10

7. Package List:

2.0:

Source:
servicemesh-2.0.10-1.el8.src.rpm
servicemesh-cni-2.0.10-1.el8.src.rpm
servicemesh-operator-2.0.10-1.el8.src.rpm
servicemesh-prometheus-2.14.0-17.el8.1.src.rpm
servicemesh-proxy-2.0.10-1.el8.src.rpm

ppc64le:
servicemesh-2.0.10-1.el8.ppc64le.rpm
servicemesh-cni-2.0.10-1.el8.ppc64le.rpm
servicemesh-istioctl-2.0.10-1.el8.ppc64le.rpm
servicemesh-mixc-2.0.10-1.el8.ppc64le.rpm
servicemesh-mixs-2.0.10-1.el8.ppc64le.rpm
servicemesh-operator-2.0.10-1.el8.ppc64le.rpm
servicemesh-pilot-agent-2.0.10-1.el8.ppc64le.rpm
servicemesh-pilot-discovery-2.0.10-1.el8.ppc64le.rpm
servicemesh-prometheus-2.14.0-17.el8.1.ppc64le.rpm
servicemesh-proxy-2.0.10-1.el8.ppc64le.rpm

s390x:
servicemesh-2.0.10-1.el8.s390x.rpm
servicemesh-cni-2.0.10-1.el8.s390x.rpm
servicemesh-istioctl-2.0.10-1.el8.s390x.rpm
servicemesh-mixc-2.0.10-1.el8.s390x.rpm
servicemesh-mixs-2.0.10-1.el8.s390x.rpm
servicemesh-operator-2.0.10-1.el8.s390x.rpm
servicemesh-pilot-agent-2.0.10-1.el8.s390x.rpm
servicemesh-pilot-discovery-2.0.10-1.el8.s390x.rpm
servicemesh-prometheus-2.14.0-17.el8.1.s390x.rpm
servicemesh-proxy-2.0.10-1.el8.s390x.rpm

x86_64:
servicemesh-2.0.10-1.el8.x86_64.rpm
servicemesh-cni-2.0.10-1.el8.x86_64.rpm
servicemesh-istioctl-2.0.10-1.el8.x86_64.rpm
servicemesh-mixc-2.0.10-1.el8.x86_64.rpm
servicemesh-mixs-2.0.10-1.el8.x86_64.rpm
servicemesh-operator-2.0.10-1.el8.x86_64.rpm
servicemesh-pilot-agent-2.0.10-1.el8.x86_64.rpm
servicemesh-pilot-discovery-2.0.10-1.el8.x86_64.rpm
servicemesh-prometheus-2.14.0-17.el8.1.x86_64.rpm
servicemesh-proxy-2.0.10-1.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

8. References:

https://access.redhat.com/security/cve/CVE-2022-29224
https://access.redhat.com/security/cve/CVE-2022-29225
https://access.redhat.com/security/updates/classification/#important

9. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYqd67dzjgjWX9erEAQiKghAAlaOQUdcfJvfVLoenJDY8uqnHLOwbkIi5
0CI3E7DIg+6xCGzg9n6mNdU15+GIGRC567dKCpbTvgyDCBBv8sUOcPDn2KmoI5OQ
VEtBChd49i9qD18VEYbhbuEsNTMr3E4ET9q4BqvqcfEfw1MaUYCaiEZFEgfycq9B
mt6WH5CCMPg3KnXw7RqC1NWLOKa9qGNFTEgbx4Db4tPZIQoSjxaNWFvphR1nT3i+
PKy9CaIBXAcbBdBjrp+89RXfI2Mld8zmeclD/3Du3Dmdh3a383YJvHQcpICIki8M
MXDrudv4xZr9NtsbaRKmpalvBPkfQdNIDbl1gENGgOJWYZKVdOE4c/PxBAsrDyr+
MmGko8FmlzRX4q7WqbqtIn77mujUfguyEtq2wxDZWqOybGgQJhB6FB5o9F+qzBos
IXMOV4Zo2L1cm/cvwW49QMBFlHQAPPLN8RC6Mtts4btxzHikZwNh/VP3w9egXBaT
LZOFH2ZD3KB4pqfWt2XAoIE0MhCr9lAaxCM0ktdYwbahnI7CrgrL/3wytC7mqP/M
/RHfm7lElh4upaIp6IfMesJDIUI0I7+ZSXpra6x2mlnoTc5mEkKAP/68rysc6gEs
x5292wN7am1hFdW2eEUXBQIj5pGdIE/Zq2ibxTOAGqPJn3qFyIBhNxp92qCObvvl
+uQLK2+FSBc=
=yaR1
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2022-5003:01 Important: Red Hat OpenShift Service Mesh 2.0.10

An update is now available for Red Hat OpenShift Service Mesh 2.0.10

Summary

Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation.
This advisory covers the RPM packages for the release.
Security Fix(es):
* envoy: Decompressors can be zip bombed (CVE-2022-29225) * envoy: Segfault in GrpcHealthCheckerImpl (CVE-2022-29224)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

The OpenShift Service Mesh release notes provide information on thefeatures and known issues:https://docs.openshift.com/container-platform/latest/service_mesh/v2x/servicemesh-release-notes.html

References

https://access.redhat.com/security/cve/CVE-2022-29224 https://access.redhat.com/security/cve/CVE-2022-29225 https://access.redhat.com/security/updates/classification/#important

Package List

2.0:
Source: servicemesh-2.0.10-1.el8.src.rpm servicemesh-cni-2.0.10-1.el8.src.rpm servicemesh-operator-2.0.10-1.el8.src.rpm servicemesh-prometheus-2.14.0-17.el8.1.src.rpm servicemesh-proxy-2.0.10-1.el8.src.rpm
ppc64le: servicemesh-2.0.10-1.el8.ppc64le.rpm servicemesh-cni-2.0.10-1.el8.ppc64le.rpm servicemesh-istioctl-2.0.10-1.el8.ppc64le.rpm servicemesh-mixc-2.0.10-1.el8.ppc64le.rpm servicemesh-mixs-2.0.10-1.el8.ppc64le.rpm servicemesh-operator-2.0.10-1.el8.ppc64le.rpm servicemesh-pilot-agent-2.0.10-1.el8.ppc64le.rpm servicemesh-pilot-discovery-2.0.10-1.el8.ppc64le.rpm servicemesh-prometheus-2.14.0-17.el8.1.ppc64le.rpm servicemesh-proxy-2.0.10-1.el8.ppc64le.rpm
s390x: servicemesh-2.0.10-1.el8.s390x.rpm servicemesh-cni-2.0.10-1.el8.s390x.rpm servicemesh-istioctl-2.0.10-1.el8.s390x.rpm servicemesh-mixc-2.0.10-1.el8.s390x.rpm servicemesh-mixs-2.0.10-1.el8.s390x.rpm servicemesh-operator-2.0.10-1.el8.s390x.rpm servicemesh-pilot-agent-2.0.10-1.el8.s390x.rpm servicemesh-pilot-discovery-2.0.10-1.el8.s390x.rpm servicemesh-prometheus-2.14.0-17.el8.1.s390x.rpm servicemesh-proxy-2.0.10-1.el8.s390x.rpm
x86_64: servicemesh-2.0.10-1.el8.x86_64.rpm servicemesh-cni-2.0.10-1.el8.x86_64.rpm servicemesh-istioctl-2.0.10-1.el8.x86_64.rpm servicemesh-mixc-2.0.10-1.el8.x86_64.rpm servicemesh-mixs-2.0.10-1.el8.x86_64.rpm servicemesh-operator-2.0.10-1.el8.x86_64.rpm servicemesh-pilot-agent-2.0.10-1.el8.x86_64.rpm servicemesh-pilot-discovery-2.0.10-1.el8.x86_64.rpm servicemesh-prometheus-2.14.0-17.el8.1.x86_64.rpm servicemesh-proxy-2.0.10-1.el8.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

Severity
Advisory ID: RHSA-2022:5003-01
Product: Red Hat OpenShift Service Mesh
Advisory URL: https://access.redhat.com/errata/RHSA-2022:5003
Issued Date: : 2022-06-13
CVE Names: CVE-2022-29224 CVE-2022-29225

Topic

An update is now available for Red Hat OpenShift Service Mesh 2.0.10.Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.

Relevant Releases Architectures

2.0 - ppc64le, s390x, x86_64

Bugs Fixed

2088737 - CVE-2022-29225 envoy: Decompressors can be zip bombed

2088738 - CVE-2022-29224 envoy: Segfault in GrpcHealthCheckerImpl

6. JIRA issues fixed (https://issues.jboss.org/):

OSSM-1613 - RPM Release for Maistra 2.0.10

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.