-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   Red Hat Security Advisory

Synopsis:          Important: Red Hat OpenShift Service Mesh 2.3.1 Containers security update
Advisory ID:       RHSA-2023:0542-01
Product:           RHOSSM
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0542
Issue date:        2023-01-30
CVE Names:         CVE-2016-3709 CVE-2021-4238 CVE-2021-23648 
                   CVE-2021-46848 CVE-2022-1304 CVE-2022-1705 
                   CVE-2022-1962 CVE-2022-2879 CVE-2022-2880 
                   CVE-2022-3515 CVE-2022-3962 CVE-2022-21673 
                   CVE-2022-21698 CVE-2022-21702 CVE-2022-21703 
                   CVE-2022-21713 CVE-2022-22624 CVE-2022-22628 
                   CVE-2022-22629 CVE-2022-22662 CVE-2022-26700 
                   CVE-2022-26709 CVE-2022-26710 CVE-2022-26716 
                   CVE-2022-26717 CVE-2022-26719 CVE-2022-27664 
                   CVE-2022-28131 CVE-2022-30293 CVE-2022-30630 
                   CVE-2022-30631 CVE-2022-30632 CVE-2022-30633 
                   CVE-2022-30635 CVE-2022-32148 CVE-2022-32189 
                   CVE-2022-35737 CVE-2022-37434 CVE-2022-39278 
                   CVE-2022-41715 CVE-2022-42010 CVE-2022-42011 
                   CVE-2022-42012 CVE-2022-42898 CVE-2022-43680 
====================================================================
1. Summary:

Red Hat OpenShift Service Mesh 2.3.1 Containers
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Service Mesh is the Red Hat distribution of the Istio
service mesh project, tailored for installation into an on-premise
OpenShift Container Platform installation.

This advisory covers container images for the release.

Security Fix(es):

* goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as
random as they should be (CVE-2021-4238)
* golang: archive/tar: unbounded memory consumption when reading headers(CVE-2022-2879)
* golang: net/http/httputil: ReverseProxy should not forward unparseable
query parameters (CVE-2022-2880)
* golang: net/http: handle server errors after sending GOAWAY
(CVE-2022-27664)
* Istio: Denial of service attack via a specially crafted message
(CVE-2022-39278)
* golang: regexp/syntax: limit memory used by parsing regexps
(CVE-2022-41715)
* kiali: error message spoofing in kiali UI (CVE-2022-3962)
* golang: math/big: decoding big.Float and big.Rat types can panic if the
encoded message is too short, potentially allowing a denial of service
(CVE-2022-32189)

For more details about security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, see the CVE page(s)
listed in the Container CVEs section.

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2113814 - CVE-2022-32189 golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service
2124669 - CVE-2022-27664 golang: net/http: handle server errors after sending GOAWAY
2132867 - CVE-2022-2879 golang: archive/tar: unbounded memory consumption when reading headers2132868 - CVE-2022-2880 golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters2132872 - CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps
2148199 - CVE-2022-39278 Istio: Denial of service attack via a specially crafted message
2148661 - CVE-2022-3962 kiali: error message spoofing in kiali UI
2156729 - CVE-2021-4238 goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be

5. JIRA issues fixed (https://issues.redhat.com/):

OSSM-1977 - Support for Istio Gateway API in Kiali
OSSM-2083 - Update maistra/istio 2.3 to Istio 1.14.5
OSSM-2147 - Unexpected validation message on Gateway object
OSSM-2169 - Member controller doesn't retry on conflict
OSSM-2170 - Member namespaces aren't cleaned up when a cluster-scoped SMMR is deleted
OSSM-2179 - Wasm plugins only support OCI images with 1 layer
OSSM-2184 - Istiod isn't allowed to delete analysis distribution report configmap
OSSM-2188 - Member namespaces not cleaned up when SMCP is deleted
OSSM-2189 - If multiple SMCPs exist in a namespace, the controller reconciles them all
OSSM-2190 - The memberroll controller reconciles SMMRs with invalid name
OSSM-2232 - The member controller reconciles ServiceMeshMember with invalid name
OSSM-2241 - Remove v2.0 from Create ServiceMeshControlPlane Form
OSSM-2251 - CVE-2022-3962 openshift-istio-kiali-container: kiali: content spoofing [ossm-2.3]
OSSM-2308 - add root CA certificates to kiali container
OSSM-2315 - be able to customize openshift auth timeouts
OSSM-2324 - Gateway injection does not work when pods are created by cluster admins
OSSM-2335 - Potential hang using Traces scatterplot chart
OSSM-2338 - Federation deployment does not need router mode sni-dnat
OSSM-2344 - Restarting istiod causes Kiali to flood CRI-O with port-forward requests
OSSM-2375 - Istiod should log member namespaces on every update
OSSM-2376 - ServiceMesh federation stops working after the restart of istiod pod
OSSM-535 - Support validationMessages in SMCP
OSSM-827 - ServiceMeshMembers point to wrong SMCP name

6. References:

https://access.redhat.com/security/cve/CVE-2016-3709
https://access.redhat.com/security/cve/CVE-2021-4238
https://access.redhat.com/security/cve/CVE-2021-23648
https://access.redhat.com/security/cve/CVE-2021-46848
https://access.redhat.com/security/cve/CVE-2022-1304
https://access.redhat.com/security/cve/CVE-2022-1705
https://access.redhat.com/security/cve/CVE-2022-1962
https://access.redhat.com/security/cve/CVE-2022-2879
https://access.redhat.com/security/cve/CVE-2022-2880
https://access.redhat.com/security/cve/CVE-2022-3515
https://access.redhat.com/security/cve/CVE-2022-3962
https://access.redhat.com/security/cve/CVE-2022-21673
https://access.redhat.com/security/cve/CVE-2022-21698
https://access.redhat.com/security/cve/CVE-2022-21702
https://access.redhat.com/security/cve/CVE-2022-21703
https://access.redhat.com/security/cve/CVE-2022-21713
https://access.redhat.com/security/cve/CVE-2022-22624
https://access.redhat.com/security/cve/CVE-2022-22628
https://access.redhat.com/security/cve/CVE-2022-22629
https://access.redhat.com/security/cve/CVE-2022-22662
https://access.redhat.com/security/cve/CVE-2022-26700
https://access.redhat.com/security/cve/CVE-2022-26709
https://access.redhat.com/security/cve/CVE-2022-26710
https://access.redhat.com/security/cve/CVE-2022-26716
https://access.redhat.com/security/cve/CVE-2022-26717
https://access.redhat.com/security/cve/CVE-2022-26719
https://access.redhat.com/security/cve/CVE-2022-27664
https://access.redhat.com/security/cve/CVE-2022-28131
https://access.redhat.com/security/cve/CVE-2022-30293
https://access.redhat.com/security/cve/CVE-2022-30630
https://access.redhat.com/security/cve/CVE-2022-30631
https://access.redhat.com/security/cve/CVE-2022-30632
https://access.redhat.com/security/cve/CVE-2022-30633
https://access.redhat.com/security/cve/CVE-2022-30635
https://access.redhat.com/security/cve/CVE-2022-32148
https://access.redhat.com/security/cve/CVE-2022-32189
https://access.redhat.com/security/cve/CVE-2022-35737
https://access.redhat.com/security/cve/CVE-2022-37434
https://access.redhat.com/security/cve/CVE-2022-39278
https://access.redhat.com/security/cve/CVE-2022-41715
https://access.redhat.com/security/cve/CVE-2022-42010
https://access.redhat.com/security/cve/CVE-2022-42011
https://access.redhat.com/security/cve/CVE-2022-42012
https://access.redhat.com/security/cve/CVE-2022-42898
https://access.redhat.com/security/cve/CVE-2022-43680
https://access.redhat.com/security/updates/classification/#important

7. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBY9hF9dzjgjWX9erEAQgVqw//Stg1D6CmXORVB3KQRPVBqBAg2v2xsFJQ
gSdTiXyeXj0jkfR3BfNMmoSrtq+LdNKGdOQQoMc3Ax/0VX4zv31YBPT9y/ZvrqdU
+tOYlfFIkga6t6N6I07FrRsYl7Jhpg7necRKtyXgNSEfvcNjsQI/1JWbLyaXS9X6
CGVjHTPh02lGOmGhD6j4zg2nwgfmZBC57ttoJBDoWBbu/rSkj1y1tJxbX1A3cc8I
O+47o72xK9lOBXV4oaUkFcYEM4xsgaYaUs/i+W3YroO09uZTekhaQYGqdNl85Hr7
CIFYM9UVi+GPF1C/+nmk9WPgR+v+lxMF83aX2qKp51eb3InpgMx12NAbg5K7xY9f
qUTkOy4QIwfw6q4fIzvouJvv3Pc4wP9d/2DaZVCP8fWuxgeY5MBr7olI9HwvigOw
agZR1fxHac3ykLaxVLhMAS0kjnceyl0LCx8XhzDi/6oXp/jRVslu50wEiJY6W6Nt
Sn5okd1czmSX0TuMVymPz2fNeFuokQwm3hv3UbI3f8p5V0V6aym8uOAk1BDCD8Fa
Yob/i6+vjSt5WQ4VtsIikagyUp3zF0tY+Mm2aiSm53jO7N1hTWJTL7FwqbM9jZRG
imkQY29Hmq1x2QY7ugOncqO/A/mg+o+OyF8pCnbOhn/28lO59PHJSeUyKWhUmIVe
XTXcI0pFjvY=6NS9
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2023-0542:01 Important: Red Hat OpenShift Service Mesh 2.3.1

Red Hat OpenShift Service Mesh 2.3.1 Containers Red Hat Product Security has rated this update as having a security impact of Important

Summary

Red Hat OpenShift Service Mesh is the Red Hat distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation.
This advisory covers container images for the release.
Security Fix(es):
* goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be (CVE-2021-4238) * golang: archive/tar: unbounded memory consumption when reading headers(CVE-2022-2879) * golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters (CVE-2022-2880) * golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664) * Istio: Denial of service attack via a specially crafted message (CVE-2022-39278) * golang: regexp/syntax: limit memory used by parsing regexps (CVE-2022-41715) * kiali: error message spoofing in kiali UI (CVE-2022-3962) * golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service (CVE-2022-32189)
For more details about security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, see the CVE page(s) listed in the Container CVEs section.



Summary


Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258

References

https://access.redhat.com/security/cve/CVE-2016-3709 https://access.redhat.com/security/cve/CVE-2021-4238 https://access.redhat.com/security/cve/CVE-2021-23648 https://access.redhat.com/security/cve/CVE-2021-46848 https://access.redhat.com/security/cve/CVE-2022-1304 https://access.redhat.com/security/cve/CVE-2022-1705 https://access.redhat.com/security/cve/CVE-2022-1962 https://access.redhat.com/security/cve/CVE-2022-2879 https://access.redhat.com/security/cve/CVE-2022-2880 https://access.redhat.com/security/cve/CVE-2022-3515 https://access.redhat.com/security/cve/CVE-2022-3962 https://access.redhat.com/security/cve/CVE-2022-21673 https://access.redhat.com/security/cve/CVE-2022-21698 https://access.redhat.com/security/cve/CVE-2022-21702 https://access.redhat.com/security/cve/CVE-2022-21703 https://access.redhat.com/security/cve/CVE-2022-21713 https://access.redhat.com/security/cve/CVE-2022-22624 https://access.redhat.com/security/cve/CVE-2022-22628 https://access.redhat.com/security/cve/CVE-2022-22629 https://access.redhat.com/security/cve/CVE-2022-22662 https://access.redhat.com/security/cve/CVE-2022-26700 https://access.redhat.com/security/cve/CVE-2022-26709 https://access.redhat.com/security/cve/CVE-2022-26710 https://access.redhat.com/security/cve/CVE-2022-26716 https://access.redhat.com/security/cve/CVE-2022-26717 https://access.redhat.com/security/cve/CVE-2022-26719 https://access.redhat.com/security/cve/CVE-2022-27664 https://access.redhat.com/security/cve/CVE-2022-28131 https://access.redhat.com/security/cve/CVE-2022-30293 https://access.redhat.com/security/cve/CVE-2022-30630 https://access.redhat.com/security/cve/CVE-2022-30631 https://access.redhat.com/security/cve/CVE-2022-30632 https://access.redhat.com/security/cve/CVE-2022-30633 https://access.redhat.com/security/cve/CVE-2022-30635 https://access.redhat.com/security/cve/CVE-2022-32148 https://access.redhat.com/security/cve/CVE-2022-32189 https://access.redhat.com/security/cve/CVE-2022-35737 https://access.redhat.com/security/cve/CVE-2022-37434 https://access.redhat.com/security/cve/CVE-2022-39278 https://access.redhat.com/security/cve/CVE-2022-41715 https://access.redhat.com/security/cve/CVE-2022-42010 https://access.redhat.com/security/cve/CVE-2022-42011 https://access.redhat.com/security/cve/CVE-2022-42012 https://access.redhat.com/security/cve/CVE-2022-42898 https://access.redhat.com/security/cve/CVE-2022-43680 https://access.redhat.com/security/updates/classification/#important

Package List


Severity
Advisory ID: RHSA-2023:0542-01
Product: RHOSSM
Advisory URL: https://access.redhat.com/errata/RHSA-2023:0542
Issued Date: : 2023-01-30
CVE Names: CVE-2016-3709 CVE-2021-4238 CVE-2021-23648 CVE-2021-46848 CVE-2022-1304 CVE-2022-1705 CVE-2022-1962 CVE-2022-2879 CVE-2022-2880 CVE-2022-3515 CVE-2022-3962 CVE-2022-21673 CVE-2022-21698 CVE-2022-21702 CVE-2022-21703 CVE-2022-21713 CVE-2022-22624 CVE-2022-22628 CVE-2022-22629 CVE-2022-22662 CVE-2022-26700 CVE-2022-26709 CVE-2022-26710 CVE-2022-26716 CVE-2022-26717 CVE-2022-26719 CVE-2022-27664 CVE-2022-28131 CVE-2022-30293 CVE-2022-30630 CVE-2022-30631 CVE-2022-30632 CVE-2022-30633 CVE-2022-30635 CVE-2022-32148 CVE-2022-32189 CVE-2022-35737 CVE-2022-37434 CVE-2022-39278 CVE-2022-41715 CVE-2022-42010 CVE-2022-42011 CVE-2022-42012 CVE-2022-42898 CVE-2022-43680

Topic

Red Hat OpenShift Service Mesh 2.3.1 ContainersRed Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.


Topic


 

Relevant Releases Architectures


Bugs Fixed

2113814 - CVE-2022-32189 golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service

2124669 - CVE-2022-27664 golang: net/http: handle server errors after sending GOAWAY

2132867 - CVE-2022-2879 golang: archive/tar: unbounded memory consumption when reading headers2132868 - CVE-2022-2880 golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters2132872 - CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps

2148199 - CVE-2022-39278 Istio: Denial of service attack via a specially crafted message

2148661 - CVE-2022-3962 kiali: error message spoofing in kiali UI

2156729 - CVE-2021-4238 goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be

5. JIRA issues fixed (https://issues.redhat.com/):

OSSM-1977 - Support for Istio Gateway API in Kiali

OSSM-2083 - Update maistra/istio 2.3 to Istio 1.14.5

OSSM-2147 - Unexpected validation message on Gateway object

OSSM-2169 - Member controller doesn't retry on conflict

OSSM-2170 - Member namespaces aren't cleaned up when a cluster-scoped SMMR is deleted

OSSM-2179 - Wasm plugins only support OCI images with 1 layer

OSSM-2184 - Istiod isn't allowed to delete analysis distribution report configmap

OSSM-2188 - Member namespaces not cleaned up when SMCP is deleted

OSSM-2189 - If multiple SMCPs exist in a namespace, the controller reconciles them all

OSSM-2190 - The memberroll controller reconciles SMMRs with invalid name

OSSM-2232 - The member controller reconciles ServiceMeshMember with invalid name

OSSM-2241 - Remove v2.0 from Create ServiceMeshControlPlane Form

OSSM-2251 - CVE-2022-3962 openshift-istio-kiali-container: kiali: content spoofing [ossm-2.3]

OSSM-2308 - add root CA certificates to kiali container

OSSM-2315 - be able to customize openshift auth timeouts

OSSM-2324 - Gateway injection does not work when pods are created by cluster admins

OSSM-2335 - Potential hang using Traces scatterplot chart

OSSM-2338 - Federation deployment does not need router mode sni-dnat

OSSM-2344 - Restarting istiod causes Kiali to flood CRI-O with port-forward requests

OSSM-2375 - Istiod should log member namespaces on every update

OSSM-2376 - ServiceMesh federation stops working after the restart of istiod pod

OSSM-535 - Support validationMessages in SMCP

OSSM-827 - ServiceMeshMembers point to wrong SMCP name


Related News

5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
30.Lock Globe Motherboard Esm H320
1 - 2 min read
The SPDX 3.0 release marks a significant milestone in software management, particularly for Linux admins, infosec professionals, internet security
11.Locks IsometricPattern Esm H320
2 - 3 min read
Open Source maintainers and developers have been warned about the continued wave of attacks aimed at project maintainers similar to those recently
28.Lock Globe Esm H320
1 - 2 min read
A resurgence of cyberattacks targeting Linux systems in Asian campaigns through the utilization of the Pupy Remote Access Trojan (RAT) has been
27.Tablet Connections Blocks Lock Esm H320
2 - 4 min read
Canonical has recently announced the Beta release of Ubuntu Linux 24.04 LTS , codenamed "Noble Numbat." This release aims to continue Ubuntu's
21.Globe RadiatingCode Esm H320
2 - 3 min read
The open-source movement has come a long way, from its origins in the 1960s and 1970s to becoming an integral part of organizations worldwide.
13.Lock StylizedMotherboard Esm H320
2 - 3 min read
The Rust-based Edera project demonstrates a unique approach to container security that addresses cloud-native computing challenges. Let's examine
8.Locks HexConnections CodeGlobe Esm H320
2 - 3 min read
Canonical has launched Ubuntu Pro for Devices , a comprehensive offering emphasizing security and compliance for IoT device deployments. This
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved