Alerts This Week
Warning Icon 1 692
Alerts This Week
Warning Icon 1 692

RedHat OpenShift 2.3.1 RHSA-2023-0542 Important Denial of Service Fix

red hat
Calendar Grey January 30, 2023
Dist Redhat Esm H88
Red Hat OpenShift Service Mesh 2.3.1 has released a security update that rectifies significant vulnerabilities, notably those concerning potential denial of service threats.
Red Hat OpenShift Service Mesh 2.3.1 Containers Red Hat Product Security has rated this update as having a security impact of Important

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Summary

Red Hat OpenShift Service Mesh is the Red Hat distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation.
This advisory covers container images for the release.
Security Fix(es):
* goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be (CVE-2021-4238) * golang: archive/tar: unbounded memory consumption when reading headers(CVE-2022-2879) * golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters (CVE-2022-2880) * golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664) * Istio: Denial of service attack via a specially crafted message (CVE-2022-39278) * golang: regexp/syntax: limit memory used by parsing regexps (CVE-2022-41715) * kiali: error message spoofing in kiali UI (CVE-2022-3962) * golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service (CVE-2022-32189)
For more details about security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, see the CVE page(s) listed in the Container CVEs section.

Topics%20covered

Topics Covered

security advisory denial of service security issue important Red Hat OpenShift service mesh container images

References

https://access.redhat.com/security/cve/CVE-2016-3709 https://access.redhat.com/security/cve/CVE-2021-4238 https://access.redhat.com/security/cve/CVE-2021-23648 https://access.redhat.com/security/cve/CVE-2021-46848 https://access.redhat.com/security/cve/CVE-2022-1304 https://access.redhat.com/security/cve/CVE-2022-1705 https://access.redhat.com/security/cve/CVE-2022-1962 https://access.redhat.com/security/cve/CVE-2022-2879 https://access.redhat.com/security/cve/CVE-2022-2880 https://access.redhat.com/security/cve/CVE-2022-3515 https://access.redhat.com/security/cve/CVE-2022-3962 https://access.redhat.com/security/cve/CVE-2022-21673 https://access.redhat.com/security/cve/CVE-2022-21698 https://access.redhat.com/security/cve/CVE-2022-21702 https://access.redhat.com/security/cve/CVE-2022-21703 https://access.redhat.com/security/cve/CVE-2022-21713 https://access.redhat.com/security/cve/CVE-2022-22624 https://access.redhat.com/security/cve/CVE-2022-22628 https://access.redhat.com/security/cve/CVE-2022-22629 https://access.redhat.com/security/cve/CVE-2022-22662 https://access.redhat.com/security/cve/CVE-2022-26700 https://access.redhat.com/security/cve/CVE-2022-26709 https://access.redhat.com/security/cve/CVE-2022-26710 Read the Full Advisory

Package List


Severity
important
Lowest
Low
Medium
High
Critical

Advisory ID: RHSA-2023:0542-01
Product: RHOSSM
Advisory URL: https://access.redhat.com/errata/RHSA-2023:0542
Issue date: 2023-01-30

Topic

Red Hat OpenShift Service Mesh 2.3.1 ContainersRed Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.

Topics%20covered

Topics Covered

security advisory denial of service security issue important Red Hat OpenShift service mesh container images

Relevant Releases Architectures

Bugs Fixed

2113814 - CVE-2022-32189 golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service

2124669 - CVE-2022-27664 golang: net/http: handle server errors after sending GOAWAY

2132867 - CVE-2022-2879 golang: archive/tar: unbounded memory consumption when reading headers2132868 - CVE-2022-2880 golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters2132872 - CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps

2148199 - CVE-2022-39278 Istio: Denial of service attack via a specially crafted message

2148661 - CVE-2022-3962 kiali: error message spoofing in kiali UI

2156729 - CVE-2021-4238 goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be

5. JIRA issues fixed (https://redhat.atlassian.net/jira/projects):

OSSM-1977 - Support for Istio Gateway API in Kiali

OSSM-2083 - Update maistra/istio 2.3 to Istio 1.14.5

OSSM-2147 - Unexpected validation message on Gateway object

OSSM-2169 - Member controller doesn't retry on conflict

OSSM-2170 - Member namespaces aren't cleaned up when a cluster-scoped SMMR is deleted

OSSM-2179 - Wasm plugins only support OCI images with 1 layer

OSSM-2184 - Istiod isn't allowed to delete analysis distribution report configmap

OSSM-2188 - Member namespaces not cleaned up when SMCP is deleted

Read the Full Advisory

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here