-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat OpenShift Service Mesh Containers for 2.3.2 security update
Advisory ID:       RHSA-2023:1448-01
Product:           RHOSSM
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1448
Issue date:        2023-03-23
CVE Names:         CVE-2020-10735 CVE-2021-28861 CVE-2021-46848 
                   CVE-2022-4415 CVE-2022-35737 CVE-2022-40303 
                   CVE-2022-40304 CVE-2022-40897 CVE-2022-41717 
                   CVE-2022-42010 CVE-2022-42011 CVE-2022-42012 
                   CVE-2022-43680 CVE-2022-45061 CVE-2022-47629 
                   CVE-2022-48303 CVE-2023-23916 
====================================================================
1. Summary:

Red Hat OpenShift Service Mesh Containers for 2.3.2

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Service Mesh is the Red Hat distribution of the Istio
service mesh project, tailored for installation into an on-premise
OpenShift Container Platform installation.

This advisory covers container images for the release.

Security Fix(es):

* golang: net/http: An attacker can cause excessive memory growth in a Go
server accepting HTTP/2 requests (CVE-2022-41717)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2161274 - CVE-2022-41717 golang: net/http: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests

5. JIRA issues fixed (https://issues.redhat.com/):

OSSM-1330 - Allow specifying secret as pilot server cert when using CertificateAuthority: Custom
OSSM-2342 - Run OSSM operator on infrastructure nodes
OSSM-2371 - Kiali in read-only mode still can change the log level of the envoy proxies
OSSM-2373 - Can't login to Kiali with "Error trying to get OAuth metadata"
OSSM-2374 - Deleting a SMM also deletes the SMMR in OpenShift Service Mesh
OSSM-2492 - Default tolerations in SMCP not passed to Jaeger
OSSM-2493 - Default nodeSelector and tolerations in SMCP not passed to Kiali
OSSM-3317 - Error: deployment.accessible_namespaces set to ['**']

6. References:

https://access.redhat.com/security/cve/CVE-2020-10735
https://access.redhat.com/security/cve/CVE-2021-28861
https://access.redhat.com/security/cve/CVE-2021-46848
https://access.redhat.com/security/cve/CVE-2022-4415
https://access.redhat.com/security/cve/CVE-2022-35737
https://access.redhat.com/security/cve/CVE-2022-40303
https://access.redhat.com/security/cve/CVE-2022-40304
https://access.redhat.com/security/cve/CVE-2022-40897
https://access.redhat.com/security/cve/CVE-2022-41717
https://access.redhat.com/security/cve/CVE-2022-42010
https://access.redhat.com/security/cve/CVE-2022-42011
https://access.redhat.com/security/cve/CVE-2022-42012
https://access.redhat.com/security/cve/CVE-2022-43680
https://access.redhat.com/security/cve/CVE-2022-45061
https://access.redhat.com/security/cve/CVE-2022-47629
https://access.redhat.com/security/cve/CVE-2022-48303
https://access.redhat.com/security/cve/CVE-2023-23916
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBZBzBgdzjgjWX9erEAQg+RA//U81YTWP1rgG9WS9tC680BqAEEIPxsu+m
EYKP0RuNAIRQ2I75GKo3V6NPanherwNzJLOlf4rbfcYH+YtrMWvTDlo+BRZ4vqiK
+LsWBg79XkcJKq2er7NJ9ZJsz2PYiEHVhUdLmlg5aVvi1AJMSfimVxvNTKPR39LU
r/dUsF3uThlY3jcaSsix0CiawOtS8pfV9xKx4wUtbI1HoKHOODjRIz34AZEdldP+
TSxILtPstiAw4LsEWUBPcGd0LSAtA8apMa8c5Hqtr8Sv0EaF1HRqp2jF1JvI/YIF
3o7nW9POMOCl+6MHHQ5RSHKdGwj8NDtkCwIgGoaMLE4KeTIWyA82V7Scx51Hkcpj
eBj1bPI7HPwglage6XM/gVJrGy5RucGL7HRQjYa3e+g7az3rtT0cVGdIKUXEiNaF
t3oBrvQWFCvjpc/9zRdWX48H+S1rPz67enUvpAnMT4/xh4+4A50LZXOD7rzlScy7
yKw2ZuSqvEd8IQDwNGvL1syS45QVda0DkiWDgJBu0I9JMFAZsklwqE2EHmWtP455
iTZF+ihoEKNH/OACDLYYYqWqCEhav7YTXcVsoF7jb5fM2cJyfHjdBWnqDhUQTSS1
5N5uptv3bCSo/fwbvr1SXFUto4Gpt/G2fPHH2pTm2FKg9GRgJRpzQFZyg5L69UDG
fLr0RtMPl5A=B2kJ
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2023-1448:01 Moderate: Red Hat OpenShift Service Mesh

Red Hat OpenShift Service Mesh Containers for 2.3.2 Red Hat Product Security has rated this update as having a security impact of Moderate

Summary

Red Hat OpenShift Service Mesh is the Red Hat distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation.
This advisory covers container images for the release.
Security Fix(es):
* golang: net/http: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.



Summary


Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258

References

https://access.redhat.com/security/cve/CVE-2020-10735 https://access.redhat.com/security/cve/CVE-2021-28861 https://access.redhat.com/security/cve/CVE-2021-46848 https://access.redhat.com/security/cve/CVE-2022-4415 https://access.redhat.com/security/cve/CVE-2022-35737 https://access.redhat.com/security/cve/CVE-2022-40303 https://access.redhat.com/security/cve/CVE-2022-40304 https://access.redhat.com/security/cve/CVE-2022-40897 https://access.redhat.com/security/cve/CVE-2022-41717 https://access.redhat.com/security/cve/CVE-2022-42010 https://access.redhat.com/security/cve/CVE-2022-42011 https://access.redhat.com/security/cve/CVE-2022-42012 https://access.redhat.com/security/cve/CVE-2022-43680 https://access.redhat.com/security/cve/CVE-2022-45061 https://access.redhat.com/security/cve/CVE-2022-47629 https://access.redhat.com/security/cve/CVE-2022-48303 https://access.redhat.com/security/cve/CVE-2023-23916 https://access.redhat.com/security/updates/classification/#moderate

Package List


Severity
Advisory ID: RHSA-2023:1448-01
Product: RHOSSM
Advisory URL: https://access.redhat.com/errata/RHSA-2023:1448
Issued Date: : 2023-03-23
CVE Names: CVE-2020-10735 CVE-2021-28861 CVE-2021-46848 CVE-2022-4415 CVE-2022-35737 CVE-2022-40303 CVE-2022-40304 CVE-2022-40897 CVE-2022-41717 CVE-2022-42010 CVE-2022-42011 CVE-2022-42012 CVE-2022-43680 CVE-2022-45061 CVE-2022-47629 CVE-2022-48303 CVE-2023-23916

Topic

Red Hat OpenShift Service Mesh Containers for 2.3.2Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.


Topic


 

Relevant Releases Architectures


Bugs Fixed

2161274 - CVE-2022-41717 golang: net/http: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests

5. JIRA issues fixed (https://issues.redhat.com/):

OSSM-1330 - Allow specifying secret as pilot server cert when using CertificateAuthority: Custom

OSSM-2342 - Run OSSM operator on infrastructure nodes

OSSM-2371 - Kiali in read-only mode still can change the log level of the envoy proxies

OSSM-2373 - Can't login to Kiali with "Error trying to get OAuth metadata"

OSSM-2374 - Deleting a SMM also deletes the SMMR in OpenShift Service Mesh

OSSM-2492 - Default tolerations in SMCP not passed to Jaeger

OSSM-2493 - Default nodeSelector and tolerations in SMCP not passed to Kiali

OSSM-3317 - Error: deployment.accessible_namespaces set to ['**']


Related News

4.Lock AbstractDigital Esm H320
2 - 3 min read
Tails 6.2 is a new Linux distribution release that expands its multilingual support and improves security features. The distribution is a
19.Laptop Bed Esm H320
2 - 3 min read
AlmaLinux 9.4 beta has been released and provides compelling reasons to consider it for desktop usage. While AlmaLinux is primarily known as a
32.Lock Code Circular Esm H320
2 - 3 min read
Linux admins and security practitioners face significant challenges in keeping their Linux systems secure amidst the constant threat of kernel bugs.
1.Penguin Landscape Esm H320
2 - 3 min read
A significant security threat, known as the Spectre v2 exploit, has been observed targeting Linux systems running on modern Intel processors. Let's
10.FingerPrint Locks Esm H320
2 - 3 min read
The recent release of I2P 2.5.0 , an anonymous P2P network that protects against online censorship, surveillance, and monitoring, has brought a slew
24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
30.Lock Globe Motherboard Esm H320
1 - 2 min read
The SPDX 3.0 release marks a significant milestone in software management, particularly for Linux admins, infosec professionals, internet security
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved