Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 573
Alerts This Week
Warning Icon 1 573

Red Hat OpenShift 2.2.7 Moderate Advisory: RHSA-2023-3645-01

red hat
Calendar Grey June 16, 2023
Dist Redhat Esm H88
The recent update to Red Hat OpenShift Service Mesh version 2.2.7 tackles several moderate security vulnerabilities. Discover additional details about these security flaws.
Red Hat OpenShift Service Mesh 2.2.7 Red Hat Product Security has rated this update as having a security impact of Moderate

Solution

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Summary

Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for installation into an OpenShift Container Platform installation.
This advisory covers the RPM packages for the release.
Security Fix(es):
* mongo-go-driver: specific cstrings input may not be properly validated (CVE-2021-20329) * async: Prototype Pollution in async (CVE-2021-43138) * express: "qs" prototype poisoning causes the hang of the node process (CVE-2022-24999) * terser: insecure use of regular expressions leads to ReDoS (CVE-2022-25858)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

https://access.redhat.com/security/cve/CVE-2021-20329 https://access.redhat.com/security/cve/CVE-2021-43138 https://access.redhat.com/security/cve/CVE-2022-2880 https://access.redhat.com/security/cve/CVE-2022-4304 https://access.redhat.com/security/cve/CVE-2022-4450 https://access.redhat.com/security/cve/CVE-2022-24999 https://access.redhat.com/security/cve/CVE-2022-25858 https://access.redhat.com/security/cve/CVE-2022-27664 https://access.redhat.com/security/cve/CVE-2022-36227 https://access.redhat.com/security/cve/CVE-2022-39229 https://access.redhat.com/security/cve/CVE-2022-41715 https://access.redhat.com/security/cve/CVE-2023-0215 https://access.redhat.com/security/cve/CVE-2023-0286 https://access.redhat.com/security/cve/CVE-2023-0361 https://access.redhat.com/security/cve/CVE-2023-27535 https://access.redhat.com/security/updates/classification#moderate

Package List


Advisory ID: RHSA-2023:3645-01
Product: RHOSSM
Issue date: 2023-06-15

Topic

Red Hat OpenShift Service Mesh 2.2.7Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.

Relevant Releases Architectures

Bugs Fixed

1971033 - CVE-2021-20329 mongo-go-driver: specific cstrings input may not be properly validated

2126276 - CVE-2021-43138 async: Prototype Pollution in async

2126277 - CVE-2022-25858 terser: insecure use of regular expressions leads to ReDoS

2150323 - CVE-2022-24999 express: "qs" prototype poisoning causes the hang of the node process

5. JIRA issues fixed (https://redhat.atlassian.net/jira/projects):

OSSM-3596 - Port istio-cni fix for RHEL9 to maistra-2.2

OSSM-3720 - Port egress-gateway wrong network gateway endpoints fix in maistra-2.2

OSSM-3783 - operator can deadlock when istiod deployment fails [maistra-2.2]

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.