Red Hat OpenShift 2.2.9 Advisory RHSA-2023:4623-01 Important: Envoy Issues
red hat
August 11, 2023
Red Hat OpenShift Service Mesh 2.2.9 Red Hat Product Security has rated this update as having a security impact of Important
Solution
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
Summary
Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio
service mesh project, tailored for installation into an OpenShift Container
Platform installation.
Security Fix(es):
* envoy: Client may fake the header `x-envoy-original-path`
(CVE-2023-27487)
* envoy: envoy doesn't escape HTTP header values (CVE-2023-27493)
* envoy: gRPC client produces invalid protobuf when an HTTP header with
non-UTF8 value is received (CVE-2023-27488)
* envoy: Envoy forwards invalid HTTP/2 and HTTP/3 downstream
(CVE-2023-27491)
* envoy: Crash when a large request body is processed in Lua filter
(CVE-2023-27492)
* envoy: Crash when a redirect url without a state param is received in the
oauth filter (CVE-2023-27496)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Topics Covered
References
https://access.redhat.com/security/cve/CVE-2023-27487 https://access.redhat.com/security/cve/CVE-2023-27488 https://access.redhat.com/security/cve/CVE-2023-27491 https://access.redhat.com/security/cve/CVE-2023-27492 https://access.redhat.com/security/cve/CVE-2023-27493 https://access.redhat.com/security/cve/CVE-2023-27496 https://access.redhat.com/security/updates/classification/#important
Package List
PREVIOUS
NEXT
Severity
important
Lowest
Low
Medium
High
Critical
Advisory ID: RHSA-2023:4623-01
Product: Red Hat OpenShift Service Mesh
Advisory URL: https://access.redhat.com/errata/RHSA-2023:4623
Issue date: 2023-08-11
Topic
Red Hat OpenShift Service Mesh 2.2.9Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.
Topics Covered
Relevant Releases Architectures
Bugs Fixed
2179135 - CVE-2023-27487 envoy: Client may fake the header `x-envoy-original-path`
2179138 - CVE-2023-27491 envoy: Envoy forwards invalid HTTP/2 and HTTP/3 downstream
2179139 - CVE-2023-27492 envoy: Crash when a large request body is processed in Lua filter
2182155 - CVE-2023-27496 envoy: Crash when a redirect url without a state param is received in the oauth filter
2182156 - CVE-2023-27488 envoy: gRPC client produces invalid protobuf when an HTTP header with non-UTF8 value is received
2182158 - CVE-2023-27493 envoy: envoy doesn't escape HTTP header values
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!