-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat OpenShift Service Mesh 2.2.9  security update
Advisory ID:       RHSA-2023:4623-01
Product:           Red Hat OpenShift Service Mesh
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4623
Issue date:        2023-08-11
CVE Names:         CVE-2023-27487 CVE-2023-27488 CVE-2023-27491 
                   CVE-2023-27492 CVE-2023-27493 CVE-2023-27496 
=====================================================================

1. Summary:

Red Hat OpenShift Service Mesh 2.2.9

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio
service mesh project, tailored for installation into an OpenShift Container
Platform installation.

Security Fix(es):

* envoy: Client may fake the header `x-envoy-original-path`
(CVE-2023-27487)

* envoy: envoy doesn't escape HTTP header values (CVE-2023-27493)

* envoy: gRPC client produces invalid protobuf when an HTTP header with
non-UTF8 value is received (CVE-2023-27488)

* envoy: Envoy forwards invalid HTTP/2 and HTTP/3 downstream
(CVE-2023-27491)

* envoy:  Crash when a large request body is processed in Lua filter
(CVE-2023-27492)

* envoy: Crash when a redirect url without a state param is received in the
oauth filter (CVE-2023-27496)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2179135 - CVE-2023-27487 envoy: Client may fake the header `x-envoy-original-path`
2179138 - CVE-2023-27491 envoy: Envoy forwards invalid HTTP/2 and HTTP/3 downstream
2179139 - CVE-2023-27492 envoy:  Crash when a large request body is processed in Lua filter
2182155 - CVE-2023-27496 envoy: Crash when a redirect url without a state param is received in the oauth filter
2182156 - CVE-2023-27488 envoy: gRPC client produces invalid protobuf when an HTTP header with non-UTF8 value is received
2182158 - CVE-2023-27493 envoy: envoy doesn't escape HTTP header values

5. References:

https://access.redhat.com/security/cve/CVE-2023-27487
https://access.redhat.com/security/cve/CVE-2023-27488
https://access.redhat.com/security/cve/CVE-2023-27491
https://access.redhat.com/security/cve/CVE-2023-27492
https://access.redhat.com/security/cve/CVE-2023-27493
https://access.redhat.com/security/cve/CVE-2023-27496
https://access.redhat.com/security/updates/classification/#important

6. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJk1pfaAAoJENzjgjWX9erE16UP/Az3YBHc2BsjRSY0/48IyI49
PZ8yFpBCQMocY7dnts48iFeeVZtQlFruLzOOvGWvaKyPCSiyC0XtTg/6sw71XCaf
bpOsMXNV75ggf0tTO6JEgGqD326pdOnYqXMUfBnxvgtqQ/Ej1kyGCig+c7bEcvB0
l0m4NsAo224h8U33fnOPbgP/m/0elWCTcZbOUBLd+qRqwE9edZX4Chd+3l3pq5kg
zJHLKHui/q+dAIqgsoK6CznTglUXuFQlYpu+vlAomrMGED7kx3t7QgttmhlL7krl
rKIBgJml3nottyavLGmdCBiuklBlcNNV6LHZNkIEaIaH7Hlgbcb0AWHcOr97KXxQ
K1ZpIdNOX0IDgltC3cGWbmiNmM45KSWKjCTUKXPiD0jlIxbuDIrqT25tOlNw4nRa
R4hoiJUvUBl33zcg0q1JZmr9iYA7kKmrQUTgjMaFersmaeVaALBsmwdmTasaAsC0
jdNzrbRB2JCnozPUphYff6Zc0iIKKPmMKtAWDzdyor0eQ+7sPfXNyND2WC5OQtVS
oLK/juc7CxQkMhOI09goLFMSUEO7czvKzdr5rzG8s1D7JHNtPLlCy2D0X4jAXIKD
Ca53KIpxVrEUpmrApFvZscITKSyEGt0pouxEh2mFU6Op1ZcnONOeDXz7+KVfQTZZ
3+soC5oF43vm3/r9KJAz
=xctn
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2023-4623:01 Important: Red Hat OpenShift Service Mesh 2.2.9

Red Hat OpenShift Service Mesh 2.2.9 Red Hat Product Security has rated this update as having a security impact of Important

Summary

Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for installation into an OpenShift Container Platform installation.
Security Fix(es):
* envoy: Client may fake the header `x-envoy-original-path` (CVE-2023-27487)
* envoy: envoy doesn't escape HTTP header values (CVE-2023-27493)
* envoy: gRPC client produces invalid protobuf when an HTTP header with non-UTF8 value is received (CVE-2023-27488)
* envoy: Envoy forwards invalid HTTP/2 and HTTP/3 downstream (CVE-2023-27491)
* envoy: Crash when a large request body is processed in Lua filter (CVE-2023-27492)
* envoy: Crash when a redirect url without a state param is received in the oauth filter (CVE-2023-27496)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.



Summary


Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258

References

https://access.redhat.com/security/cve/CVE-2023-27487 https://access.redhat.com/security/cve/CVE-2023-27488 https://access.redhat.com/security/cve/CVE-2023-27491 https://access.redhat.com/security/cve/CVE-2023-27492 https://access.redhat.com/security/cve/CVE-2023-27493 https://access.redhat.com/security/cve/CVE-2023-27496 https://access.redhat.com/security/updates/classification/#important

Package List


Severity
Advisory ID: RHSA-2023:4623-01
Product: Red Hat OpenShift Service Mesh
Advisory URL: https://access.redhat.com/errata/RHSA-2023:4623
Issued Date: : 2023-08-11
CVE Names: CVE-2023-27487 CVE-2023-27488 CVE-2023-27491 CVE-2023-27492 CVE-2023-27493 CVE-2023-27496

Topic

Red Hat OpenShift Service Mesh 2.2.9Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.


Topic


 

Relevant Releases Architectures


Bugs Fixed

2179135 - CVE-2023-27487 envoy: Client may fake the header `x-envoy-original-path`

2179138 - CVE-2023-27491 envoy: Envoy forwards invalid HTTP/2 and HTTP/3 downstream

2179139 - CVE-2023-27492 envoy: Crash when a large request body is processed in Lua filter

2182155 - CVE-2023-27496 envoy: Crash when a redirect url without a state param is received in the oauth filter

2182156 - CVE-2023-27488 envoy: gRPC client produces invalid protobuf when an HTTP header with non-UTF8 value is received

2182158 - CVE-2023-27493 envoy: envoy doesn't escape HTTP header values


Related News

22.Lock ScreenEffect Esm H320
2 - 3 min read
Red Hat recently released its newest enterprise Linux distro, Red Hat Enterprise Linux (RHEL) 9.4 , which introduces several features designed to
8.Locks HexConnections CodeGlobe Esm H320
1 - 2 min read
The latest release of Debian , one of the oldest and most trusted distributions within the Linux ecosystem, redefines security, stability, and
20.Lock AbstractDigital Circular Esm H320
1 - 2 min read
The Ubuntu security team has recently discovered and addressed multiple vulnerabilities in the Apache HTTP Server. The vulnerabilities affected
1.Penguin Landscape Esm H320
1 - 2 min read
A critical vulnerability was discovered in the Linux kernel's netfilter subsystem, specifically within the nf_tables component, posing potential
19.Laptop Bed Esm H320
2 - 3 min read
The release of Google Chrome 124 addresses four vulnerabilities, including a critical security flaw that can enable attackers to execute arbitrary
23.Tablet Connections Esm H320
2 - 3 min read
The release of Ubuntu 24.04 LTS , also known as Noble Numbat, brings various security enhancements and exciting new features . These improvements
4.Lock AbstractDigital Esm H320
2 - 3 min read
Tails 6.2 is a new Linux distribution release that expands its multilingual support and improves security features. The distribution is a
19.Laptop Bed Esm H320
2 - 3 min read
AlmaLinux 9.4 beta has been released and provides compelling reasons to consider it for desktop usage. While AlmaLinux is primarily known as a
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved