-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat OpenShift Service Mesh 2.2.10 security update
Advisory ID:       RHSA-2023:5175-01
Product:           Red Hat OpenShift Service Mesh
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:5175
Issue date:        2023-09-14
CVE Names:         CVE-2016-3709 CVE-2020-24736 CVE-2023-1667 
                   CVE-2023-2283 CVE-2023-2602 CVE-2023-2603 
                   CVE-2023-3899 CVE-2023-26604 CVE-2023-27536 
                   CVE-2023-28321 CVE-2023-28484 CVE-2023-29469 
                   CVE-2023-32681 CVE-2023-34969 CVE-2023-35941 
                   CVE-2023-35944 CVE-2023-35945 
=====================================================================

1. Summary:

Red Hat OpenShift Service Mesh 2.2.10

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio
service mesh project, tailored for installation into an OpenShift Container
Platform installation.

Security Fix(es):

* envoy: OAuth2 credentials exploit with permanent validity
(CVE-2023-35941)

* envoy: Incorrect handling of HTTP requests and responses with mixed case
schemes (CVE-2023-35944)

* envoy: HTTP/2 memory leak in nghttp2 codec (CVE-2023-35945)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2217977 - CVE-2023-35941 envoy: OAuth2 credentials exploit with permanent validity
2217983 - CVE-2023-35945 envoy: HTTP/2 memory leak in nghttp2 codec
2217985 - CVE-2023-35944 envoy: Incorrect handling of HTTP requests and responses with mixed case schemes

5. JIRA issues fixed (https://issues.redhat.com/):

OSSM-4799 - Kiali base-image update for OSSM 2.2.10

6. References:

https://access.redhat.com/security/cve/CVE-2016-3709
https://access.redhat.com/security/cve/CVE-2020-24736
https://access.redhat.com/security/cve/CVE-2023-1667
https://access.redhat.com/security/cve/CVE-2023-2283
https://access.redhat.com/security/cve/CVE-2023-2602
https://access.redhat.com/security/cve/CVE-2023-2603
https://access.redhat.com/security/cve/CVE-2023-3899
https://access.redhat.com/security/cve/CVE-2023-26604
https://access.redhat.com/security/cve/CVE-2023-27536
https://access.redhat.com/security/cve/CVE-2023-28321
https://access.redhat.com/security/cve/CVE-2023-28484
https://access.redhat.com/security/cve/CVE-2023-29469
https://access.redhat.com/security/cve/CVE-2023-32681
https://access.redhat.com/security/cve/CVE-2023-34969
https://access.redhat.com/security/cve/CVE-2023-35941
https://access.redhat.com/security/cve/CVE-2023-35944
https://access.redhat.com/security/cve/CVE-2023-35945
https://access.redhat.com/security/updates/classification/#important

7. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJlA3q2AAoJENzjgjWX9erEdf0P/3QfCq+SJQ9z3HnMKY/9rgTo
c2cyIMdt0PZYwcd7jAdJ1Cad0g3Oevh8bDEYhmrvtV8nitGiryhJavjA+BDFP5NF
rSqRH9j2Tsp6OYvPCgHAM31A7FAQWSSBmaoCaad47qsmRGM2pyOoppxTJe7Nck2/
MU/m3eSRjHxeoZiEVsdc6O6KYiTbHuPlhoCRUzTC5DnNDPwEDMMt0XGPAeBhe75q
x4rFe0CkOpNyGhrGlpioUedajBluU0LpiqDOKoGU5ZkRlg7x2+2D5q9R7M2qaDUM
1PuQ/EJZewzk9BINio1YDU7xZIJ9CzKDS0NhqxZ/8scenGpVLrX4CVC3FAM4SzfY
tSkYn27WgwvyuTeioth8MdbMS4GOuUl4ebstlzVeD6zeqqvzSinA6tPz2LbAuyru
8rBad7xQPVuazWSBXzzlnbguM1t19vcinvAzU9SQtKvCwnQa4CYCzIO6KKaaG/Y7
f6s2pfMfyQlgTMLGE96xABUMK4G06IhlY78hcYCg+gmmU5q4JrLOCIV2IG7a/qZ0
52Mv3hHE0Orzn46bLjL0RLdGxyW8r+XpXHfyO3IoEATuygR1vxFpvCZHfPatbUwq
mWEOLRiCxq1RmXfjzPJlkNl/NCqNFwrGwZm0YrhPXSl1Ib9vo98wkqP2Eo2NuM2F
cSSMp7PgsLR/wqjocz1A
=SNT2
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2023-5175:01 Important: Red Hat OpenShift Service Mesh 2.2.10

Red Hat OpenShift Service Mesh 2.2.10 Red Hat Product Security has rated this update as having a security impact of Important

Summary

Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for installation into an OpenShift Container Platform installation.
Security Fix(es):
* envoy: OAuth2 credentials exploit with permanent validity (CVE-2023-35941)
* envoy: Incorrect handling of HTTP requests and responses with mixed case schemes (CVE-2023-35944)
* envoy: HTTP/2 memory leak in nghttp2 codec (CVE-2023-35945)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.



Summary


Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258

References

https://access.redhat.com/security/cve/CVE-2016-3709 https://access.redhat.com/security/cve/CVE-2020-24736 https://access.redhat.com/security/cve/CVE-2023-1667 https://access.redhat.com/security/cve/CVE-2023-2283 https://access.redhat.com/security/cve/CVE-2023-2602 https://access.redhat.com/security/cve/CVE-2023-2603 https://access.redhat.com/security/cve/CVE-2023-3899 https://access.redhat.com/security/cve/CVE-2023-26604 https://access.redhat.com/security/cve/CVE-2023-27536 https://access.redhat.com/security/cve/CVE-2023-28321 https://access.redhat.com/security/cve/CVE-2023-28484 https://access.redhat.com/security/cve/CVE-2023-29469 https://access.redhat.com/security/cve/CVE-2023-32681 https://access.redhat.com/security/cve/CVE-2023-34969 https://access.redhat.com/security/cve/CVE-2023-35941 https://access.redhat.com/security/cve/CVE-2023-35944 https://access.redhat.com/security/cve/CVE-2023-35945 https://access.redhat.com/security/updates/classification/#important

Package List


Severity
Advisory ID: RHSA-2023:5175-01
Product: Red Hat OpenShift Service Mesh
Advisory URL: https://access.redhat.com/errata/RHSA-2023:5175
Issued Date: : 2023-09-14
CVE Names: CVE-2016-3709 CVE-2020-24736 CVE-2023-1667 CVE-2023-2283 CVE-2023-2602 CVE-2023-2603 CVE-2023-3899 CVE-2023-26604 CVE-2023-27536 CVE-2023-28321 CVE-2023-28484 CVE-2023-29469 CVE-2023-32681 CVE-2023-34969 CVE-2023-35941 CVE-2023-35944 CVE-2023-35945

Topic

Red Hat OpenShift Service Mesh 2.2.10Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.


Topic


 

Relevant Releases Architectures


Bugs Fixed

2217977 - CVE-2023-35941 envoy: OAuth2 credentials exploit with permanent validity

2217983 - CVE-2023-35945 envoy: HTTP/2 memory leak in nghttp2 codec

2217985 - CVE-2023-35944 envoy: Incorrect handling of HTTP requests and responses with mixed case schemes

5. JIRA issues fixed (https://issues.redhat.com/):

OSSM-4799 - Kiali base-image update for OSSM 2.2.10


Related News

19.Laptop Bed Esm H320
2 - 3 min read
The release of Google Chrome 124 addresses four vulnerabilities, including a critical security flaw that can enable attackers to execute arbitrary
23.Tablet Connections Esm H320
2 - 3 min read
The release of Ubuntu 24.04 LTS , also known as Noble Numbat, brings various security enhancements and exciting new features . These improvements
4.Lock AbstractDigital Esm H320
2 - 3 min read
Tails 6.2 is a new Linux distribution release that expands its multilingual support and improves security features. The distribution is a
19.Laptop Bed Esm H320
2 - 3 min read
AlmaLinux 9.4 beta has been released and provides compelling reasons to consider it for desktop usage. While AlmaLinux is primarily known as a
32.Lock Code Circular Esm H320
2 - 3 min read
Linux admins and security practitioners face significant challenges in keeping their Linux systems secure amidst the constant threat of kernel bugs.
1.Penguin Landscape Esm H320
2 - 3 min read
A significant security threat, known as the Spectre v2 exploit, has been observed targeting Linux systems running on modern Intel processors. Let's
10.FingerPrint Locks Esm H320
2 - 3 min read
The recent release of I2P 2.5.0 , an anonymous P2P network that protects against online censorship, surveillance, and monitoring, has brought a slew
24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved