exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Red Hat Security Advisory 2023-0542-01

Red Hat Security Advisory 2023-0542-01
Posted Jan 31, 2023
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2023-0542-01 - Red Hat OpenShift Service Mesh is the Red Hat distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation. This advisory covers container images for the release. Issues addressed include denial of service and spoofing vulnerabilities.

tags | advisory, denial of service, spoof, vulnerability
systems | linux, redhat
advisories | CVE-2016-3709, CVE-2021-23648, CVE-2021-4238, CVE-2021-46848, CVE-2022-1304, CVE-2022-1705, CVE-2022-1962, CVE-2022-21673, CVE-2022-21698, CVE-2022-21702, CVE-2022-21703, CVE-2022-21713, CVE-2022-22624, CVE-2022-22628
SHA-256 | d0ec81ac694e922500234d90eb37e90222ddaf5b72118f0b1c21008e8f27c7e2

Red Hat Security Advisory 2023-0542-01

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
Red Hat Security Advisory

Synopsis: Important: Red Hat OpenShift Service Mesh 2.3.1 Containers security update
Advisory ID: RHSA-2023:0542-01
Product: RHOSSM
Advisory URL: https://access.redhat.com/errata/RHSA-2023:0542
Issue date: 2023-01-30
CVE Names: CVE-2016-3709 CVE-2021-4238 CVE-2021-23648
CVE-2021-46848 CVE-2022-1304 CVE-2022-1705
CVE-2022-1962 CVE-2022-2879 CVE-2022-2880
CVE-2022-3515 CVE-2022-3962 CVE-2022-21673
CVE-2022-21698 CVE-2022-21702 CVE-2022-21703
CVE-2022-21713 CVE-2022-22624 CVE-2022-22628
CVE-2022-22629 CVE-2022-22662 CVE-2022-26700
CVE-2022-26709 CVE-2022-26710 CVE-2022-26716
CVE-2022-26717 CVE-2022-26719 CVE-2022-27664
CVE-2022-28131 CVE-2022-30293 CVE-2022-30630
CVE-2022-30631 CVE-2022-30632 CVE-2022-30633
CVE-2022-30635 CVE-2022-32148 CVE-2022-32189
CVE-2022-35737 CVE-2022-37434 CVE-2022-39278
CVE-2022-41715 CVE-2022-42010 CVE-2022-42011
CVE-2022-42012 CVE-2022-42898 CVE-2022-43680
=====================================================================

1. Summary:

Red Hat OpenShift Service Mesh 2.3.1 Containers

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Service Mesh is the Red Hat distribution of the Istio
service mesh project, tailored for installation into an on-premise
OpenShift Container Platform installation.

This advisory covers container images for the release.

Security Fix(es):

* goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as
random as they should be (CVE-2021-4238)
* golang: archive/tar: unbounded memory consumption when reading headers
(CVE-2022-2879)
* golang: net/http/httputil: ReverseProxy should not forward unparseable
query parameters (CVE-2022-2880)
* golang: net/http: handle server errors after sending GOAWAY
(CVE-2022-27664)
* Istio: Denial of service attack via a specially crafted message
(CVE-2022-39278)
* golang: regexp/syntax: limit memory used by parsing regexps
(CVE-2022-41715)
* kiali: error message spoofing in kiali UI (CVE-2022-3962)
* golang: math/big: decoding big.Float and big.Rat types can panic if the
encoded message is too short, potentially allowing a denial of service
(CVE-2022-32189)

For more details about security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, see the CVE page(s)
listed in the Container CVEs section.

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2113814 - CVE-2022-32189 golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service
2124669 - CVE-2022-27664 golang: net/http: handle server errors after sending GOAWAY
2132867 - CVE-2022-2879 golang: archive/tar: unbounded memory consumption when reading headers
2132868 - CVE-2022-2880 golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters
2132872 - CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps
2148199 - CVE-2022-39278 Istio: Denial of service attack via a specially crafted message
2148661 - CVE-2022-3962 kiali: error message spoofing in kiali UI
2156729 - CVE-2021-4238 goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be

5. JIRA issues fixed (https://issues.jboss.org/):

OSSM-1977 - Support for Istio Gateway API in Kiali
OSSM-2083 - Update maistra/istio 2.3 to Istio 1.14.5
OSSM-2147 - Unexpected validation message on Gateway object
OSSM-2169 - Member controller doesn't retry on conflict
OSSM-2170 - Member namespaces aren't cleaned up when a cluster-scoped SMMR is deleted
OSSM-2179 - Wasm plugins only support OCI images with 1 layer
OSSM-2184 - Istiod isn't allowed to delete analysis distribution report configmap
OSSM-2188 - Member namespaces not cleaned up when SMCP is deleted
OSSM-2189 - If multiple SMCPs exist in a namespace, the controller reconciles them all
OSSM-2190 - The memberroll controller reconciles SMMRs with invalid name
OSSM-2232 - The member controller reconciles ServiceMeshMember with invalid name
OSSM-2241 - Remove v2.0 from Create ServiceMeshControlPlane Form
OSSM-2251 - CVE-2022-3962 openshift-istio-kiali-container: kiali: content spoofing [ossm-2.3]
OSSM-2308 - add root CA certificates to kiali container
OSSM-2315 - be able to customize openshift auth timeouts
OSSM-2324 - Gateway injection does not work when pods are created by cluster admins
OSSM-2335 - Potential hang using Traces scatterplot chart
OSSM-2338 - Federation deployment does not need router mode sni-dnat
OSSM-2344 - Restarting istiod causes Kiali to flood CRI-O with port-forward requests
OSSM-2375 - Istiod should log member namespaces on every update
OSSM-2376 - ServiceMesh federation stops working after the restart of istiod pod
OSSM-535 - Support validationMessages in SMCP
OSSM-827 - ServiceMeshMembers point to wrong SMCP name

6. References:

https://access.redhat.com/security/cve/CVE-2016-3709
https://access.redhat.com/security/cve/CVE-2021-4238
https://access.redhat.com/security/cve/CVE-2021-23648
https://access.redhat.com/security/cve/CVE-2021-46848
https://access.redhat.com/security/cve/CVE-2022-1304
https://access.redhat.com/security/cve/CVE-2022-1705
https://access.redhat.com/security/cve/CVE-2022-1962
https://access.redhat.com/security/cve/CVE-2022-2879
https://access.redhat.com/security/cve/CVE-2022-2880
https://access.redhat.com/security/cve/CVE-2022-3515
https://access.redhat.com/security/cve/CVE-2022-3962
https://access.redhat.com/security/cve/CVE-2022-21673
https://access.redhat.com/security/cve/CVE-2022-21698
https://access.redhat.com/security/cve/CVE-2022-21702
https://access.redhat.com/security/cve/CVE-2022-21703
https://access.redhat.com/security/cve/CVE-2022-21713
https://access.redhat.com/security/cve/CVE-2022-22624
https://access.redhat.com/security/cve/CVE-2022-22628
https://access.redhat.com/security/cve/CVE-2022-22629
https://access.redhat.com/security/cve/CVE-2022-22662
https://access.redhat.com/security/cve/CVE-2022-26700
https://access.redhat.com/security/cve/CVE-2022-26709
https://access.redhat.com/security/cve/CVE-2022-26710
https://access.redhat.com/security/cve/CVE-2022-26716
https://access.redhat.com/security/cve/CVE-2022-26717
https://access.redhat.com/security/cve/CVE-2022-26719
https://access.redhat.com/security/cve/CVE-2022-27664
https://access.redhat.com/security/cve/CVE-2022-28131
https://access.redhat.com/security/cve/CVE-2022-30293
https://access.redhat.com/security/cve/CVE-2022-30630
https://access.redhat.com/security/cve/CVE-2022-30631
https://access.redhat.com/security/cve/CVE-2022-30632
https://access.redhat.com/security/cve/CVE-2022-30633
https://access.redhat.com/security/cve/CVE-2022-30635
https://access.redhat.com/security/cve/CVE-2022-32148
https://access.redhat.com/security/cve/CVE-2022-32189
https://access.redhat.com/security/cve/CVE-2022-35737
https://access.redhat.com/security/cve/CVE-2022-37434
https://access.redhat.com/security/cve/CVE-2022-39278
https://access.redhat.com/security/cve/CVE-2022-41715
https://access.redhat.com/security/cve/CVE-2022-42010
https://access.redhat.com/security/cve/CVE-2022-42011
https://access.redhat.com/security/cve/CVE-2022-42012
https://access.redhat.com/security/cve/CVE-2022-42898
https://access.redhat.com/security/cve/CVE-2022-43680
https://access.redhat.com/security/updates/classification/#important

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBY9hF9dzjgjWX9erEAQgVqw//Stg1D6CmXORVB3KQRPVBqBAg2v2xsFJQ
gSdTiXyeXj0jkfR3BfNMmoSrtq+LdNKGdOQQoMc3Ax/0VX4zv31YBPT9y/ZvrqdU
+tOYlfFIkga6t6N6I07FrRsYl7Jhpg7necRKtyXgNSEfvcNjsQI/1JWbLyaXS9X6
CGVjHTPh02lGOmGhD6j4zg2nwgfmZBC57ttoJBDoWBbu/rSkj1y1tJxbX1A3cc8I
O+47o72xK9lOBXV4oaUkFcYEM4xsgaYaUs/i+W3YroO09uZTekhaQYGqdNl85Hr7
CIFYM9UVi+GPF1C/+nmk9WPgR+v+lxMF83aX2qKp51eb3InpgMx12NAbg5K7xY9f
qUTkOy4QIwfw6q4fIzvouJvv3Pc4wP9d/2DaZVCP8fWuxgeY5MBr7olI9HwvigOw
agZR1fxHac3ykLaxVLhMAS0kjnceyl0LCx8XhzDi/6oXp/jRVslu50wEiJY6W6Nt
Sn5okd1czmSX0TuMVymPz2fNeFuokQwm3hv3UbI3f8p5V0V6aym8uOAk1BDCD8Fa
Yob/i6+vjSt5WQ4VtsIikagyUp3zF0tY+Mm2aiSm53jO7N1hTWJTL7FwqbM9jZRG
imkQY29Hmq1x2QY7ugOncqO/A/mg+o+OyF8pCnbOhn/28lO59PHJSeUyKWhUmIVe
XTXcI0pFjvY=
=6NS9
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce
Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    30 Files
  • 16
    Apr 16th
    10 Files
  • 17
    Apr 17th
    22 Files
  • 18
    Apr 18th
    0 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close