-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: Red Hat OpenShift Service Mesh 1.0.3 RPMs security update
Advisory ID:       RHSA-2019:4222-01
Product:           Red Hat OpenShift Service Mesh
Advisory URL:      https://access.redhat.com/errata/RHSA-2019:4222
Issue date:        2019-12-11
CVE Names:         CVE-2019-18801 CVE-2019-18802 CVE-2019-18838
=====================================================================

1. Summary:

Red Hat OpenShift Service Mesh 1.0.3.

Red Hat Product Security has rated this update as having a security impact
of Critical. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

OpenShift Service Mesh 1.0 - x86_64
Red Hat OpenShift Service Mesh 1.0 - x86_64

3. Description:

Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio
service mesh project, tailored for installation into an on-premise
OpenShift Container Platform cluster.

This advisory covers the RPM packages for the OpenShift Service Mesh 1.0.3
release.

Security Fix(es):

* An untrusted remote client may send HTTP/2 requests that write to the
heap outside of the request buffers when the upstream is HTTP/1
(CVE-2019-18801)

* Malformed request header may cause bypass of route matchers resulting in
escalation of privileges or information disclosure (CVE-2019-18802)

* Malformed HTTP request without the Host header may cause abnormal
termination of the Envoy process (CVE-2019-18838)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

The OpenShift Service Mesh release notes provide information on the
features and known issues:

https://docs.openshift.com/container-platform/4.2/service_mesh/servicemesh-release-notes.html

5. Bugs fixed (https://bugzilla.redhat.com/):

1773444 - CVE-2019-18801 envoy: an untrusted remote client may send HTTP/2 requests that write to the heap outside of the request buffers when the upstream is HTTP/1
1773447 - CVE-2019-18802 envoy: malformed request header may cause bypass of route matchers resulting in escalation of privileges or information disclosure
1773449 - CVE-2019-18838 envoy: malformed HTTP request without the Host header may cause abnormal termination of the Envoy process

6. Package List:

Red Hat OpenShift Service Mesh 1.0:

Source:
kiali-v1.0.8.redhat1-1.el7.src.rpm

x86_64:
kiali-v1.0.8.redhat1-1.el7.x86_64.rpm

OpenShift Service Mesh 1.0:

Source:
servicemesh-1.0.3-1.el8.src.rpm
servicemesh-cni-1.0.3-1.el8.src.rpm
servicemesh-grafana-6.2.2-25.el8.src.rpm
servicemesh-operator-1.0.3-1.el8.src.rpm
servicemesh-prometheus-2.7.2-26.el8.src.rpm
servicemesh-proxy-1.0.3-1.el8.src.rpm

x86_64:
servicemesh-1.0.3-1.el8.x86_64.rpm
servicemesh-citadel-1.0.3-1.el8.x86_64.rpm
servicemesh-cni-1.0.3-1.el8.x86_64.rpm
servicemesh-galley-1.0.3-1.el8.x86_64.rpm
servicemesh-grafana-6.2.2-25.el8.x86_64.rpm
servicemesh-grafana-prometheus-6.2.2-25.el8.x86_64.rpm
servicemesh-istioctl-1.0.3-1.el8.x86_64.rpm
servicemesh-mixc-1.0.3-1.el8.x86_64.rpm
servicemesh-mixs-1.0.3-1.el8.x86_64.rpm
servicemesh-operator-1.0.3-1.el8.x86_64.rpm
servicemesh-pilot-agent-1.0.3-1.el8.x86_64.rpm
servicemesh-pilot-discovery-1.0.3-1.el8.x86_64.rpm
servicemesh-prometheus-2.7.2-26.el8.x86_64.rpm
servicemesh-proxy-1.0.3-1.el8.x86_64.rpm
servicemesh-sidecar-injector-1.0.3-1.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2019-18801
https://access.redhat.com/security/cve/CVE-2019-18802
https://access.redhat.com/security/cve/CVE-2019-18838
https://access.redhat.com/security/updates/classification/#critical

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXfFfotzjgjWX9erEAQivZA/+Jhhsr9G9X/W+5IXLe1iUzXvE61kJDYAg
XoruYZ3hIGVf3h5hRqHOSzmb5oaAGRwyyjvikbUPXP7FqbTKfLD3Ly7eZExhpT2X
GEMLVbeZKIppchI7rpKgswIcy9ukph5HBuxC2Z3TGMJm1wPKzUmhlDhvivlfNuy/
AnsxGrDLdRRwBtXsIsWhg1pcXqMJ/k/wpjwV2RRfm45cE9+ua1ZBLfT+DlUhXmVR
hsFJboy1Ltge8Ag4J+Sl/EhNSC+6IAF0djpXpPj3QZxg2CRg0sscci9MfqZMCBIF
b/bvRr6ZaIvrCvyr8dfyHAViv1kaz3y9Y7oyBeI33tXWHwMm18WN1fGSldMD6Gu6
vvD2YscwroqvhHjNYdsUEp3HGIAD0Gzo8S5MJS4gcLVpjl7wJ3V2jeH3sFgFmSez
DhRrc3/ytWtMHcVTR3PB4lHoeV9BYPxv68d57/Z74ihZanG/UAHclCYx1xHLNYQ7
O96yQz9sC/zCJnHiuP1SsOc0TUvDtAdNg7hAMS8iN8QOTfA925adyyV0aRMczIAD
zyTZXmBnbQ0zusrCcfUReGOzedmWM7VG2R24Wy3TSxXUJJZBRjC4mLaZtDIiRAYl
s8LOWEpJMFZaTzHQBYAYxxH7iaBQG3FDogC6f4GzM6VQE7xM7/Hw65TtpnL2rOUe
xmyOjC5UusE=
=fYm1
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
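The practical question an operator has after reading section 6 is whether every host in the mesh already carries at least the listed name-version-release. The script below is an added example, not Red Hat tooling and not part of the advisory: it copies the fixed x86_64 packages from section 6, ports rpm's version-comparison algorithm (rpmvercmp) so that release bumps and pre-release tildes compare the way `rpm` itself compares them, and audits a constructed, illustrative `rpm -qa` listing against them. The names `rpmvercmp`, `parse_nvra`, `audit` and both inline package lists are this example's own; it assumes no package carries an epoch (the advisory lists none) and does not model rpm's rare `^` separator.

```python
"""Audit installed RPMs against the fixed versions in RHSA-2019:4222.
Added example, not Red Hat tooling. FIXED_NVRAS is copied from section 6 of
the advisory; INSTALLED_SAMPLE is constructed so the script runs offline.
Assumes no package carries an epoch and ignores rpm's rare '^' separator."""
import re
from itertools import zip_longest

# Fixed x86_64 packages from section 6 of the advisory (name-version-release.arch).
FIXED_NVRAS = """
kiali-v1.0.8.redhat1-1.el7.x86_64
servicemesh-1.0.3-1.el8.x86_64
servicemesh-citadel-1.0.3-1.el8.x86_64
servicemesh-cni-1.0.3-1.el8.x86_64
servicemesh-galley-1.0.3-1.el8.x86_64
servicemesh-grafana-6.2.2-25.el8.x86_64
servicemesh-grafana-prometheus-6.2.2-25.el8.x86_64
servicemesh-istioctl-1.0.3-1.el8.x86_64
servicemesh-mixc-1.0.3-1.el8.x86_64
servicemesh-mixs-1.0.3-1.el8.x86_64
servicemesh-operator-1.0.3-1.el8.x86_64
servicemesh-pilot-agent-1.0.3-1.el8.x86_64
servicemesh-pilot-discovery-1.0.3-1.el8.x86_64
servicemesh-prometheus-2.7.2-26.el8.x86_64
servicemesh-proxy-1.0.3-1.el8.x86_64
servicemesh-sidecar-injector-1.0.3-1.el8.x86_64
"""

# Constructed sample of: rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n'
# (older version, older release, rebuilt newer release, exact match, unrelated).
INSTALLED_SAMPLE = """
servicemesh-proxy-1.0.2-1.el8.x86_64
servicemesh-operator-1.0.3-0.el8.x86_64
servicemesh-cni-1.0.3-2.el8.x86_64
servicemesh-pilot-discovery-1.0.3-1.el8.x86_64
kiali-v1.0.7.redhat1-1.el7.x86_64
bash-4.4.19-10.el8.x86_64
"""

# rpm walks a version as runs of digits, runs of letters and '~'; '.', '-', '_'
# and other characters are separators and carry no meaning of their own.
_TOKEN = re.compile(r"[0-9]+|[A-Za-z]+|~")


def rpmvercmp(a, b):
    """Port of rpm's rpmvercmp(): returns -1, 0 or 1 for a <, ==, > b."""
    for x, y in zip_longest(_TOKEN.findall(a), _TOKEN.findall(b)):
        if x == "~" or y == "~":                 # tilde (pre-release) sorts lowest
            if x != y:
                return 1 if y == "~" else -1
            continue
        if x is None or y is None:               # leftover segments win
            return -1 if x is None else 1
        if x.isdigit() != y.isdigit():           # a digit run beats a letter run
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = x.lstrip("0"), y.lstrip("0")  # numeric compare without int()
            if len(x) != len(y):
                return 1 if len(x) > len(y) else -1
        if x != y:                               # same length digits or letters
            return 1 if x > y else -1
    return 0


def parse_nvra(nvra):
    """Split name-version-release.arch; only the name may contain '-'."""
    nvr, arch = nvra.rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release, arch


def audit(installed_text, fixed_text=FIXED_NVRAS):
    """Map each installed NVRA to 'patched', 'VULNERABLE ...' or 'not covered'."""
    fixed = {}
    for nvra in fixed_text.split():
        name, ver, rel, arch = parse_nvra(nvra)
        fixed[(name, arch)] = (ver, rel)
    report = {}
    for nvra in installed_text.split():
        name, ver, rel, arch = parse_nvra(nvra)
        if (name, arch) not in fixed:
            report[nvra] = "not covered by advisory"
            continue
        fver, frel = fixed[(name, arch)]
        rc = rpmvercmp(ver, fver) or rpmvercmp(rel, frel)  # version, then release
        report[nvra] = "patched" if rc >= 0 else f"VULNERABLE (fixed in {fver}-{frel})"
    return report


if __name__ == "__main__":
    for nvra, status in sorted(audit(INSTALLED_SAMPLE).items()):
        print(f"{status:<36} {nvra}")
```

On a real host, replace the sample with the output of the `rpm -qa --qf` query shown in the comment. The comparison is intentionally not a string or float comparison: `1.0.3-0.el8` sorts below `1.0.3-1.el8` on the release field, while a rebuilt `1.0.3-2.el8` counts as patched. Version checking does not replace signature checking: import the key from the URL in section 6 with `rpm --import` and verify downloaded packages with `rpm -K` before installing them.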