====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat OpenShift Service Mesh security update
Advisory ID:       RHSA-2020:2362-01
Product:           Red Hat OpenShift Service Mesh
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:2362
Issue date:        2020-06-02
CVE Names:         CVE-2019-10744 CVE-2020-7598 CVE-2020-11022
                   CVE-2020-12459
====================================================================

1. Summary:

An update for jaeger, kiali, and servicemesh-grafana is now available for
OpenShift Service Mesh 1.0.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

OpenShift Service Mesh 1.0 - x86_64
Red Hat OpenShift Service Mesh 1.0 - x86_64

3. Description:

Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio
service mesh project, tailored for installation into an on-premise
OpenShift Container Platform installation.

Security Fix(es):

* nodejs-lodash: prototype pollution in defaultsDeep function leading to
modifying properties (CVE-2019-10744)

* nodejs-minimist: prototype pollution allows adding or modifying properties
of Object.prototype using a constructor or __proto__ payload (CVE-2020-7598)

* jquery: Cross-site scripting due to improper input handling in the
jQuery.htmlPrefilter method (CVE-2020-11022)

* grafana: information disclosure through world-readable grafana
configuration files (CVE-2020-12459)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1739497 - CVE-2019-10744 nodejs-lodash: prototype pollution in defaultsDeep function leading to modifying properties
1813344 - CVE-2020-7598 nodejs-minimist: prototype pollution allows adding or modifying properties of Object.prototype using a constructor or __proto__ payload
1828406 - CVE-2020-11022 jquery: Cross-site scripting due to improper input handling in the jQuery.htmlPrefilter method
1829724 - CVE-2020-12459 grafana: information disclosure through world-readable grafana configuration files

6. Package List:

Red Hat OpenShift Service Mesh 1.0:

Source:
jaeger-v1.13.1.redhat7-1.el7.src.rpm
kiali-v1.0.11.redhat1-1.el7.src.rpm

x86_64:
jaeger-v1.13.1.redhat7-1.el7.x86_64.rpm
kiali-v1.0.11.redhat1-1.el7.x86_64.rpm

OpenShift Service Mesh 1.0:

Source:
servicemesh-grafana-6.2.2-36.el8.src.rpm

x86_64:
servicemesh-grafana-6.2.2-36.el8.x86_64.rpm
servicemesh-grafana-prometheus-6.2.2-36.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2019-10744
https://access.redhat.com/security/cve/CVE-2020-7598
https://access.redhat.com/security/cve/CVE-2020-11022
https://access.redhat.com/security/cve/CVE-2020-12459
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
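The two prototype-pollution fixes listed in the Security Fix(es) above (lodash defaultsDeep, CVE-2019-10744, and minimist, CVE-2020-7598) share one root cause: a merge or parser that copies keys such as __proto__ and constructor from untrusted input into an object it walks. As an added example, not code from the advisory or from the patched packages, here is a defaults-style deep merge that refuses those keys, alongside a scanner that flags them in untrusted JSON; the function names and the sample input are this example's own assumptions.

```javascript
// Added example (not from the advisory or the patched packages): a defaults
// deep merge that skips prototype-related keys, plus a scanner for untrusted
// JSON. Names and sample input are constructed for this illustration.

const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Report the dotted path of every unsafe key in parsed input. JSON.parse
// stores "__proto__" as an own property, so Object.keys sees it (an object
// literal with __proto__ would set the prototype instead).
function findUnsafeKeys(value, path = '', out = []) {
  if (!isPlainObject(value) && !Array.isArray(value)) return out;
  for (const key of Object.keys(value)) {
    const here = path ? `${path}.${key}` : key;
    if (UNSAFE_KEYS.has(key)) out.push(here);
    findUnsafeKeys(value[key], here, out);
  }
  return out;
}

// Fill properties missing from `target` with values from `source`, recursing
// into plain objects only. Unsafe keys are dropped rather than merged, and
// only own properties are read or written, so Object.prototype is never
// reached through the merge.
function safeDefaultsDeep(target, source) {
  const result = isPlainObject(target) ? target : {};
  const own = (obj, k) => Object.prototype.hasOwnProperty.call(obj, k);
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const srcVal = source[key];
    if (isPlainObject(srcVal)) {
      if (!own(result, key)) result[key] = {};
      if (isPlainObject(result[key])) safeDefaultsDeep(result[key], srcVal);
    } else if (!own(result, key)) {
      result[key] = srcVal;
    }
  }
  return result;
}

// Constructed sample: untrusted JSON carrying the two payload shapes the
// advisory names (a __proto__ key and a constructor.prototype key).
const SAMPLE_INPUT = '{"__proto__":{"polluted":"yes"},"constructor":{"prototype":{"x":1}},"a":{"b":2}}';
```

Running findUnsafeKeys over the parsed sample reports the three offending paths, and after safeDefaultsDeep a fresh `{}` still has no `polluted` or `x` property.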