RHSA-2022:1275: Red Hat Security Advisory: Red Hat OpenShift Service Mesh 2.1.2 security update
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Issued: 2022-04-07
Updated: 2022-04-07
RHSA-2022:1275 - Security Advisory
Synopsis
Important: Red Hat OpenShift Service Mesh 2.1.2 security update
Type/Severity
Security Advisory: Important
Topic
Red Hat OpenShift Service Mesh 2.1.2
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Red Hat OpenShift Service Mesh is Red Hat’s distribution of the Istio service mesh project, tailored for installation into an on-premises OpenShift Container Platform installation.
This advisory covers the RPM packages for the release.
Security Fix(es):
- envoy: Incorrect configuration handling allows mTLS session re-use without re-validation (CVE-2022-21654)
- envoy: Incorrect handling of internal redirects to routes with a direct response entry (CVE-2022-21655)
- istio: Unauthenticated control plane denial of service attack due to stack exhaustion (CVE-2022-24726)
- envoy: Null pointer dereference when using JWT filter safe_regex match (CVE-2021-43824)
- envoy: Use-after-free when response filters increase response data (CVE-2021-43825)
- envoy: Use-after-free when tunneling TCP over HTTP (CVE-2021-43826)
- envoy: Stack exhaustion when a cluster is deleted via Cluster Discovery Service (CVE-2022-23606)
- istio: unauthenticated control plane denial of service attack (CVE-2022-23635)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Affected Products
- Red Hat OpenShift Service Mesh 2.1 for RHEL 8 x86_64
- Red Hat OpenShift Service Mesh for Power 2.1 for RHEL 8 ppc64le
- Red Hat OpenShift Service Mesh for IBM Z 2.1 for RHEL 8 s390x
Fixes
- BZ - 2050744 - CVE-2021-43824 envoy: Null pointer dereference when using JWT filter safe_regex match
- BZ - 2050746 - CVE-2021-43825 envoy: Use-after-free when response filters increase response data
- BZ - 2050748 - CVE-2021-43826 envoy: Use-after-free when tunneling TCP over HTTP
- BZ - 2050753 - CVE-2022-21654 envoy: Incorrect configuration handling allows mTLS session re-use without re-validation
- BZ - 2050757 - CVE-2022-21655 envoy: Incorrect handling of internal redirects to routes with a direct response entry
- BZ - 2050758 - CVE-2022-23606 envoy: Stack exhaustion when a cluster is deleted via Cluster Discovery Service
- BZ - 2057277 - CVE-2022-23635 istio: unauthenticated control plane denial of service attack
- BZ - 2061638 - CVE-2022-24726 istio: Unauthenticated control plane denial of service attack due to stack exhaustion
- OSSM-1074 - Pod annotations defined in SMCP are not injected in the pods
- OSSM-1234 - RPM Release for Maistra 2.1.2
- OSSM-303 - Control Openshift Route Creation for ingress Gateways
CVEs
- CVE-2021-43824
- CVE-2021-43825
- CVE-2021-43826
- CVE-2022-21654
- CVE-2022-21655
- CVE-2022-23606
- CVE-2022-23635
- CVE-2022-24726
Red Hat OpenShift Service Mesh 2.1 for RHEL 8
SRPM
servicemesh-2.1.2-4.el8.src.rpm
SHA-256: 13d14eae923c00daf319b1fe8fa728ebff239bd330fc9dc0c462bd69adacc8fe
servicemesh-operator-2.1.2-4.el8.src.rpm
SHA-256: d32c7b24f2dc571981e12036162f06f43970bbbd4c84bd256daf3f00316d37df
servicemesh-prometheus-2.23.0-5.el8.src.rpm
SHA-256: abbe43a646ad35189c37ab4ebf5922ba20ca0bec9aa657d30d31b04a5a83aea8
servicemesh-proxy-2.1.2-4.el8.src.rpm
SHA-256: 9ea989f79293b8eb60ca4084cafe63128f6a8e93eb21806aaa069158813768ed
servicemesh-ratelimit-2.1.2-4.el8.src.rpm
SHA-256: dac895e8e5ed443222fe170b3ca6c9932c43c978a40341b0c7f5e7e7712fc88d
x86_64
servicemesh-2.1.2-4.el8.x86_64.rpm
SHA-256: 95e91ec577eebd2137dbc5967fda2fbc758ed08ec89b0dec9cd51c955a6bb991
servicemesh-cni-2.1.2-4.el8.x86_64.rpm
SHA-256: 77fb2bd8bbd4bdfecf0b5d37c457718a59509407ffdd38359d7c14b434048a41
servicemesh-operator-2.1.2-4.el8.x86_64.rpm
SHA-256: f7dedee97f7748f2a820dc7cf8234c7090d9a461183e91fa6b4919ad09e79e2d
servicemesh-pilot-agent-2.1.2-4.el8.x86_64.rpm
SHA-256: a6e38aa1e7bbf2b8e8dedf627ec184976ea2372a9b4b1a70139099897284a0cd
servicemesh-pilot-discovery-2.1.2-4.el8.x86_64.rpm
SHA-256: 9177029813be1473eef2dbf76660fe4b086963fe6e2a22f848a683c89553a6d8
servicemesh-prometheus-2.23.0-5.el8.x86_64.rpm
SHA-256: 344c695e513ecf57a247bd593c64aed328e07bbb383b8ecf1e6f1da9b970becc
servicemesh-proxy-2.1.2-4.el8.x86_64.rpm
SHA-256: 4b07f0477e3bf25d419b015735ad1cfa1bfb60cf5f93bee857700782211a64bc
servicemesh-proxy-debuginfo-2.1.2-4.el8.x86_64.rpm
SHA-256: b6993b41206706aef7de843123f452875cfc82be3f56a2f873379667910056dc
servicemesh-proxy-debugsource-2.1.2-4.el8.x86_64.rpm
SHA-256: cbfd0bba76e55a80a539f09697083db2655021b30d130566f4271cd132a91a82
servicemesh-proxy-wasm-2.1.2-4.el8.noarch.rpm
SHA-256: 8cc9329d7fc0fd108a5a7408214d3b4840491d79fc6143c12eccfaa0f6f8d86c
servicemesh-ratelimit-2.1.2-4.el8.x86_64.rpm
SHA-256: 5c954f0bc4906ca4815a85f8e58fff5c8432fdcdfcb679b6902add788b459470
Red Hat OpenShift Service Mesh for Power 2.1 for RHEL 8
SRPM
servicemesh-2.1.2-4.el8.src.rpm
SHA-256: 13d14eae923c00daf319b1fe8fa728ebff239bd330fc9dc0c462bd69adacc8fe
servicemesh-operator-2.1.2-4.el8.src.rpm
SHA-256: d32c7b24f2dc571981e12036162f06f43970bbbd4c84bd256daf3f00316d37df
servicemesh-prometheus-2.23.0-5.el8.src.rpm
SHA-256: abbe43a646ad35189c37ab4ebf5922ba20ca0bec9aa657d30d31b04a5a83aea8
servicemesh-proxy-2.1.2-4.el8.src.rpm
SHA-256: 9ea989f79293b8eb60ca4084cafe63128f6a8e93eb21806aaa069158813768ed
servicemesh-ratelimit-2.1.2-4.el8.src.rpm
SHA-256: dac895e8e5ed443222fe170b3ca6c9932c43c978a40341b0c7f5e7e7712fc88d
ppc64le
servicemesh-2.1.2-4.el8.ppc64le.rpm
SHA-256: 044a9e6e2784506976e94d3129c6bbb32f7ef212f1e924ade35e11fbbbbebdd2
servicemesh-cni-2.1.2-4.el8.ppc64le.rpm
SHA-256: 78c93adfc55fd5fb2ba378686410103dec969965ad767bc590840912bcda0ba8
servicemesh-operator-2.1.2-4.el8.ppc64le.rpm
SHA-256: 8701569b4c01b270f9ca047e4998f474a30e0ebb4242228ae881fa94d672bd00
servicemesh-pilot-agent-2.1.2-4.el8.ppc64le.rpm
SHA-256: f435991a4fba08c816b17d30cd3ee7f770279151a0d86243accf5942c080cb60
servicemesh-pilot-discovery-2.1.2-4.el8.ppc64le.rpm
SHA-256: 70a458441ce2aa1c5d7f0ed008999a239f4d4f382640f7ee3210902eb9b777d8
servicemesh-prometheus-2.23.0-5.el8.ppc64le.rpm
SHA-256: a92a521e94f8cec0eaaaff5830b5294f03c5738478366d2b3305b92f41957869
servicemesh-proxy-2.1.2-4.el8.ppc64le.rpm
SHA-256: 3bca07e3c01ae3cc04851bcb4ca338bf061f5b074bb56228d8a5c4e0c363a912
servicemesh-proxy-debuginfo-2.1.2-4.el8.ppc64le.rpm
SHA-256: d4b105dc4e1dfba0d112d6f54caa78be88c26e3ab3edbd856c9c7f2d7f912acd
servicemesh-proxy-debugsource-2.1.2-4.el8.ppc64le.rpm
SHA-256: 6e84cf5dae701b96e13e1df1d3a539d68d2f7a7020c3cd93f69350fe1f418546
servicemesh-proxy-wasm-2.1.2-4.el8.noarch.rpm
SHA-256: 8cc9329d7fc0fd108a5a7408214d3b4840491d79fc6143c12eccfaa0f6f8d86c
servicemesh-ratelimit-2.1.2-4.el8.ppc64le.rpm
SHA-256: 81646c8a39316f208accce4a7c2e0081a91c4b960ff3d4283620995f58da22c2
Red Hat OpenShift Service Mesh for IBM Z 2.1 for RHEL 8
SRPM
servicemesh-2.1.2-4.el8.src.rpm
SHA-256: 13d14eae923c00daf319b1fe8fa728ebff239bd330fc9dc0c462bd69adacc8fe
servicemesh-operator-2.1.2-4.el8.src.rpm
SHA-256: d32c7b24f2dc571981e12036162f06f43970bbbd4c84bd256daf3f00316d37df
servicemesh-prometheus-2.23.0-5.el8.src.rpm
SHA-256: abbe43a646ad35189c37ab4ebf5922ba20ca0bec9aa657d30d31b04a5a83aea8
servicemesh-proxy-2.1.2-4.el8.src.rpm
SHA-256: 9ea989f79293b8eb60ca4084cafe63128f6a8e93eb21806aaa069158813768ed
servicemesh-ratelimit-2.1.2-4.el8.src.rpm
SHA-256: dac895e8e5ed443222fe170b3ca6c9932c43c978a40341b0c7f5e7e7712fc88d
s390x
servicemesh-2.1.2-4.el8.s390x.rpm
SHA-256: 673ef08d0dbe425b8335a59c7c8969e1a57109614f62b580a85fadc9a602ed91
servicemesh-cni-2.1.2-4.el8.s390x.rpm
SHA-256: 0fa5448afc2b4145066d93536ddccd2a0cb322674ec4c4f7aa6606cb0d5bcbe8
servicemesh-operator-2.1.2-4.el8.s390x.rpm
SHA-256: f4c603162983ca51e9a6f53872430db59c57042b2272e3896415b300772f9d5e
servicemesh-pilot-agent-2.1.2-4.el8.s390x.rpm
SHA-256: 31046a2f63c15861b235c14b136836170ebc18bdd019deb1e3a7013effa95607
servicemesh-pilot-discovery-2.1.2-4.el8.s390x.rpm
SHA-256: ab4c0a5be2275f922a2824775b8a6231539a97812e52bcab8724291241264231
servicemesh-prometheus-2.23.0-5.el8.s390x.rpm
SHA-256: 4c76625412dea020d9ab0cf0c8a9adf37af9c6ee109f4aed82b4ec2df1c355d4
servicemesh-proxy-2.1.2-4.el8.s390x.rpm
SHA-256: 979bc43b6205c30a9ab8e96d37376a1b5e5e290d50650e1fc62e7bae5f91e867
servicemesh-proxy-debuginfo-2.1.2-4.el8.s390x.rpm
SHA-256: be5310229702fb6d0db3e3f18a0d3d70254ab1f926d7eceadd90685f7f950b17
servicemesh-proxy-debugsource-2.1.2-4.el8.s390x.rpm
SHA-256: 96f0faacd5788ff04f5970ad0acfa1908cf55d12baad10fb2bf40afd3439b837
servicemesh-proxy-wasm-2.1.2-4.el8.noarch.rpm
SHA-256: 8cc9329d7fc0fd108a5a7408214d3b4840491d79fc6143c12eccfaa0f6f8d86c
servicemesh-ratelimit-2.1.2-4.el8.s390x.rpm
SHA-256: 4991d721a11a42c22528e25ae885caf127ef87ad1d788db9f14ec0f3dd0122b6
The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.