Headline
RHSA-2022:5003: Red Hat Security Advisory: Red Hat OpenShift Service Mesh 2.0.10 security update
An update is now available for Red Hat OpenShift Service Mesh 2.0.10. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2022-29224: envoy: Segfault in GrpcHealthCheckerImpl
- CVE-2022-29225: envoy: Decompressors can be zip bombed
Issued: 2022-06-13
Updated: 2022-06-13
RHSA-2022:5003 - Security Advisory
Synopsis
Important: Red Hat OpenShift Service Mesh 2.0.10 security update
Type/Severity
Security Advisory: Important
Topic
An update is now available for Red Hat OpenShift Service Mesh 2.0.10.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Red Hat OpenShift Service Mesh is Red Hat’s distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation.
This advisory covers the RPM packages for the release.
Security Fix(es):
- envoy: Decompressors can be zip bombed (CVE-2022-29225)
- envoy: Segfault in GrpcHealthCheckerImpl (CVE-2022-29224)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Affected Products
- Red Hat OpenShift Service Mesh 2.0 for RHEL 8 x86_64
- Red Hat OpenShift Service Mesh for Power 2.0 for RHEL 8 ppc64le
- Red Hat OpenShift Service Mesh for IBM Z 2.0 for RHEL 8 s390x
Fixes
- BZ - 2088737 - CVE-2022-29225 envoy: Decompressors can be zip bombed
- BZ - 2088738 - CVE-2022-29224 envoy: Segfault in GrpcHealthCheckerImpl
- OSSM-1613 - RPM Release for Maistra 2.0.10
Red Hat OpenShift Service Mesh 2.0 for RHEL 8
SRPM
servicemesh-2.0.10-1.el8.src.rpm
servicemesh-cni-2.0.10-1.el8.src.rpm
servicemesh-operator-2.0.10-1.el8.src.rpm
servicemesh-prometheus-2.14.0-17.el8.1.src.rpm
servicemesh-proxy-2.0.10-1.el8.src.rpm
x86_64
servicemesh-2.0.10-1.el8.x86_64.rpm
servicemesh-cni-2.0.10-1.el8.x86_64.rpm
servicemesh-istioctl-2.0.10-1.el8.x86_64.rpm
servicemesh-mixc-2.0.10-1.el8.x86_64.rpm
servicemesh-mixs-2.0.10-1.el8.x86_64.rpm
servicemesh-operator-2.0.10-1.el8.x86_64.rpm
servicemesh-pilot-agent-2.0.10-1.el8.x86_64.rpm
servicemesh-pilot-discovery-2.0.10-1.el8.x86_64.rpm
servicemesh-prometheus-2.14.0-17.el8.1.x86_64.rpm
servicemesh-proxy-2.0.10-1.el8.x86_64.rpm
Red Hat OpenShift Service Mesh for Power 2.0 for RHEL 8
SRPM: same source packages as above
ppc64le
servicemesh-2.0.10-1.el8.ppc64le.rpm
servicemesh-cni-2.0.10-1.el8.ppc64le.rpm
servicemesh-istioctl-2.0.10-1.el8.ppc64le.rpm
servicemesh-mixc-2.0.10-1.el8.ppc64le.rpm
servicemesh-mixs-2.0.10-1.el8.ppc64le.rpm
servicemesh-operator-2.0.10-1.el8.ppc64le.rpm
servicemesh-pilot-agent-2.0.10-1.el8.ppc64le.rpm
servicemesh-pilot-discovery-2.0.10-1.el8.ppc64le.rpm
servicemesh-prometheus-2.14.0-17.el8.1.ppc64le.rpm
servicemesh-proxy-2.0.10-1.el8.ppc64le.rpm
Red Hat OpenShift Service Mesh for IBM Z 2.0 for RHEL 8
SRPM: same source packages as above
s390x
servicemesh-2.0.10-1.el8.s390x.rpm
servicemesh-cni-2.0.10-1.el8.s390x.rpm
servicemesh-istioctl-2.0.10-1.el8.s390x.rpm
servicemesh-mixc-2.0.10-1.el8.s390x.rpm
servicemesh-mixs-2.0.10-1.el8.s390x.rpm
servicemesh-operator-2.0.10-1.el8.s390x.rpm
servicemesh-pilot-agent-2.0.10-1.el8.s390x.rpm
servicemesh-pilot-discovery-2.0.10-1.el8.s390x.rpm
servicemesh-prometheus-2.14.0-17.el8.1.s390x.rpm
servicemesh-proxy-2.0.10-1.el8.s390x.rpm
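To check whether a RHEL 8 host still carries servicemesh packages below the versions listed above, here is an added Python audit (not Red Hat's or Insights' tooling). The package names and fixed version/release strings come from this advisory; the `rpm -qa` sample lines are constructed, and the version comparison is a simplified rpmvercmp that ignores tilde/caret handling.

```python
import re

# Fixed NAME -> (VERSION, RELEASE) from RHSA-2022:5003.
FIXED = {
    "servicemesh": ("2.0.10", "1.el8"),
    "servicemesh-cni": ("2.0.10", "1.el8"),
    "servicemesh-istioctl": ("2.0.10", "1.el8"),
    "servicemesh-mixc": ("2.0.10", "1.el8"),
    "servicemesh-mixs": ("2.0.10", "1.el8"),
    "servicemesh-operator": ("2.0.10", "1.el8"),
    "servicemesh-pilot-agent": ("2.0.10", "1.el8"),
    "servicemesh-pilot-discovery": ("2.0.10", "1.el8"),
    "servicemesh-prometheus": ("2.14.0", "17.el8.1"),
    "servicemesh-proxy": ("2.0.10", "1.el8"),
}


def rpmvercmp(a, b):
    """Simplified rpmvercmp (assumption: no '~' or '^' segments).
    Split into numeric/alpha segments; numbers compare numerically, letters
    lexically, a number beats a letter run, and the longer string wins a tie."""
    sa = re.findall(r"\d+|[A-Za-z]+", a)
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif xd != yd:
            return 1 if xd else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def is_fixed(name, version, release):
    """True when the installed package is at or above the advisory's NVR."""
    fixed_ver, fixed_rel = FIXED[name]
    c = rpmvercmp(version, fixed_ver)
    return c > 0 or (c == 0 and rpmvercmp(release, fixed_rel) >= 0)


def audit(rpm_lines):
    """Take lines shaped like the output of
    rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE}\\n' 'servicemesh*'
    and return the names of packages still below the fixed version."""
    return [n for n, v, r in (ln.split() for ln in rpm_lines)
            if n in FIXED and not is_fixed(n, v, r)]


SAMPLE_RPM_QA = [  # constructed sample, not real host output
    "servicemesh-proxy 2.0.9 1.el8",
    "servicemesh-prometheus 2.14.0 17.el8",
    "servicemesh-operator 2.0.10 1.el8",
]
```

Run `audit(SAMPLE_RPM_QA)` to get the packages that still need this update; on a real host feed it the actual `rpm -qa` output instead.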
The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.
Related news
gRPC contains a vulnerability that allows hpack table accounting errors, which could lead to unwanted disconnects between clients and servers in exceptional cases. Three vectors were found that allow the following DoS attacks: - Unbounded memory buffering in the HPACK parser - Unbounded CPU consumption in the HPACK parser. The unbounded CPU consumption is down to a copy that occurred per-input-block in the parser, and because that could be unbounded due to the memory copy bug we end up with an O(n^2) parsing loop, with n selected by the client. The unbounded memory buffering bugs: - The header size limit check was behind the string reading code, so we needed to first buffer up to a 4 gigabyte string before rejecting it as longer than 8 or 16kb. - HPACK varints have an encoding quirk whereby an infinite number of 0's can be added at the start of an integer. gRPC's hpack parser needed to read all of them before concluding a parse. - gRPC's metadata overflow check was performed per frame, so ...
A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory failures. A specially crafted message with multiple key-value per elements creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for protobuf-python. Versions for 3.16 and 3.17 are no longer updated.
Red Hat Security Advisory 2022-5004-01 - Red Hat OpenShift Service Mesh is a Red Hat distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation. This advisory covers the RPM packages for the release. Issues addressed include a bypass vulnerability.
Red Hat Security Advisory 2022-5003-01 - Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation. This advisory covers the RPM packages for the release.
Red Hat Security Advisory 2022-5006-01 - Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation. This advisory covers the RPM packages for the release. Issues addressed include a traversal vulnerability.
The DoS vulnerability allows an attacker to create a Brotli "zip bomb," resulting in acute performance issues on Envoy proxy servers.
Red Hat OpenShift Service Mesh 2.1.3. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1650: eventsource: Exposure of Sensitive Information * CVE-2022-23806: golang: crypto/elliptic IsOnCurve returns true for invalid field elements * CVE-2022-24675: golang: encoding/pem: fix stack overflow in Decode * CVE-2022-24785: Moment.js: Path traversal in moment.locale * CVE-2022-28327: golang: crypto/elliptic: panic caused by oversized scalar
Red Hat OpenShift Service Mesh 2.1.3 has been released. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-23772: golang: math/big: uncontrolled memory consumption due to an unhandled overflow via Rat.SetString * CVE-2022-23773: golang: cmd/go: misinterpretation of branch names can lead to incorrect access control * CVE-2022-23806: golang: crypto/elliptic IsOnCurve returns true for invalid field elements * CVE-2022-29224: envoy: Segfault in GrpcHealthCheckerImpl * CVE-2022...
Envoy is a cloud-native high-performance proxy. In versions prior to 1.22.1, decompressors accumulate decompressed data into an intermediate buffer before overwriting the body in decode/encodeBody. This may allow an attacker to zip bomb the decompressor by sending a small, highly compressed payload. Maliciously constructed zip files may exhaust system memory and cause a denial of service. Users are advised to upgrade. Users unable to upgrade may consider disabling decompression.
Envoy is a cloud-native high-performance proxy. Versions of envoy prior to 1.22.1 are subject to a segmentation fault in the GrpcHealthCheckerImpl. Envoy can perform various types of upstream health checking. One of them uses gRPC. Envoy also has a feature which can "hold" (prevent removal) upstream hosts obtained via service discovery until configured active health checking fails. If an attacker controls an upstream host and also controls service discovery of that host (via DNS, the EDS API, etc.), an attacker can crash Envoy by forcing removal of the host from service discovery, and then failing the gRPC health check request. This will crash Envoy via a null pointer dereference. Users are advised to upgrade to resolve this vulnerability. Users unable to upgrade may disable gRPC health checking and/or replace it with a different health checking type as a mitigation.