Headline
RHSA-2022:1276: Red Hat Security Advisory: Red Hat OpenShift Service Mesh 2.0.9 security update
Red Hat OpenShift Service Mesh 2.0.9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2020-28851: golang.org/x/text: Panic in language.ParseAcceptLanguage while parsing -u- extension
- CVE-2020-28852: golang.org/x/text: Panic in language.ParseAcceptLanguage while processing bcp47 tag
- CVE-2021-3121: gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation
- CVE-2021-3749: nodejs-axios: Regular expression denial of service in trim function
- CVE-2021-29482: ulikunitz/xz: Infinite loop in readUvarint allows for denial of service
- CVE-2021-29923: golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet
- CVE-2021-36221: golang: net/http/httputil: panic due to racy read of persistConn after handler panic
- CVE-2021-43565: golang.org/x/crypto: empty plaintext packet causes panic
- CVE-2021-43824: envoy: Null pointer dereference when using JWT filter safe_regex match
- CVE-2021-43825: envoy: Use-after-free when response filters increase response data
- CVE-2021-43826: envoy: Use-after-free when tunneling TCP over HTTP
- CVE-2022-21654: envoy: Incorrect configuration handling allows mTLS session re-use without re-validation
- CVE-2022-21655: envoy: Incorrect handling of internal redirects to routes with a direct response entry
- CVE-2022-23606: envoy: Stack exhaustion when a cluster is deleted via Cluster Discovery Service
- CVE-2022-23635: istio: unauthenticated control plane denial of service attack
- CVE-2022-24726: istio: Unauthenticated control plane denial of service attack due to stack exhaustion
Skip to navigation Skip to main content
Utilities
- Subscriptions
- Downloads
- Containers
- Support Cases
Infrastructure and Management
- Red Hat Enterprise Linux
- Red Hat Virtualization
- Red Hat Identity Management
- Red Hat Directory Server
- Red Hat Certificate System
- Red Hat Satellite
- Red Hat Subscription Management
- Red Hat Update Infrastructure
- Red Hat Insights
- Red Hat Ansible Automation Platform
Cloud Computing
- Red Hat OpenShift
- Red Hat CloudForms
- Red Hat OpenStack Platform
- Red Hat OpenShift Container Platform
- Red Hat OpenShift Data Science
- Red Hat OpenShift Online
- Red Hat OpenShift Dedicated
- Red Hat Advanced Cluster Security for Kubernetes
- Red Hat Advanced Cluster Management for Kubernetes
- Red Hat Quay
- Red Hat CodeReady Workspaces
- Red Hat OpenShift Service on AWS
Storage
- Red Hat Gluster Storage
- Red Hat Hyperconverged Infrastructure
- Red Hat Ceph Storage
- Red Hat OpenShift Data Foundation
Runtimes
- Red Hat Runtimes
- Red Hat JBoss Enterprise Application Platform
- Red Hat Data Grid
- Red Hat JBoss Web Server
- Red Hat Single Sign On
- Red Hat support for Spring Boot
- Red Hat build of Node.js
- Red Hat build of Thorntail
- Red Hat build of Eclipse Vert.x
- Red Hat build of OpenJDK
- Red Hat build of Quarkus
- Red Hat CodeReady Studio
Integration and Automation
- Red Hat Process Automation
- Red Hat Process Automation Manager
- Red Hat Decision Manager
All Products
Issued:
2022-04-07
Updated:
2022-04-07
RHSA-2022:1276 - Security Advisory
- Overview
- Updated Packages
Synopsis
Important: Red Hat OpenShift Service Mesh 2.0.9 security update
Type/Severity
Security Advisory: Important
Red Hat Insights patch analysis
Identify and remediate systems affected by this advisory.
View affected systems
Topic
Red Hat OpenShift Service Mesh 2.0.9.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Red Hat OpenShift Service Mesh is Red Hat’s distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation.
This advisory covers the RPM packages for the release.
Security Fix(es):
- gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation (CVE-2021-3121)
- envoy: Incorrect configuration handling allows mTLS session re-use without re-validation (CVE-2022-21654)
- envoy: Incorrect handling of internal redirects to routes with a direct response entry (CVE-2022-21655)
- istio: Unauthenticated control plane denial of service attack due to stack exhaustion (CVE-2022-24726)
- golang.org/x/text: Panic in language.ParseAcceptLanguage while parsing -u- extension (CVE-2020-28851)
- golang.org/x/text: Panic in language.ParseAcceptLanguage while processing bcp47 tag (CVE-2020-28852)
- nodejs-axios: Regular expression denial of service in trim function (CVE-2021-3749)
- ulikunitz/xz: Infinite loop in readUvarint allows for denial of service (CVE-2021-29482)
- golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet (CVE-2021-29923)
- golang: net/http/httputil: panic due to racy read of persistConn after handler panic (CVE-2021-36221)
- golang.org/x/crypto: empty plaintext packet causes panic (CVE-2021-43565)
- envoy: Null pointer dereference when using JWT filter safe_regex match (CVE-2021-43824)
- envoy: Use-after-free when response filters increase response data (CVE-2021-43825)
- envoy: Use-after-free when tunneling TCP over HTTP (CVE-2021-43826)
- envoy: Stack exhaustion when a cluster is deleted via Cluster Discovery Service (CVE-2022-23606)
- istio: unauthenticated control plane denial of service attack (CVE-2022-23635)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Affected Products
- Red Hat OpenShift Service Mesh 2.0 for RHEL 8 x86_64
- Red Hat OpenShift Service Mesh for Power 2.0 for RHEL 8 ppc64le
- Red Hat OpenShift Service Mesh for IBM Z 2.0 for RHEL 8 s390x
Fixes
- BZ - 1913333 - CVE-2020-28851 golang.org/x/text: Panic in language.ParseAcceptLanguage while parsing -u- extension
- BZ - 1913338 - CVE-2020-28852 golang.org/x/text: Panic in language.ParseAcceptLanguage while processing bcp47 tag
- BZ - 1921650 - CVE-2021-3121 gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation
- BZ - 1954368 - CVE-2021-29482 ulikunitz/xz: Infinite loop in readUvarint allows for denial of service
- BZ - 1992006 - CVE-2021-29923 golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet
- BZ - 1995656 - CVE-2021-36221 golang: net/http/httputil: panic due to racy read of persistConn after handler panic
- BZ - 1999784 - CVE-2021-3749 nodejs-axios: Regular expression denial of service in trim function
- BZ - 2030787 - CVE-2021-43565 golang.org/x/crypto: empty plaintext packet causes panic
- BZ - 2050744 - CVE-2021-43824 envoy: Null pointer dereference when using JWT filter safe_regex match
- BZ - 2050746 - CVE-2021-43825 envoy: Use-after-free when response filters increase response data
- BZ - 2050748 - CVE-2021-43826 envoy: Use-after-free when tunneling TCP over HTTP
- BZ - 2050753 - CVE-2022-21654 envoy: Incorrect configuration handling allows mTLS session re-use without re-validation
- BZ - 2050757 - CVE-2022-21655 envoy: Incorrect handling of internal redirects to routes with a direct response entry
- BZ - 2050758 - CVE-2022-23606 envoy: Stack exhaustion when a cluster is deleted via Cluster Discovery Service
- BZ - 2057277 - CVE-2022-23635 istio: unauthenticated control plane denial of service attack
- BZ - 2061638 - CVE-2022-24726 istio: Unauthenticated control plane denial of service attack due to stack exhaustion
CVEs
- CVE-2020-28851
- CVE-2020-28852
- CVE-2021-3121
- CVE-2021-3749
- CVE-2021-29482
- CVE-2021-29923
- CVE-2021-36221
- CVE-2021-43565
- CVE-2021-43824
- CVE-2021-43825
- CVE-2021-43826
- CVE-2022-21654
- CVE-2022-21655
- CVE-2022-23606
- CVE-2022-23635
- CVE-2022-24726
Red Hat OpenShift Service Mesh 2.0 for RHEL 8
SRPM
kiali-v1.24.7.redhat1-1.el8.src.rpm
SHA-256: b8de5fe0784c8a5c633820613e91da245ea398804241792205860fc9a7a199fa
servicemesh-2.0.9-3.el8.src.rpm
SHA-256: 8d9fdaa4d4252d0421be5e799df3b35aa70a0f9898b766bb480d8e4bc8b84b0b
servicemesh-cni-2.0.9-3.el8.src.rpm
SHA-256: 1ec911eb96f0106bdba5c1bd169b97fbe3a02e09c04b6b99feffe7e6f5a6fa8f
servicemesh-operator-2.0.9-3.el8.src.rpm
SHA-256: 9e429ae7a4b644360e9521e6691720c3c7586ecc026574f7a26f18b495f93a92
servicemesh-prometheus-2.14.0-16.el8.1.src.rpm
SHA-256: e21cb65fee1e2cf8bd885118d4cded9d079202ce600bbf6b5ae2b61bb58adf23
servicemesh-proxy-2.0.9-3.el8.src.rpm
SHA-256: a56204e88bb0ea12a288801720f7b429e194f6785546dd9f0acab3bf782444bc
x86_64
kiali-v1.24.7.redhat1-1.el8.x86_64.rpm
SHA-256: 97cd5e4a8ce6fefa7ec9e98d58c53a38651fb6aa439a5740a6db91634eae576b
servicemesh-2.0.9-3.el8.x86_64.rpm
SHA-256: 3f2a2610dd01c9d4cbeac67f99a8099086e2e88bb4c6c3200b88b18332eaba65
servicemesh-cni-2.0.9-3.el8.x86_64.rpm
SHA-256: b3f2f48f645b5a2ab0bd2596b7b8954871b86b3095f1eda1710f4437557b598d
servicemesh-istioctl-2.0.9-3.el8.x86_64.rpm
SHA-256: 60d991a20640358c6321b780e96f9ebd21ff7c220d79be31577ef15336c5f478
servicemesh-mixc-2.0.9-3.el8.x86_64.rpm
SHA-256: 6a55793028ed1a1c8782102e4917ff5a53da7c432fc6ba51ee11db1be90fb6af
servicemesh-mixs-2.0.9-3.el8.x86_64.rpm
SHA-256: 1f06db88840d5e7a30ad7152aaf39d00809699086174d92cd3135c8531d3b8de
servicemesh-operator-2.0.9-3.el8.x86_64.rpm
SHA-256: c473a65e409887252a72e30d4b4c4c9578451e8fe65f48f2d01a3ae0375354b0
servicemesh-pilot-agent-2.0.9-3.el8.x86_64.rpm
SHA-256: cd2e48ba23b37442bb255edb7fd86f7a1b69c22448c441a8984592a7d915aad2
servicemesh-pilot-discovery-2.0.9-3.el8.x86_64.rpm
SHA-256: 2754b8d452ffedff8aec908994a3ae45559d50b68ab6327d68af76209f393fae
servicemesh-prometheus-2.14.0-16.el8.1.x86_64.rpm
SHA-256: 18192a78958c90423561aa222d930a68fd27eaea5fa68f6e06befd598a5f1fb8
servicemesh-proxy-2.0.9-3.el8.x86_64.rpm
SHA-256: 20a46fe7273aa5a9e79a8755c2c096030eb05299bf0a0583bbfb39de1744d8af
Red Hat OpenShift Service Mesh for Power 2.0 for RHEL 8
SRPM
kiali-v1.24.7.redhat1-1.el8.src.rpm
SHA-256: b8de5fe0784c8a5c633820613e91da245ea398804241792205860fc9a7a199fa
servicemesh-2.0.9-3.el8.src.rpm
SHA-256: 8d9fdaa4d4252d0421be5e799df3b35aa70a0f9898b766bb480d8e4bc8b84b0b
servicemesh-cni-2.0.9-3.el8.src.rpm
SHA-256: 1ec911eb96f0106bdba5c1bd169b97fbe3a02e09c04b6b99feffe7e6f5a6fa8f
servicemesh-operator-2.0.9-3.el8.src.rpm
SHA-256: 9e429ae7a4b644360e9521e6691720c3c7586ecc026574f7a26f18b495f93a92
servicemesh-prometheus-2.14.0-16.el8.1.src.rpm
SHA-256: e21cb65fee1e2cf8bd885118d4cded9d079202ce600bbf6b5ae2b61bb58adf23
servicemesh-proxy-2.0.9-3.el8.src.rpm
SHA-256: a56204e88bb0ea12a288801720f7b429e194f6785546dd9f0acab3bf782444bc
ppc64le
kiali-v1.24.7.redhat1-1.el8.ppc64le.rpm
SHA-256: dcc38525d8de83f12e78d5ef2f9836950838f983e92690038d2c19c780a6416b
servicemesh-2.0.9-3.el8.ppc64le.rpm
SHA-256: 0693a5cf72110503d546e10af6965a93f23099e691f2d381a7112dca7357d61b
servicemesh-cni-2.0.9-3.el8.ppc64le.rpm
SHA-256: 275a73d495e2c91edc0c515c09a781e8735317fd9ae735af7c1824df3e0f7f0e
servicemesh-istioctl-2.0.9-3.el8.ppc64le.rpm
SHA-256: 15d4bd467fe8854d329edf6558af4027055b7189e9bb70bd583de0f8a528a907
servicemesh-mixc-2.0.9-3.el8.ppc64le.rpm
SHA-256: 142be46c1a3d4fcb4c56f3dc075132d7282331560051bda43bac29e79dad0b65
servicemesh-mixs-2.0.9-3.el8.ppc64le.rpm
SHA-256: 4d46847db4b5cb4b0ca02faae4689f56e6936ae219a8eebb6b5ee108d552e05d
servicemesh-operator-2.0.9-3.el8.ppc64le.rpm
SHA-256: dc67de898e1e06181fe6b41d6d06a2f9d8a6d7974760f399255a021f18c099e6
servicemesh-pilot-agent-2.0.9-3.el8.ppc64le.rpm
SHA-256: ba11c32a339aea89c183e1c888592b5bfb69efcf5f54f8b6d491934e27838cc7
servicemesh-pilot-discovery-2.0.9-3.el8.ppc64le.rpm
SHA-256: ad34f62a60e40cb98f37b7d0f32d074a7be4380252ee69b6b6ea19007f256dae
servicemesh-prometheus-2.14.0-16.el8.1.ppc64le.rpm
SHA-256: 522fec39eeb089c328323ae96aec9c892e6673716994eac2d57a9d858d99955e
servicemesh-proxy-2.0.9-3.el8.ppc64le.rpm
SHA-256: 1579296694fcd6d3286cb021cbf99af39d036b69860df9795cbd19013fe58c7f
Red Hat OpenShift Service Mesh for IBM Z 2.0 for RHEL 8
SRPM
kiali-v1.24.7.redhat1-1.el8.src.rpm
SHA-256: b8de5fe0784c8a5c633820613e91da245ea398804241792205860fc9a7a199fa
servicemesh-2.0.9-3.el8.src.rpm
SHA-256: 8d9fdaa4d4252d0421be5e799df3b35aa70a0f9898b766bb480d8e4bc8b84b0b
servicemesh-cni-2.0.9-3.el8.src.rpm
SHA-256: 1ec911eb96f0106bdba5c1bd169b97fbe3a02e09c04b6b99feffe7e6f5a6fa8f
servicemesh-operator-2.0.9-3.el8.src.rpm
SHA-256: 9e429ae7a4b644360e9521e6691720c3c7586ecc026574f7a26f18b495f93a92
servicemesh-prometheus-2.14.0-16.el8.1.src.rpm
SHA-256: e21cb65fee1e2cf8bd885118d4cded9d079202ce600bbf6b5ae2b61bb58adf23
servicemesh-proxy-2.0.9-3.el8.src.rpm
SHA-256: a56204e88bb0ea12a288801720f7b429e194f6785546dd9f0acab3bf782444bc
s390x
kiali-v1.24.7.redhat1-1.el8.s390x.rpm
SHA-256: 22b9614655cce9561ea1599ffedcbbc27c9a8fed7121e0b38a4f73bc375923a6
servicemesh-2.0.9-3.el8.s390x.rpm
SHA-256: 8d635eb4134acf98e7def7dac2826838afa1e2dd2bdc37795f1d3a4983579389
servicemesh-cni-2.0.9-3.el8.s390x.rpm
SHA-256: 02a23b8da0d20a51afefebde60152901e1f8d3796cf36f2b8cb56cdffe84bcef
servicemesh-istioctl-2.0.9-3.el8.s390x.rpm
SHA-256: 0e71c545464a096b6f07ba9d6e99deae8e0c0338b4d9c301f5f39e20a4d60d3f
servicemesh-mixc-2.0.9-3.el8.s390x.rpm
SHA-256: d6ad07e23bf581e3410cb74cb3880dee174536aaafb590b294fab5af4ff18db2
servicemesh-mixs-2.0.9-3.el8.s390x.rpm
SHA-256: fe38f15c301faab2b7bd06f22d7bc0948011ca56443ddba85d5b6090444b235e
servicemesh-operator-2.0.9-3.el8.s390x.rpm
SHA-256: 157656e947504eb8fbb8b71409c8a94b07491b1a636b0649389fe2f53726ff09
servicemesh-pilot-agent-2.0.9-3.el8.s390x.rpm
SHA-256: a744a1a4edc8c59f4ee7efc6b42c3613c4191778a49f6e97c9867c5035be552b
servicemesh-pilot-discovery-2.0.9-3.el8.s390x.rpm
SHA-256: 31d4634170cb8e6482f8b564c0bcd8934410b58c414d7f2f146cad221f59371b
servicemesh-prometheus-2.14.0-16.el8.1.s390x.rpm
SHA-256: 645a56a11b6d3587f8c91cbfba3e31295708982c683c09d08f78331fb8605106
servicemesh-proxy-2.0.9-3.el8.s390x.rpm
SHA-256: 88b860a2c4da72fd0e59d31e19833c52f9f0edc789969bb9be9560b0d48d34bb
The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.