The SupportCandy WordPress plugin before 3.1.7 does not properly sanitise and escape the agents[] parameter in the set_add_agent_leaves AJAX function before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin.

CVE-2023-2805

The SupportCandy WordPress plugin before 3.1.7 does not properly sanitise and escape the `id` parameter for an Agent in the REST API before using it in an SQL statement, leading to an SQL Injection exploitable by users with a role as low as Subscriber.

CVE-2023-2719

The QueryWall: Plug'n Play Firewall WordPress plugin through 1.1.1 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin.

CVE-2023-2492

Release of Bug Advisories for the OpenShift Jenkins image and Jenkins agent base image.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:
* CVE-2022-1705: A flaw was found in golang. The HTTP/1 client accepted invalid Transfer-Encoding headers indicating "chunked" encoding. This issue could allow request smuggling, but only if combined with an intermediate server that also improperly accepts the header as invalid.
* CVE-2022-2880: A flaw was found in the golang package, where requests forwarded by reverse proxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This issue could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value. After the fix, the reverse proxy sanitizes the query parameters in the forwarded query when the outbound request's form field is set after the reverse proxy. The director function returns, indicating that the proxy has parsed the query parameters. Proxies that do not parse query parameters continue to forward the original query parameters unchanged.
* CVE-2022-28327: An integer overflow flaw was found in Golang's crypto/elliptic library. This flaw allows an attacker to use a crafted scaler input longer than 32 bytes, causing P256().ScalarMult or P256().ScalarBaseMult to panic, leading to a loss of availability.
* CVE-2022-32148: A flaw was found in net/http/httputil golang package. When httputil.ReverseProxy.ServeHTTP is called with a Request.Header map containing a nil value for the X-Forwarded-For header, ReverseProxy could set the client IP incorrectly. This issue may affect confidentiality.
* CVE-2022-41715: A flaw was found in the golang package, where programs that compile regular expressions from untrusted sources are vulnerable to memory exhaustion or a denial of service. The parsed regexp representation is linear in the input size. Still, in some cases, the constant factor can be as high as 40,000, making a relatively small regexp consume larger amounts of memory. After the fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Routine use of regular expressions is unaffected.
* CVE-2022-41717: A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.


Issued:

2023-06-19

Updated:

2023-06-19

**RHSA-2023:3664 - Security Advisory**

*   Overview
*   Updated Images

**Synopsis**

Moderate: OpenShift Jenkins image and Jenkins agent base image security update

**Type/Severity**

Security Advisory: Moderate

**Topic**

Release of Bug Advisories for the OpenShift Jenkins image and Jenkins agent base image.  

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

**Description**

Release of Security Advisory for the OpenShift Jenkins image and Jenkins agent base image.  

Security Fix(es):  

*   golang: net/http: An attacker can cause excessive memory growth in a Go

server accepting HTTP/2 requests (CVE-2022-41717)  

*   golang: regexp/syntax: limit memory used by parsing regexps (CVE-2022-41715)
*   golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters (CVE-2022-2880)
*   golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working (CVE-2022-32148)
*   golang: net/http: improper sanitization of Transfer-Encoding header (CVE-2022-1705)
*   golang: crypto/elliptic: panic caused by oversized scalar (CVE-2022-28327)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

**Solution**

Before applying this update, make sure all previously released errata  
relevant to your system have been applied.  

For details on how to apply this update, refer to:  

https://access.redhat.com/articles/11258

**Affected Products**

*   OpenShift Developer Tools and Services 4.11 x86\_64
*   OpenShift Developer Tools and Services 4.11 s390x
*   OpenShift Developer Tools and Services 4.11 ppc64le
*   OpenShift Developer Tools and Services 4.11 aarch64

**Fixes**

*   BZ - 2077689 - CVE-2022-28327 golang: crypto/elliptic: panic caused by oversized scalar
*   BZ - 2107374 - CVE-2022-1705 golang: net/http: improper sanitization of Transfer-Encoding header
*   BZ - 2107383 - CVE-2022-32148 golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working
*   BZ - 2132868 - CVE-2022-2880 golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters
*   BZ - 2132872 - CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps
*   BZ - 2161274 - CVE-2022-41717 golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests
*   OCPBUGS-11182 - Jenkins images based on rhel8 are wrongly tagged with rhel7
*   OCPBUGS-13653 - \[release-4.11\] Bump Jenkins and Plugin versions
*   OCPBUGS-14114 - Update ImageStreams to use new Jenkins and Jenkins Agent Base images
*   OCPBUGS-1438 - \[release-411\] Jenkins install-plugins script does not ignore updates to locked plugin versions
*   OCPBUGS-14646 - Bump Jenkins plugins to latest versions

**CVEs**

*   CVE-2021-3782
*   CVE-2021-46848
*   CVE-2022-1304
*   CVE-2022-1705
*   CVE-2022-2795
*   CVE-2022-2880
*   CVE-2022-3627
*   CVE-2022-3970
*   CVE-2022-28327
*   CVE-2022-32148
*   CVE-2022-35737
*   CVE-2022-36227
*   CVE-2022-41715
*   CVE-2022-41717
*   CVE-2022-42898
*   CVE-2022-47629
*   CVE-2023-0361
*   CVE-2023-2491
*   CVE-2023-22490
*   CVE-2023-23946
*   CVE-2023-24329
*   CVE-2023-25652
*   CVE-2023-25815
*   CVE-2023-27535
*   CVE-2023-29007

**aarch64**

ocp-tools-4/jenkins-agent-base-rhel8@sha256:0aa40f00ce3a9d9dad422e00eb3e726d5fa25d5fa86f94ff3db4aa55ec776b13

ocp-tools-4/jenkins-rhel8@sha256:c2367f2d7e31a0d984436cb9688de80d35191b4fae450780405ca26be64fa33d

**ppc64le**

ocp-tools-4/jenkins-agent-base-rhel8@sha256:0fd1b4e1b169778f676fdceac6d8d8eec3ded32abe503933909bdf3e65707c2f

ocp-tools-4/jenkins-rhel8@sha256:986d150664d8705598f3864737164141b41ed87806374d8f6f44829ffea2673b

**s390x**

ocp-tools-4/jenkins-agent-base-rhel8@sha256:f60d566ae257cc302b0d4dc83f434bd8630bf80f760a7c144ddc347071b77fbf

ocp-tools-4/jenkins-rhel8@sha256:4af748991937f5510f9b82a122eb1a854be311f67aaa99b58ccb628b03a8fe22

**x86\_64**

ocp-tools-4/jenkins-agent-base-rhel8@sha256:8e8bc685e43e595fc98e420d7187a8b9de0bbc7c6d27bf683d806cedccb6a4c4

ocp-tools-4/jenkins-rhel8@sha256:e93d570f858c6608fe9dc76fb8019b4d48fc6db8ca885e59c769bacac3a636bb

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

RHSA-2023:3664: Red Hat Security Advisory: OpenShift Jenkins image and Jenkins agent base image security update

VirtualSquare picoTCP (aka PicoTCP-NG) through 2.1 does not properly check whether header sizes would result in accessing data outside of a packet.

Expand Up

@@ -868,6 +868,9 @@ static inline void tcp\_parse\_option\_mss(struct pico\_socket\_tcp \*t, uint8\_t len,

if (tcpopt\_len\_check(idx, len, PICO\_TCPOPTLEN\_MSS) < 0)

return;

  

if ((\*idx + PICO\_TCPOPTLEN\_MSS) > len)

return;

  

t->mss\_ok = 1;

mss = short\_from(opt + \*idx);

\*idx += (uint32\_t)sizeof(uint16\_t);

Expand Down Expand Up

@@ -896,6 +899,10 @@ static int tcp\_parse\_options(struct pico\_frame \*f)

uint8\_t \*opt = f->transport\_hdr + PICO\_SIZE\_TCPHDR;

uint32\_t i = 0;

f->timestamp = 0;

  

if (f->buffer + f->buffer\_len > f->transport\_hdr + f->transport\_len)

return -1;

  

while (i < (f->transport\_len - PICO\_SIZE\_TCPHDR)) {

uint8\_t type = opt\[i++\];

uint8\_t len;

Expand Down

CVE-2023-35849: More checks for correct header sizes · virtualsquare/picotcp@4b9a167

To properly secure DNS infrastructure, organizations need strong security hygiene and records management, as well as DNS traffic monitoring and filtering.

As a core backbone of the infrastructure, Domain Name Service (DNS) acts as the phone book of the Internet. It helps route users hunting for a specific domain name and connects them to the resources of the IP address connected to that domain. When it runs the way it is supposed to, it is nearly invisible to the typical user — and even to many technical administrators. This lends an air of obscure simplicity that leads many organizations to assume that DNS is a background service that doesn't require more than basic protection and is covered by other Web and email defenses.

That couldn't be further from the truth. A new report from Dark Reading outlines the threats against DNS and what organizations should do to secure DNS infrastructure.

Some of the most common DNS attacks include:

*   Denial of service, which overwhelms DNS services with traffic to disrupt or disable DNS service at an organization.
*   DNS cache poisoning, which manipulates the DNS cache to redirect users trying to go to a legitimate domain to a malicious IP address.
*   DNS hijacking, which changes the DNS records of a domain to redirect users to a malicious IP.
*   DNS tunneling, which leverages outbound DNS traffic to smuggle malicious data from malware exploitation back to attackers' C2 infrastructure.
*   Dangling DNS, which takes over an unused subdomain on cloud and other infrastructure to impersonate a brand or use as a foothold for other attacks.

To ensure the proper security of DNS infrastructure, organizations need a solid combination of strong security hygiene around DNS infrastructure and records management, close monitoring of DNS traffic, effective filtering, and deployment of more advanced protocols, like DNSSEC. The cost of not employing these measures can be high. The average cost of a successful DNS attack is upward of $1 million.

When attacks happen, sometimes the best that many organizations can do is to literally pull the plug on their DNS or network infrastructure.

The Dark Reading report, "Everything You Need to Know About DNS Attacks," explores the nuances of the DNS security awareness gap, including why organizations are struggling to implement a full slate of DNS security measures and what it will take to combat these common DNS attacks. The report examines how to harden DNS infrastructure from attacks, the importance of creating more visibility around DNS, and how DNS protection measures can actually be used to improve other areas of cybersecurity awareness.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Getting Over the DNS Security Awareness Gap

The Clop ransomware group has claimed responsibility for exploiting the vulnerability to deploy a previously unseen web shell, LemurLoot.

Friday, June 16, 2023 14:06

*   Cisco Talos is monitoring recent reports of exploitation attempts against CVE-2023-34362, a SQL injection zero-day vulnerability in the MOVEit Transfer managed file transfer (MFT) solution that has been actively targeted since late May 2023.
*   Successful exploitation could lead to remote code execution (RCE), allowing unauthenticated adversaries to execute arbitrary code to support malicious activity, such as disabling anti-virus solutions (AV) or deploying malware payloads.
*   The Clop ransomware group has claimed responsibility for exploiting the vulnerability to deploy a previously unseen web shell, LemurLoot, to exfiltrate victims’ data and extort payments, and Microsoft has attributed these attacks to the same group, according to public reporting.
*   Two more vulnerabilities have since been found in MOVEit Transfer solutions, CVE-2023-35036 and CVE-2023-35708, although at this time, they are reportedly not being actively exploited.

**CVE-2023-34362 details and ongoing exploitation**

On May 31, the Progress Software Corporation released a security advisory warning customers of a vulnerability in internet-facing and on-premises instances of their MOVEit Transfer solution, which could lead to escalated privileges and potential unauthorized access to an environment. The vulnerability, CVE-2023-34362, has been actively exploited since May 27, but the threat actors may have begun experimenting to compromise it as early as 2021.

As of late May, there were approximately 2,500 exposed MOVEit instances primarily located in the U.S., according to public reporting, highlighting its prevalence in enterprise environments.

**Vulnerability details**

The MOVEit Transfer vulnerability, CVE-2023-34362, covers multiple flaws that an attacker can chain together to achieve RCE with elevated privileges. The first part of the exploit chain uses SQL injection to obtain a sysadmin API token. That token can then be used to call a deserialization function that does not properly validate input, allowing for remote code execution.

A second vulnerability, CVE-2023-35036, was assigned and Progress Software released patches and an advisory addressing this issue. Patches for CVE-2023-35036 are meant to mitigate multiple parts of the successful exploit chain initially discovered to have been used during the exploitation of the first vulnerability, CVE-2023-34362.

On June 15, 2023, another vulnerability was identified, CVE-2023-35708. Progress Software is in the process of releasing installable patches for this issue although DLL drop-ins.

**Ongoing exploitation**

The Clop ransomware group released a public statement on their Tor data leak site on June 5, claiming responsibility for the attacks and threatening to publish victims’ data if the extortion demand is not paid. The group provided a deadline of June 14 for victims to initiate contact or else their company name would be posted on the data leak site as a warning. At this time, no data has been published but they have begun publicly naming and shaming affected companies.

  
In this activity, the Clop ransomware group exploited CVE-2023-34362 to install a previously unknown web shell now dubbed “LemurLoot”.

Written in C#, LemurLoot is designed to exfiltrate data and execute on systems running MOVEit Transfer. The web shell is deployed with a hardcoded, 36-character GUID-formatted value used to authenticate incoming connection requests from the threat actor. The authentication code value must be present in the “X-siLock-Comment” header field without which an HTTP 404 error code will be returned to the operator. If the value is correct, the web shell confirms it can accept taskings and connects to an attacker-controlled SQL server.

LemurLoot uses the header field “X-siLock-Step1’ to receive the commands from the operator. There are two well-defined commands: -1 and -2. The fields “X-siLock-Step2’ and  “X-siLock-Step3” are used to hold parameters to be used when no command has been defined.

**_Command “-1”:_** _LemurLoot retrieves Azure system settings from MOVEit Transfer and performs SQL queries to retrieve files._

**_Command “-2”:_** _LemureLoot deletes a user account with the LoginName and RealName set to "Health Check Service"._

For any other values of “X-siLock-Step1,” the web shell will open a file specified by the folder and file name in “X-siLock-Step2”, and “X-siLock-Step3” respectively and retrieve it for the operator.

If no values of “X-siLock-Step2” and “X-siLock-Step3” are specified, then the web shell creates the “Health Check Service” admin user and creates an active session.

**Recommendations  
**

Progress Software Corporation offers several mitigations for safeguarding against potential exploitation of this vulnerability and best practices for network security:

*   Please refer to the advisories for CVE-2023-34362, CVE-2023-35036 and CVE-2023-35708 to apply corresponding patches.
*   Modify firewall rules to deny HTTP and HTTPs traffic to MOVEit Transfer on ports 80 and 443 until the patch can be applied.
*   Delete unauthorized files and user accounts and reset service account credentials.
*   Continuously monitor networks for early detection in the event of a compromise.
*   Update network firewall rules to only allow connections to the MOVEit Transfer infrastructure from known trusted IP addresses.
*   Update remote access policies to only allow inbound connections from known and trusted IP addresses, and use certificate-based access control.
*   Enable multi-factor authentication. Multi-factor authentication (MFA) protects MOVEit Transfer accounts from unverified users when a user's account password is lost, stolen, or compromised.

**Coverage**

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Cisco Talos is releasing the following Snort SIDs to protect against this threat:

*   61876 - 61879
*   61936
*   300582, 300583

The following ClamAV signatures have been released to detect malware artifacts related to this threat:

*   Win.Ransomware.Clop-6881304-0
*   Win.Ransomware.Clop-6887770-0

**IOCs  
****Webshell (LemurLoot)**

702421bcee1785d93271d311f0203da34cc936317e299575b06503945a6ea1e0  
9d1723777de67bc7e11678db800d2a32de3bcd6c40a629cd165e3f7bbace8ead  
9e89d9f045664996067a05610ea2b0ad4f7f502f73d84321fb07861348fdc24a  
d49cf23d83b2743c573ba383bf6f3c28da41ac5f745cde41ef8cd1344528c195  
b1c299a9fe6076f370178de7b808f36135df16c4e438ef6453a39565ff2ec272  
6015fed13c5510bbb89b0a5302c8b95a5b811982ff6de9930725c4630ec4011d  
48367d94ccb4411f15d7ef9c455c92125f3ad812f2363c4d2e949ce1b615429a  
2413b5d0750c23b07999ec33a5b4930be224b661aaf290a0118db803f31acbc5  
e8012a15b6f6b404a33f293205b602ece486d01337b8b3ec331cd99ccadb562e

Active exploitation of the MOVEit Transfer vulnerability — CVE-2023-34362 — by Clop ransomware group

TP-Link Archer AX10(EU)_V1.2_230220 was discovered to contain a buffer overflow via the function FUN_131e8 - 0x132B4.

\# Exploit Title: Buffer Overflow in TP-Link Archer AX10(EU)\_V1.2\_230220

\# Exploit Author: Giuseppe Compare

\# Date : 26/05/2023

\# CVE: CVE-2023-34832

\# Vendor Homepage: https://www.tp-link.com/

\# Version: TP-Link Archer AX10(EU)\_V1.2\_230220

Buffer Overflow

There is a buffer overflow in the FUN\_131e8 function due to using sprintf improperly, detailed in line 47-49

memset(&DAT\_000283a4,0,0x800);

sprintf(&DAT\_000283a4,"echo \\'\[ %s \] %d: get OCN v6plus rules begin\\n \\' > /dev/console", "https\_get\_rules\_OCN",0x3c3); system(&DAT\_000283a4);

//line 47-49

sprintf((char \*)&local\_428, "https://rule.map.ocn.ad.jp/?ipv6Prefix=%s&ipv6PrefixLength=%d&code=e8mMWklYwaGoHmT05ynqVM4kPqF9rAUnhrWCp1vWvBeSOO0pfpMokg==" ,param\_2 + 0x23,param\_2\[0x2d\]);

The sprintf() function makes no guarantees regarding the length of the generated string, a sufficiently long string passed as an additional argument could generate a buffer overflow.

Remediation

Guarantee that storage for strings has sufficient space for character data and the null terminator.

Avoid using unsafe functions such as sprintf(), consider using snprintf() or sprintf\_s() and variants.

Double check that your buffer is as large as you specify.

Check buffer boundaries if accessing the buffer in a loop and make sure there is no danger of writing past the allocated space.

CVE-2023-34832: CVE-2023-34832 : Buffer Overflow in TP-Link Archer AX10(EU)_V1.2_230220

TP-Link Archer version AX10(EU)_V1.2_230220 suffers from a buffer overflow vulnerability.

    # Exploit Title: Buffer Overflow in TP-Link Archer AX10(EU)_V1.2_230220# Exploit Author: Giuseppe Compare# Date : 26/05/2023# CVE: CVE-2023-34832# Vendor Homepage: https://www.tp-link.com/# Version: TP-Link Archer AX10(EU)_V1.2_230220Buffer OverflowThere is a buffer overflow in the FUN_131e8 function due to using sprintf improperly, detailed in line 47-49memset(&DAT_000283a4,0,0x800);sprintf(&DAT_000283a4,"echo \'[ %s ] %d: get OCN v6plus rules begin\n \' > /dev/console", "https_get_rules_OCN",0x3c3); system(&DAT_000283a4); //line 47-49sprintf((char *)&local_428, "https://rule.map.ocn.ad.jp/?ipv6Prefix=%s&ipv6PrefixLength=%d&code=e8mMWklYwaGoHmT05ynqVM4kPqF9rAUnhrWCp1vWvBeSOO0pfpMokg==" ,param_2 + 0x23,param_2[0x2d]);The sprintf() function makes no guarantees regarding the length of the generated string, a sufficiently long string passed as an additional argument could generate a buffer overflow.RemediationGuarantee that storage for strings has sufficient space for character data and the null terminator.Avoid using unsafe functions such as sprintf(), consider using snprintf() or sprintf_s() and variants.Double check that your buffer is as large as you specify.Check buffer boundaries if accessing the buffer in a loop and make sure there is no danger of writing past the allocated space.

TP-Link Archer AX10(EU)_V1.2_230220 Buffer Overflow

Red Hat Security Advisory 2023-3644-01 - Red Hat OpenShift Service Mesh is the Red Hat distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation. This advisory covers container images for the release.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: Red Hat OpenShift Service Mesh Containers for 2.4.0  
Advisory ID:       RHSA-2023:3644-01  
Product:           RHOSSM  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3644  
Issue date:        2023-06-15  
CVE Names:         CVE-2021-4235 CVE-2022-1705 CVE-2022-2795  
                   CVE-2022-2879 CVE-2022-2880 CVE-2022-2995  
                   CVE-2022-3162 CVE-2022-3172 CVE-2022-3204  
                   CVE-2022-3259 CVE-2022-3466 CVE-2022-27664  
                   CVE-2022-30631 CVE-2022-32148 CVE-2022-32189  
                   CVE-2022-32190 CVE-2022-36227 CVE-2022-39229  
                   CVE-2022-41715 CVE-2023-24540 CVE-2023-27535  
====================================================================  
1. Summary:

Red Hat OpenShift Service Mesh Containers for 2.4.0

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Service Mesh is the Red Hat distribution of the Istio  
service mesh project, tailored for installation into an on-premise  
OpenShift Container Platform installation.

This advisory covers container images for the release.

Security Fix(es):

* golang: html/template: improper handling of JavaScript whitespace  
(CVE-2023-24540)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2196027 - CVE-2023-24540 golang: html/template: improper handling of JavaScript whitespace

5. JIRA issues fixed (https://issues.redhat.com/):

OSSM-1094 - Htpasswd secret created in control plane namespace is using SHA1  
OSSM-1667 - Remove deprecated cipher suites  
OSSM-2128 - Exclude some accessible namespaces in Kiali CR with some labelSelector  
OSSM-2215 - istio-cni-node never updates kubeconfig causing error adding container to network \"v2-0-istio-cni\": Unauthorized  
OSSM-2221 - Gateway injection does not work in control plane namespace  
OSSM-2254 - Fix and deprecate IOR  
OSSM-2274 - If two SMCPs exist in a namespace and you delete one, all child resources are deleted  
OSSM-2325 - Disable prometheus in the minimal example CR  
OSSM-2339 - Deprecated istio-operator API call in CNV  
OSSM-2420 - Pod locality controller fails to update pod  
OSSM-2436 - istio-operator reports as ready before it really is  
OSSM-3246 - Promote ClusterWide to GA  
OSSM-3288 - Implement prometheus extension provider  
OSSM-3291 - Implement envoyExtAuthzHttp extension provider  
OSSM-331 - Service Mesh IPv6 Single Stack Support  
OSSM-3419 - Align OSSM 2.4 with latest upstream Istio 1.16.5 release  
OSSM-3747 - Duplicate env vars in egress gateway deployment  
OSSM-3784 - Bad ownerReference in k8s Gateway Deployment & Service  
OSSM-3802 - GA discoverySelectors (move out of techPreview.meshConfig)  
OSSM-3803 - Move extensionProviders to SMCP.spec.meshConfig.extensionProviders  
OSSM-3870 - OSSM must-gather improvements  
OSSM-3873 - [KIALI] Kiali ingress.host accepted in the SMCP but is not configured properly in Kiali CR  
OSSM-3934 - Prometheus and grafana not reachable from kiali  
OSSM-3986 - Kiali does not display all the data when SMCP is deployed with Cluster Wide mode  
OSSM-4037 - kiali operator base image bump  
OSSM-4069 - Kiali route is missing with 2.2 Control Plane in 2.4 Operator on OpenShift 4.13  
OSSM-566 - Supported integration with OpenShift Monitoring and BYO Prometheus  
OSSM-568 - Integration with (external) cert-manager

6. References:

https://access.redhat.com/security/cve/CVE-2021-4235  
https://access.redhat.com/security/cve/CVE-2022-1705  
https://access.redhat.com/security/cve/CVE-2022-2795  
https://access.redhat.com/security/cve/CVE-2022-2879  
https://access.redhat.com/security/cve/CVE-2022-2880  
https://access.redhat.com/security/cve/CVE-2022-2995  
https://access.redhat.com/security/cve/CVE-2022-3162  
https://access.redhat.com/security/cve/CVE-2022-3172  
https://access.redhat.com/security/cve/CVE-2022-3204  
https://access.redhat.com/security/cve/CVE-2022-3259  
https://access.redhat.com/security/cve/CVE-2022-3466  
https://access.redhat.com/security/cve/CVE-2022-27664  
https://access.redhat.com/security/cve/CVE-2022-30631  
https://access.redhat.com/security/cve/CVE-2022-32148  
https://access.redhat.com/security/cve/CVE-2022-32189  
https://access.redhat.com/security/cve/CVE-2022-32190  
https://access.redhat.com/security/cve/CVE-2022-36227  
https://access.redhat.com/security/cve/CVE-2022-39229  
https://access.redhat.com/security/cve/CVE-2022-41715  
https://access.redhat.com/security/cve/CVE-2023-24540  
https://access.redhat.com/security/cve/CVE-2023-27535  
https://access.redhat.com/security/updates/classification/#important

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZIuxO9zjgjWX9erEAQhxLg//cqi5JYtCAvOoMpkcoFT/rTGhn2s7EmPX  
gCNYy/Gv1EESdc4WLJs/96vXWpnRF1XA1Z+Jrn6Ojd1OcRVikWjpXtzM+2cKNoCA  
HZMvyxRe4R0QlcBb17XZYDN0plU+H24UGDMHengwY45K5ZRWfw7/vb3Gna3VwUgk  
QALQk0WLqiJUSDy0CAaFwZNKUZKZmKCmQudm8dbECA+pCKTYS22bfbuE4o2jtcTA  
PmFZ5sDIKTuWuzHtxT5Urbx+g6rgijP3xP1JqZXzuI9ExH7eeS7e1Sk8rH2MOXH2  
E9VDmAsi2p7ffdaLRILHYPdLtt88wiE0kLjBof7i7OMBSoX70l3UEwvy9g96udbl  
a/GsvnKkrpEnxXyPxUm4HQQ5xHPEaFIZlAwGSwnZ7CPS0wkWu3vN513ccMF+wsgx  
BokeK739WjxblJRsf/fTujflEMmOzIzsM6N3yDY51hs2lAl1NFZSCjFUTwjuoNNK  
7CgMoWkbCDRc0tGWvu82gJfZPnlw7lRPHYAVSNkMAPQsODTyk8FEoY9Sj8UtnI5C  
qKwo7TdYjTwrivRCoQJJcNZJxW6RY2NSZNev3WviJuM+tssXXkOCJaD6Eguy6UhO  
PElcfkRdRJW5HevW+u56ngGfBUb091Zyes7bN8E0AwFBI1CBvjzWgEFTM1i2Ce/+  
A6ybAfZVB68=0l+j  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Tag

#perl