-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.3685
            Red Hat OpenShift Service Mesh 2.1.3 security update
                               28 July 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat OpenShift Service Mesh 2.1.3
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-31045 CVE-2022-29228 CVE-2022-29226
                   CVE-2022-29225 CVE-2022-29224 CVE-2022-23806
                   CVE-2022-23773 CVE-2022-23772

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2022:5004

Comment: CVSS (Max):  10.0 CVE-2022-29226 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

Note: Recent issues with access to Red Hat advisories have resulted in some
      delayed reporting.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: Red Hat OpenShift Service Mesh 2.1.3 security update
Advisory ID:       RHSA-2022:5004-01
Product:           Red Hat OpenShift Service Mesh
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:5004
Issue date:        2022-06-13
CVE Names:         CVE-2022-23772 CVE-2022-23773 CVE-2022-23806
                   CVE-2022-29224 CVE-2022-29225 CVE-2022-29226
                   CVE-2022-29228 CVE-2022-31045
=====================================================================

1. Summary:

Red Hat OpenShift Service Mesh 2.1.3 has been released.

Red Hat Product Security has rated this update as having a security impact
of Critical. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2.
Relevant releases/architectures:

OpenShift Service Mesh 2.1 - noarch, ppc64le, s390x, x86_64

3. Description:

Red Hat OpenShift Service Mesh is a Red Hat distribution of the Istio
service mesh project, tailored for installation into an on-premise OpenShift
Container Platform installation.

This advisory covers the RPM packages for the release.

Security Fix(es):

* envoy: oauth filter allows trivial bypass (CVE-2022-29226)

* envoy: Decompressors can be zip bombed (CVE-2022-29225)

* envoy: oauth filter calls continueDecoding() from within decodeHeaders()
(CVE-2022-29228)

* golang: math/big: uncontrolled memory consumption due to an unhandled
overflow via Rat.SetString (CVE-2022-23772)

* golang: cmd/go: misinterpretation of branch names can lead to incorrect
access control (CVE-2022-23773)

* golang: crypto/elliptic IsOnCurve returns true for invalid field elements
(CVE-2022-23806)

* envoy: Segfault in GrpcHealthCheckerImpl (CVE-2022-29224)

* Istio: Unsafe memory access in metadata exchange (CVE-2022-31045)

For more details about the security issues, including the impact, a CVSS
score, acknowledgments, and other related information, see the CVE page
listed in the References section.

4. Solution:

The OpenShift Service Mesh Release Notes provide information on the features
and known issues. See the link in the References section.

5.
Bugs fixed (https://bugzilla.redhat.com/):

2053429 - CVE-2022-23806 golang: crypto/elliptic IsOnCurve returns true for invalid field elements
2053532 - CVE-2022-23772 golang: math/big: uncontrolled memory consumption due to an unhandled overflow via Rat.SetString
2053541 - CVE-2022-23773 golang: cmd/go: misinterpretation of branch names can lead to incorrect access control
2088737 - CVE-2022-29225 envoy: Decompressors can be zip bombed
2088738 - CVE-2022-29224 envoy: Segfault in GrpcHealthCheckerImpl
2088739 - CVE-2022-29226 envoy: oauth filter allows trivial bypass
2088740 - CVE-2022-29228 envoy: oauth filter calls continueDecoding() from within decodeHeaders()
2088819 - CVE-2022-31045 Istio: Unsafe memory access in metadata exchange

6. JIRA issues fixed (https://issues.jboss.org/):

OSSM-1107 - Take jwksResolverExtraRootCA out of TechPreview
OSSM-1614 - RPM Release for Maistra 2.1.3

7. Package List:

OpenShift Service Mesh 2.1:

Source:
servicemesh-2.1.3-1.el8.src.rpm
servicemesh-operator-2.1.3-2.el8.src.rpm
servicemesh-prometheus-2.23.0-7.el8.src.rpm
servicemesh-proxy-2.1.3-1.el8.src.rpm
servicemesh-ratelimit-2.1.3-1.el8.src.rpm

noarch:
servicemesh-proxy-wasm-2.1.3-1.el8.noarch.rpm

ppc64le:
servicemesh-2.1.3-1.el8.ppc64le.rpm
servicemesh-cni-2.1.3-1.el8.ppc64le.rpm
servicemesh-operator-2.1.3-2.el8.ppc64le.rpm
servicemesh-pilot-agent-2.1.3-1.el8.ppc64le.rpm
servicemesh-pilot-discovery-2.1.3-1.el8.ppc64le.rpm
servicemesh-prometheus-2.23.0-7.el8.ppc64le.rpm
servicemesh-proxy-2.1.3-1.el8.ppc64le.rpm
servicemesh-proxy-debuginfo-2.1.3-1.el8.ppc64le.rpm
servicemesh-proxy-debugsource-2.1.3-1.el8.ppc64le.rpm
servicemesh-ratelimit-2.1.3-1.el8.ppc64le.rpm

s390x:
servicemesh-2.1.3-1.el8.s390x.rpm
servicemesh-cni-2.1.3-1.el8.s390x.rpm
servicemesh-operator-2.1.3-2.el8.s390x.rpm
servicemesh-pilot-agent-2.1.3-1.el8.s390x.rpm
servicemesh-pilot-discovery-2.1.3-1.el8.s390x.rpm
servicemesh-prometheus-2.23.0-7.el8.s390x.rpm
servicemesh-proxy-2.1.3-1.el8.s390x.rpm
servicemesh-proxy-debuginfo-2.1.3-1.el8.s390x.rpm
servicemesh-proxy-debugsource-2.1.3-1.el8.s390x.rpm
servicemesh-ratelimit-2.1.3-1.el8.s390x.rpm

x86_64:
servicemesh-2.1.3-1.el8.x86_64.rpm
servicemesh-cni-2.1.3-1.el8.x86_64.rpm
servicemesh-operator-2.1.3-2.el8.x86_64.rpm
servicemesh-pilot-agent-2.1.3-1.el8.x86_64.rpm
servicemesh-pilot-discovery-2.1.3-1.el8.x86_64.rpm
servicemesh-prometheus-2.23.0-7.el8.x86_64.rpm
servicemesh-proxy-2.1.3-1.el8.x86_64.rpm
servicemesh-proxy-debuginfo-2.1.3-1.el8.x86_64.rpm
servicemesh-proxy-debugsource-2.1.3-1.el8.x86_64.rpm
servicemesh-ratelimit-2.1.3-1.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

8. References:

https://access.redhat.com/security/cve/CVE-2022-23772
https://access.redhat.com/security/cve/CVE-2022-23773
https://access.redhat.com/security/cve/CVE-2022-23806
https://access.redhat.com/security/cve/CVE-2022-29224
https://access.redhat.com/security/cve/CVE-2022-29225
https://access.redhat.com/security/cve/CVE-2022-29226
https://access.redhat.com/security/cve/CVE-2022-29228
https://access.redhat.com/security/cve/CVE-2022-31045
https://access.redhat.com/security/updates/classification/#critical
https://docs.openshift.com/container-platform/latest/service_mesh/v2x/servicemesh-release-notes.html

9. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
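As an added example (not part of the Red Hat advisory or the AusCERT bulletin), a small Python audit that compares installed servicemesh RPM versions against the fixed version-release values from the package list above; the rpm output is a constructed sample, and the version ordering approximates rpmvercmp's segment rules without tilde/caret handling.

```python
import re

# Fixed versions from the RHSA-2022:5004 package list (version-release, arch dropped).
FIXED = {
    "servicemesh": "2.1.3-1.el8",
    "servicemesh-cni": "2.1.3-1.el8",
    "servicemesh-operator": "2.1.3-2.el8",
    "servicemesh-pilot-agent": "2.1.3-1.el8",
    "servicemesh-pilot-discovery": "2.1.3-1.el8",
    "servicemesh-prometheus": "2.23.0-7.el8",
    "servicemesh-proxy": "2.1.3-1.el8",
    "servicemesh-ratelimit": "2.1.3-1.el8",
}

# Constructed sample (not real output) of:
#   rpm -qa 'servicemesh*' --qf '%{NAME} %{VERSION}-%{RELEASE}\n'
SAMPLE_RPM_QA = """\
servicemesh 2.1.2-1.el8
servicemesh-operator 2.1.3-2.el8
servicemesh-proxy 2.1.3-1.el8
servicemesh-prometheus 2.23.0-6.el8
servicemesh-ratelimit 2.1.3-1.el8
"""

def _segments(s):
    # rpmvercmp-style: numeric runs compare as integers and rank above
    # alphabetic runs, so 2.1.10 > 2.1.3 (a string compare gets this wrong).
    # Real rpm's tilde/caret pre-release rules are not modelled here.
    return [(1, int(t)) if t.isdigit() else (0, t)
            for t in re.findall(r"\d+|[A-Za-z]+", s)]

def _vr_key(vr):
    version, release = vr.split("-", 1)
    return (_segments(version), _segments(release))

def is_fixed(installed_vr, fixed_vr):
    """True if the installed version-release is at or above the fixed one."""
    return _vr_key(installed_vr) >= _vr_key(fixed_vr)

def audit(rpm_qa_output, fixed=FIXED):
    """Return {name: (installed, fixed)} for packages still below the fix."""
    below = {}
    for line in rpm_qa_output.splitlines():
        if not line.strip():
            continue
        name, vr = line.split(None, 1)
        if name in fixed and not is_fixed(vr, fixed[name]):
            below[name] = (vr, fixed[name])
    return below
```

Running `audit(SAMPLE_RPM_QA)` on the constructed sample flags `servicemesh` and `servicemesh-prometheus` as still below the advisory's versions; feed it real `rpm -qa` output with the same query format to check a host.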
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.
It may not be updated when updates to the original are made. If downloading
at a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

-----END PGP SIGNATURE-----