- Issued:
- 2019-12-11
- Updated:
- 2019-12-11
RHSA-2019:4222 - Security Advisory
Synopsis
Critical: Red Hat OpenShift Service Mesh 1.0.3 RPMs security update
Type/Severity
Security Advisory: Critical
Red Hat Insights patch analysis
Identify and remediate systems affected by this advisory.
Topic
Red Hat OpenShift Service Mesh 1.0.3.
Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation.
This advisory covers the RPM packages for the OpenShift Service Mesh 1.0.3 release.
Security Fix(es):
- An untrusted remote client may send HTTP/2 requests that write to the heap outside of the request buffers when the upstream is HTTP/1 (CVE-2019-18801)
- Malformed request header may cause bypass of route matchers resulting in escalation of privileges or information disclosure (CVE-2019-18802)
- Malformed HTTP request without the Host header may cause abnormal termination of the Envoy process (CVE-2019-18838)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Solution
The OpenShift Service Mesh release notes provide information on the features and known issues:
https://docs.openshift.com/container-platform/4.2/service_mesh/servicemesh-release-notes.html
Affected Products
- Red Hat OpenShift Service Mesh 1.0 for RHEL 8 x86_64
- Red Hat OpenShift Service Mesh 1.0 for RHEL 7 x86_64
Fixes
- BZ - 1773444 - CVE-2019-18801 envoy: an untrusted remote client may send HTTP/2 requests that write to the heap outside of the request buffers when the upstream is HTTP/1
- BZ - 1773447 - CVE-2019-18802 envoy: malformed request header may cause bypass of route matchers resulting in escalation of privileges or information disclosure
- BZ - 1773449 - CVE-2019-18838 envoy: malformed HTTP request without the Host header may cause abnormal termination of the Envoy process
Red Hat OpenShift Service Mesh 1.0 for RHEL 8
| SRPM | |
|---|---|
| servicemesh-1.0.3-1.el8.src.rpm | SHA-256: 74648bd0c31396f67eabf343bf29e3e1fff5ad2bf12c9bebee65f7e135c64462 |
| servicemesh-cni-1.0.3-1.el8.src.rpm | SHA-256: ba0bdec0eb6272116be50f3d979e794ac08b4f65745707404891ba962fee1759 |
| servicemesh-grafana-6.2.2-25.el8.src.rpm | SHA-256: 65d0526af87442bcb40f6dda651b11585aab3569c4d5f91e54dc1eebb7ead4f1 |
| servicemesh-operator-1.0.3-1.el8.src.rpm | SHA-256: 1236e112cf317073de2decff97d829a4ead1a7dc72b58432923e4a5f0a280a34 |
| servicemesh-prometheus-2.7.2-26.el8.src.rpm | SHA-256: e3da9536e02dabdbe41d690fae01e2ccce6d8ce2cdbb63b86d73b3de476b1c87 |
| servicemesh-proxy-1.0.3-1.el8.src.rpm | SHA-256: 645a960d8b701cea95c0acda988138476e5576353b9e0bd03e5d52152580f94e |
| x86_64 | |
| servicemesh-1.0.3-1.el8.x86_64.rpm | SHA-256: 911c1ec77b82bdaf57224cbf867aeaae2c13d4d3bb754db1fa7acbd2bf9c9821 |
| servicemesh-citadel-1.0.3-1.el8.x86_64.rpm | SHA-256: 20839ce0fad1eb704bb402957f02d9dac9dc9490bbc2b4dc12e2f065b9286c83 |
| servicemesh-cni-1.0.3-1.el8.x86_64.rpm | SHA-256: 1535e361a7174a1df5c9cfde47d0fc38f5ba332ba4eca5281a5033f13457e052 |
| servicemesh-galley-1.0.3-1.el8.x86_64.rpm | SHA-256: bbf91fbf935f87a9ecb0af9cfbf15bcfd4af37be34115b699b4906921cd0e29b |
| servicemesh-grafana-6.2.2-25.el8.x86_64.rpm | SHA-256: 7d6e564614d19e8f896179a33d55f1e37816a9646b321c800c38776b55e6613c |
| servicemesh-grafana-prometheus-6.2.2-25.el8.x86_64.rpm | SHA-256: dbecab86c96ffffd8fb853ff93b2e201af152f1e95f1208eeec1b9a18cf5f39d |
| servicemesh-istioctl-1.0.3-1.el8.x86_64.rpm | SHA-256: eb1c7f3ad1a69a266f2d49543342e48120619fbb07ebc17f10b4f629a0fea8d2 |
| servicemesh-mixc-1.0.3-1.el8.x86_64.rpm | SHA-256: c91245d9e5b77701a09a295a2a59437ac4a3682729ac9e37992faddba31239d9 |
| servicemesh-mixs-1.0.3-1.el8.x86_64.rpm | SHA-256: 440aa08c764248a057e250b358efe65623d3a9871100696a83bbdad99362e559 |
| servicemesh-operator-1.0.3-1.el8.x86_64.rpm | SHA-256: 76ac295d803f81ef5a7ae147854b505982d6898b2ffbd7e4d9e60c982f20521d |
| servicemesh-pilot-agent-1.0.3-1.el8.x86_64.rpm | SHA-256: 309e88b704ddc084c9c37e8f180edc657ee2a415d15620f5dccfa35dd65be269 |
| servicemesh-pilot-discovery-1.0.3-1.el8.x86_64.rpm | SHA-256: 89054e172d7b88aade670fc99303114692f18d3381fc32f03edcd84b34eaa484 |
| servicemesh-prometheus-2.7.2-26.el8.x86_64.rpm | SHA-256: e4a854b0944c7ec1d555f064db836ebdb0afc597455fd22627a7d0fd8659ee43 |
| servicemesh-proxy-1.0.3-1.el8.x86_64.rpm | SHA-256: 4aab4e0369f86f1b0e5c4f6a0ce7a56b0fc1cde58cd650bb32131d3ddf2ae8d3 |
| servicemesh-sidecar-injector-1.0.3-1.el8.x86_64.rpm | SHA-256: 68079855fd64142d2089f2d62f30dc8c57d787999be119d518dd280b06515170 |
Red Hat OpenShift Service Mesh 1.0 for RHEL 7
| SRPM | |
|---|---|
| kiali-v1.0.8.redhat1-1.el7.src.rpm | SHA-256: 4bfdcebad2f92357b01d09fe5534bdfb483b1d6f0d48066e03f92492d80a7532 |
| x86_64 | |
| kiali-v1.0.8.redhat1-1.el7.x86_64.rpm | SHA-256: d825141db2c47571d5042c0a4762c32266a0436855d21854a9090fccbb541881 |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.