Issued:: 2020-06-02
Updated:: 2020-06-02

RHSA-2020:2362 - Security Advisory

Overview
Updated Packages

Synopsis

Moderate: Red Hat OpenShift Service Mesh security update

Type/Severity

Security Advisory: Moderate

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for jaeger, kiali, and servicemesh-grafana is now available for OpenShift Service Mesh 1.0.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation.

Security Fix(es):

nodejs-lodash: prototype pollution in defaultsDeep function leading to modifying properties (CVE-2019-10744)
nodejs-minimist: prototype pollution allows adding or modifying properties of Object.prototype using a constructor or __proto__ payload (CVE-2020-7598)
jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022)
grafana: information disclosure through world-readable grafana configuration files (CVE-2020-12459)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

Red Hat OpenShift Service Mesh 1.0 for RHEL 8 x86_64
Red Hat OpenShift Service Mesh 1.0 for RHEL 7 x86_64

Fixes

BZ - 1739497 - CVE-2019-10744 nodejs-lodash: prototype pollution in defaultsDeep function leading to modifying properties
BZ - 1813344 - CVE-2020-7598 nodejs-minimist: prototype pollution allows adding or modifying properties of Object.prototype using a constructor or __proto__ payload
BZ - 1828406 - CVE-2020-11022 jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method
BZ - 1829724 - CVE-2020-12459 grafana: information disclosure through world-readable grafana configuration files

CVEs

References

https://access.redhat.com/security/updates/classification/#moderate

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat OpenShift Service Mesh 1.0 for RHEL 8

SRPM
servicemesh-grafana-6.2.2-36.el8.src.rpm	SHA-256: b695b80a84379d6de8cce2bdba961f3ade920d8a93b91cd0a7c16561478717bf
x86_64
servicemesh-grafana-6.2.2-36.el8.x86_64.rpm	SHA-256: 166b7cad335e017dcd4b70ee31916d0025049f2bbd7723a54a882c40a39b805b
servicemesh-grafana-prometheus-6.2.2-36.el8.x86_64.rpm	SHA-256: 56e45423b363c2c943b3a5163f0a051c357bc93182bfd1939c4cf05b21deefac

Red Hat OpenShift Service Mesh 1.0 for RHEL 7

SRPM
jaeger-v1.13.1.redhat7-1.el7.src.rpm	SHA-256: da7560fb4d44cae4686ad6230304146cb1449c6ef8bab71191baa26473edeecd
kiali-v1.0.11.redhat1-1.el7.src.rpm	SHA-256: d980d55f31ddc5265b955bf40123425dff30c57660c808cfff78bc4e8f72aa88
x86_64
jaeger-v1.13.1.redhat7-1.el7.x86_64.rpm	SHA-256: 8ff98da1a86a30c750aef1e2fa96e36b26f65331559a96917a2d1aac929d1ad8
kiali-v1.0.11.redhat1-1.el7.x86_64.rpm	SHA-256: cc2bac6d9314c5e12a73a1ba948bacbbd48e5e98b6402b4e42833f4d4c78af19

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

Runtimes

Integration and Automation