RHSA-2023:3644 - Security Advisory

Topic

Red Hat OpenShift Service Mesh Containers for 2.4.0

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat OpenShift Service Mesh is the Red Hat distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation.

This advisory covers container images for the release.

Security Fix(es):

• golang: html/template: improper handling of JavaScript whitespace (CVE-2023-24540)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat OpenShift Service Mesh 2 for RHEL 8 x86_64
• Red Hat OpenShift Service Mesh for Power 2 for RHEL 8 ppc64le
• Red Hat OpenShift Service Mesh for IBM Z 2 for RHEL 8 s390x

Fixes

• BZ - 2196027 - CVE-2023-24540 golang: html/template: improper handling of JavaScript whitespace
• OSSM-2254 - Fix and deprecate IOR
• OSSM-3246 - Promote ClusterWide to GA
• OSSM-331 - Service Mesh IPv6 Single Stack Support
• OSSM-3870 - OSSM must-gather improvements
• OSSM-566 - Supported integration with OpenShift Monitoring and BYO Prometheus
• OSSM-568 - Integration with (external) cert-manager
• OSSM-1094 - Htpasswd secret created in control plane namespace is using SHA1
• OSSM-1667 - Remove deprecated cipher suites
• OSSM-2128 - Exclude some accessible namespaces in Kiali CR with some labelSelector
• OSSM-2215 - istio-cni-node never updates kubeconfig causing error adding container to network \"v2-0-istio-cni\": Unauthorized
• OSSM-2221 - Gateway injection does not work in control plane namespace
• OSSM-2274 - If two SMCPs exist in a namespace and you delete one, all child resources are deleted
• OSSM-2325 - Disable prometheus in the minimal example CR
• OSSM-2339 - Deprecated istio-operator API call in CNV
• OSSM-2420 - Pod locality controller fails to update pod
• OSSM-2436 - istio-operator reports as ready before it really is
• OSSM-3288 - Implement prometheus extension provider
• OSSM-3291 - Implement envoyExtAuthzHttp extension provider
• OSSM-3419 - Align OSSM 2.4 with latest upstream Istio 1.16.5 release
• OSSM-3747 - Duplicate env vars in egress gateway deployment
• OSSM-3784 - Bad ownerReference in k8s Gateway Deployment & Service
• OSSM-3802 - GA discoverySelectors (move out of techPreview.meshConfig)
• OSSM-3803 - Move extensionProviders to SMCP.spec.meshConfig.extensionProviders
• OSSM-3873 - [KIALI] Kiali ingress.host accepted in the SMCP but is not configured properly in Kiali CR
• OSSM-3934 - Prometheus and grafana not reachable from kiali
• OSSM-3986 - Kiali does not display all the data when SMCP is deployed with Cluster Wide mode
• OSSM-4037 - kiali operator base image bump
• OSSM-4069 - Kiali route is missing with 2.2 Control Plane in 2.4 Operator on OpenShift 4.13

CVEs

• CVE-2021-4235
• CVE-2022-1705
• CVE-2022-2795
• CVE-2022-2879
• CVE-2022-2880
• CVE-2022-2995
• CVE-2022-3162
• CVE-2022-3172
• CVE-2022-3204
• CVE-2022-3259
• CVE-2022-3466
• CVE-2022-27664
• CVE-2022-30631
• CVE-2022-32148
• CVE-2022-32189
• CVE-2022-32190
• CVE-2022-36227
• CVE-2022-39229
• CVE-2022-41715
• CVE-2023-24540
• CVE-2023-27535

References

• https://access.redhat.com/security/updates/classification/#important