Red Hat Product Errata RHSA-2023:4623 - Security Advisory
Issued:
2023-08-11
Updated:
2023-08-11

RHSA-2023:4623 - Security Advisory

Synopsis

Important: Red Hat OpenShift Service Mesh 2.2.9 security update

Type/Severity

Security Advisory: Important

Topic

Red Hat OpenShift Service Mesh 2.2.9

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for installation into an OpenShift Container Platform installation.

Security Fix(es):

  • envoy: Client may fake the header `x-envoy-original-path` (CVE-2023-27487)
  • envoy: envoy doesn't escape HTTP header values (CVE-2023-27493)
  • envoy: gRPC client produces invalid protobuf when an HTTP header with non-UTF8 value is received (CVE-2023-27488)
  • envoy: Envoy forwards invalid HTTP/2 and HTTP/3 downstream (CVE-2023-27491)
  • envoy: Crash when a large request body is processed in Lua filter (CVE-2023-27492)
  • envoy: Crash when a redirect url without a state param is received in the oauth filter (CVE-2023-27496)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat OpenShift Service Mesh 2 for RHEL 8 x86_64
  • Red Hat OpenShift Service Mesh for Power 2 for RHEL 8 ppc64le
  • Red Hat OpenShift Service Mesh for IBM Z 2 for RHEL 8 s390x

Fixes

  • BZ - 2179135 - CVE-2023-27487 envoy: Client may fake the header `x-envoy-original-path`
  • BZ - 2179138 - CVE-2023-27491 envoy: Envoy forwards invalid HTTP/2 and HTTP/3 downstream
  • BZ - 2179139 - CVE-2023-27492 envoy: Crash when a large request body is processed in Lua filter
  • BZ - 2182155 - CVE-2023-27496 envoy: Crash when a redirect url without a state param is received in the oauth filter
  • BZ - 2182156 - CVE-2023-27488 envoy: gRPC client produces invalid protobuf when an HTTP header with non-UTF8 value is received
  • BZ - 2182158 - CVE-2023-27493 envoy: envoy doesn't escape HTTP header values

ppc64le

openshift-service-mesh/grafana-rhel8@sha256:c0c950e26be89b52508a2bf8fdf7df8efd18e58bba2c7ad35940c41cda4176fd
openshift-service-mesh/istio-cni-rhel8@sha256:a0fffc8c8255ebe52475124f72048d54109a92c7f9e1f4256d17c35204b846d9
openshift-service-mesh/istio-must-gather-rhel8@sha256:559ed9613b1ee4717890325c1fd05961756a45a9acd08e8036d2db6780b5dd8d
openshift-service-mesh/pilot-rhel8@sha256:51313956891391c4b756365ec2078c13ec9b72d6097d2907361808d478a6fb4c
openshift-service-mesh/prometheus-rhel8@sha256:5b872c6fe3c03528b9ca4bc9c56d5346b695c923f82f477b4574f604fa8f3673
openshift-service-mesh/proxyv2-rhel8@sha256:29246b072bb2829c8e86b41e7ecdf8e3845d64b9f87247cf81a6088a3d040d3c
openshift-service-mesh/ratelimit-rhel8@sha256:2deec3e58640d06553b6fa82efe9e3939d3ae76f99020a9e4840a4a0cc65c091

s390x

openshift-service-mesh/grafana-rhel8@sha256:492ab85f14b73f01e03521d6b3aab76a673d31c0032d4a63ae30aed0e1cf1ed8
openshift-service-mesh/istio-cni-rhel8@sha256:72792895a400d9e28f4e12737fc5eadd2d20943026c4c536cbd6508fc823f6a7
openshift-service-mesh/istio-must-gather-rhel8@sha256:0290aac66c0f89c9faf6c29fee940f8ec3f3c9a0e126307837f9b1cd37efe8c0
openshift-service-mesh/pilot-rhel8@sha256:1fac42f4073e9a296a0c16012c41a61f5a6ee0df8500515fbd33a694d29503e2
openshift-service-mesh/prometheus-rhel8@sha256:5da99f12e7e9ac6562f5480138366a11ed56e81af5bf2956b767357b3fd73e9f
openshift-service-mesh/proxyv2-rhel8@sha256:60036f920ef18e80ed97dadb25e4d6ae2e63f74e04c51e18badf22aae25a7f50
openshift-service-mesh/ratelimit-rhel8@sha256:58965678412910c9af83afe9f44efd37d8c99927def07fd429baa25b00919b61

x86_64

openshift-service-mesh/grafana-rhel8@sha256:1894163c4006a3c8e18cff16f1f8eaea524ab70baa657b4e5f248c6a5ba91353
openshift-service-mesh/istio-cni-rhel8@sha256:9820a5e2d80f2c9c69f4d829b63c78bcbfa75ab7b42d7722e13e76db9bd1ecda
openshift-service-mesh/istio-must-gather-rhel8@sha256:41bc79c9b2c3af157198b3ba094eea971d8b1f29707ccd40ae4b95e8ecd7774f
openshift-service-mesh/pilot-rhel8@sha256:357d027eb44c202d715f53a04246462ce3501646481577164b3735641d707e28
openshift-service-mesh/prometheus-rhel8@sha256:efbb8d27ec4cbd31194f00e47e4c8882651d41ea18eb544d6fae016a2395f8ea
openshift-service-mesh/proxyv2-rhel8@sha256:d8a8d11de42f5105b47b89bf715945825fa496d05aa1fcbcbd230bad2d31d59f
openshift-service-mesh/ratelimit-rhel8@sha256:66e212367c731d5e7d270778580658e86225a628dcc610a827517c8f18db352a

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.