- Issued:
- 2023-08-11
- Updated:
- 2023-08-11
RHSA-2023:4623 - Security Advisory
Synopsis
Important: Red Hat OpenShift Service Mesh 2.2.9 security update
Type/Severity
Security Advisory: Important
Topic
Red Hat OpenShift Service Mesh 2.2.9
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for installation into an OpenShift Container Platform installation.
Security Fix(es):
- envoy: Client may fake the header `x-envoy-original-path` (CVE-2023-27487)
- envoy: envoy doesn't escape HTTP header values (CVE-2023-27493)
- envoy: gRPC client produces invalid protobuf when an HTTP header with non-UTF8 value is received (CVE-2023-27488)
- envoy: Envoy forwards invalid HTTP/2 and HTTP/3 downstream (CVE-2023-27491)
- envoy: Crash when a large request body is processed in Lua filter (CVE-2023-27492)
- envoy: Crash when a redirect url without a state param is received in the oauth filter (CVE-2023-27496)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Solution
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
Affected Products
- Red Hat OpenShift Service Mesh 2 for RHEL 8 x86_64
- Red Hat OpenShift Service Mesh for Power 2 for RHEL 8 ppc64le
- Red Hat OpenShift Service Mesh for IBM Z 2 for RHEL 8 s390x
Fixes
- BZ - 2179135 - CVE-2023-27487 envoy: Client may fake the header `x-envoy-original-path`
- BZ - 2179138 - CVE-2023-27491 envoy: Envoy forwards invalid HTTP/2 and HTTP/3 downstream
- BZ - 2179139 - CVE-2023-27492 envoy: Crash when a large request body is processed in Lua filter
- BZ - 2182155 - CVE-2023-27496 envoy: Crash when a redirect url without a state param is received in the oauth filter
- BZ - 2182156 - CVE-2023-27488 envoy: gRPC client produces invalid protobuf when an HTTP header with non-UTF8 value is received
- BZ - 2182158 - CVE-2023-27493 envoy: envoy doesn't escape HTTP header values
ppc64le
openshift-service-mesh/grafana-rhel8@sha256:c0c950e26be89b52508a2bf8fdf7df8efd18e58bba2c7ad35940c41cda4176fd |
openshift-service-mesh/istio-cni-rhel8@sha256:a0fffc8c8255ebe52475124f72048d54109a92c7f9e1f4256d17c35204b846d9 |
openshift-service-mesh/istio-must-gather-rhel8@sha256:559ed9613b1ee4717890325c1fd05961756a45a9acd08e8036d2db6780b5dd8d |
openshift-service-mesh/pilot-rhel8@sha256:51313956891391c4b756365ec2078c13ec9b72d6097d2907361808d478a6fb4c |
openshift-service-mesh/prometheus-rhel8@sha256:5b872c6fe3c03528b9ca4bc9c56d5346b695c923f82f477b4574f604fa8f3673 |
openshift-service-mesh/proxyv2-rhel8@sha256:29246b072bb2829c8e86b41e7ecdf8e3845d64b9f87247cf81a6088a3d040d3c |
openshift-service-mesh/ratelimit-rhel8@sha256:2deec3e58640d06553b6fa82efe9e3939d3ae76f99020a9e4840a4a0cc65c091 |
s390x
openshift-service-mesh/grafana-rhel8@sha256:492ab85f14b73f01e03521d6b3aab76a673d31c0032d4a63ae30aed0e1cf1ed8 |
openshift-service-mesh/istio-cni-rhel8@sha256:72792895a400d9e28f4e12737fc5eadd2d20943026c4c536cbd6508fc823f6a7 |
openshift-service-mesh/istio-must-gather-rhel8@sha256:0290aac66c0f89c9faf6c29fee940f8ec3f3c9a0e126307837f9b1cd37efe8c0 |
openshift-service-mesh/pilot-rhel8@sha256:1fac42f4073e9a296a0c16012c41a61f5a6ee0df8500515fbd33a694d29503e2 |
openshift-service-mesh/prometheus-rhel8@sha256:5da99f12e7e9ac6562f5480138366a11ed56e81af5bf2956b767357b3fd73e9f |
openshift-service-mesh/proxyv2-rhel8@sha256:60036f920ef18e80ed97dadb25e4d6ae2e63f74e04c51e18badf22aae25a7f50 |
openshift-service-mesh/ratelimit-rhel8@sha256:58965678412910c9af83afe9f44efd37d8c99927def07fd429baa25b00919b61 |
x86_64
openshift-service-mesh/grafana-rhel8@sha256:1894163c4006a3c8e18cff16f1f8eaea524ab70baa657b4e5f248c6a5ba91353 |
openshift-service-mesh/istio-cni-rhel8@sha256:9820a5e2d80f2c9c69f4d829b63c78bcbfa75ab7b42d7722e13e76db9bd1ecda |
openshift-service-mesh/istio-must-gather-rhel8@sha256:41bc79c9b2c3af157198b3ba094eea971d8b1f29707ccd40ae4b95e8ecd7774f |
openshift-service-mesh/pilot-rhel8@sha256:357d027eb44c202d715f53a04246462ce3501646481577164b3735641d707e28 |
openshift-service-mesh/prometheus-rhel8@sha256:efbb8d27ec4cbd31194f00e47e4c8882651d41ea18eb544d6fae016a2395f8ea |
openshift-service-mesh/proxyv2-rhel8@sha256:d8a8d11de42f5105b47b89bf715945825fa496d05aa1fcbcbd230bad2d31d59f |
openshift-service-mesh/ratelimit-rhel8@sha256:66e212367c731d5e7d270778580658e86225a628dcc610a827517c8f18db352a |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.