Red Hat Product Errata RHSA-2023:4624 - Security Advisory
Issued:
2023-08-11
Updated:
2023-08-11

RHSA-2023:4624 - Security Advisory

Synopsis

Important: Red Hat OpenShift Service Mesh Containers for 2.3.6 security update

Type/Severity

Security Advisory: Important

Topic

Red Hat OpenShift Service Mesh 2.3.6 Containers

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation.

Security Fix(es):

  • envoy: OAuth2 credentials exploit with permanent validity (CVE-2023-35941)
  • envoy: Incorrect handling of HTTP requests and responses with mixed case schemes (CVE-2023-35944)
  • envoy: HTTP/2 memory leak in nghttp2 codec (CVE-2023-35945)
  • envoy: gRPC access log crash caused by the listener draining (CVE-2023-35942)
  • envoy: CORS filter segfault when origin header is removed (CVE-2023-35943)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat OpenShift Service Mesh 2 for RHEL 8 x86_64
  • Red Hat OpenShift Service Mesh for Power 2 for RHEL 8 ppc64le
  • Red Hat OpenShift Service Mesh for IBM Z 2 for RHEL 8 s390x

Fixes

  • BZ - 2217977 - CVE-2023-35941 envoy: OAuth2 credentials exploit with permanent validity
  • BZ - 2217978 - CVE-2023-35942 envoy: gRPC access log crash caused by the listener draining
  • BZ - 2217983 - CVE-2023-35945 envoy: HTTP/2 memory leak in nghttp2 codec
  • BZ - 2217985 - CVE-2023-35944 envoy: Incorrect handling of HTTP requests and responses with mixed case schemes
  • BZ - 2217987 - CVE-2023-35943 envoy: CORS filter segfault when origin header is removed

ppc64le

openshift-service-mesh/grafana-rhel8@sha256:8aa19f37aef2ed95793a6c6940146c8b67fbbbbad1a219775dc917358de97c61
openshift-service-mesh/istio-cni-rhel8@sha256:674726fb44c3eb46b7549964e82da3d6e8969659f72a80ff46bee2736af60eb6
openshift-service-mesh/istio-must-gather-rhel8@sha256:3fc6b5a00fbc1716e0dc7b958b232135979e17184f662d8b30aba68246380c6a
openshift-service-mesh/pilot-rhel8@sha256:572cb5d7bfcbe827371d715039aa795a234089ad84e87c874c27b4c8368fd414
openshift-service-mesh/prometheus-rhel8@sha256:dd4934b72d644f9317465b6c45b137b93123dc50447daedca9a410f11b292132
openshift-service-mesh/proxyv2-rhel8@sha256:d9c2a461fb3de8c30e1fd06924fafe03fd1d0e19ed5cf2e0cb848a1116752cf1
openshift-service-mesh/ratelimit-rhel8@sha256:16222b72f4ae305ca2128ecc7d19d568b6c7edaa32b55e9759a563b2b0ae3000

s390x

openshift-service-mesh/grafana-rhel8@sha256:0034a052544d5205b81f064361ed8f1213bed6dc868a607a14cb7f1f803c6213
openshift-service-mesh/istio-cni-rhel8@sha256:aa6b03b229bb55aade074a59199f25dd26b6d596bf65683fdfb1adfd33d6a1cc
openshift-service-mesh/istio-must-gather-rhel8@sha256:aa41a543ce10b9d932178894d74ecd3c62c09db6c729affef3d165eef797e873
openshift-service-mesh/pilot-rhel8@sha256:e1e2634d0b71ee373d1caa3db8ecd80833847894f3a182ac9a51ffb615a7ea85
openshift-service-mesh/prometheus-rhel8@sha256:787962d7a65f62af1f85e2e5d822f3db40093af32fd03ebd0e2cec248d399eb4
openshift-service-mesh/proxyv2-rhel8@sha256:e36f4a2d5c66515519aa7158a31f07c8ba376553654d2f71d6f2601106c90095
openshift-service-mesh/ratelimit-rhel8@sha256:fbc19a6d4a1cb052b7944f0b4537f1ce2716f4c81bc6b5866920f8d62be69290

x86_64

openshift-service-mesh/grafana-rhel8@sha256:731d23d6a6e226a68463beaa956065341537b0f4b2bf2fe0b14c1aff4cd1b45e
openshift-service-mesh/istio-cni-rhel8@sha256:279bc4504c13e65be3a16731dcb042b9fe10f937fffc9f0fcfd8bfd5e3d4717b
openshift-service-mesh/istio-must-gather-rhel8@sha256:5a91228a6ae101204f87d86d6152e3719de2067e0a04e19984ea379e969ae827
openshift-service-mesh/pilot-rhel8@sha256:e5d923926234b1b1d22a93addce28a2656407932af0391a4d03c739d423aa109
openshift-service-mesh/prometheus-rhel8@sha256:28eed3d9554d7424a55a9d8425acc098c56e46ce7754c32f0c6b3993a3400248
openshift-service-mesh/proxyv2-rhel8@sha256:826302993a08f1b7b9d05b17d9a7e71792d2c1adaa8002c59aa8ecbca523d86e
openshift-service-mesh/ratelimit-rhel8@sha256:93f927c7fcf4138b6c5ba976d971f50b88f8e46bc819017763014748394bd786

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.