Red Hat Product Errata RHSA-2023:5174 - Security Advisory
Issued:
2023-09-14
Updated:
2023-09-14

RHSA-2023:5174 - Security Advisory

Synopsis

Moderate: Red Hat OpenShift Service Mesh Containers for 2.4.3 security update

Type/Severity

Security Advisory: Moderate

Topic

Red Hat OpenShift Service Mesh Containers for 2.4.3

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat OpenShift Service Mesh is the Red Hat distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation.

This advisory covers container images for the release.

Security Fix(es):

  • envoy: gRPC access log crash caused by the listener draining (CVE-2023-35942)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat OpenShift Service Mesh 2 for RHEL 8 x86_64
  • Red Hat OpenShift Service Mesh for Power 2 for RHEL 8 ppc64le
  • Red Hat OpenShift Service Mesh for IBM Z 2 for RHEL 8 s390x
  • Red Hat OpenShift Service Mesh for ARM 64 2 aarch64

Fixes

  • BZ - 2217978 - CVE-2023-35942 envoy: gRPC access log crash caused by the listener draining
  • OSSM-1182 - Deliver ARM images for OSSM Operator for Developer Preview
  • OSSM-3508 - Ensure Cluster Ingress Operator can create cluster-wide SMCP
  • OSSM-3979 - Implement envoyExtAuthzGrpc extension provider
  • OSSM-4247 - Service details of ServiceEntry fails
  • OSSM-4461 - Add FIPS annotation setting to kiali operator metadata
  • OSSM-4559 - Panic in conversion of extensionProviders.envoyExtAuthzHttp
  • OSSM-4627 - Add option to disable the GatewayClass controller
  • OSSM-4705 - Removing subset in config - Fails to save
  • OSSM-4491 - Add missing configuration options to meshConfig.extensionProviders.envoyExtAuthzHttp

aarch64

openshift-service-mesh/grafana-rhel8@sha256:6bc7fe98083324fb541ad4b02866ffee094721fc51ea0410041902ca1d8fc010
openshift-service-mesh/istio-cni-rhel8@sha256:b033af42b9c4b0c688f7af4fa98d57e2f66f973ab8627c08527eae8f9c58f892
openshift-service-mesh/istio-must-gather-rhel8@sha256:1a7d34f4ae3c3629c1840491379145fa0553f53c4d1dcdcbaceaf3c536d815b6
openshift-service-mesh/istio-rhel8-operator@sha256:72b732762519ad5ec504166b58a15dc5974f6250fc565f16dce98e3c9dfa0f3a
openshift-service-mesh/kiali-rhel8@sha256:93e94afa56baa1c81b81d935e62fd0c568d65a3ed5130e1d8ddf265d93c906d7
openshift-service-mesh/kiali-rhel8-operator@sha256:b01d3ef882f26764a5cfd2375bbe3e42778ca80158264e4e45297ebe0adedeb7
openshift-service-mesh/pilot-rhel8@sha256:0b5dbe4ac53ef0a926d2f8438fdd64e148585974a9d436e78cdb7615211e8a0c
openshift-service-mesh/proxyv2-rhel8@sha256:356a674c259edaa6c8699e1459c168cb97d2b400b633993818abed80f78cb455
openshift-service-mesh/ratelimit-rhel8@sha256:3a75674bd2adf66e1aae0461c0c89681b453dc6b5fa4496f090252cee2300136

ppc64le

openshift-service-mesh/grafana-rhel8@sha256:6def5c25ebf96a413a8b39a1f89525c9285c47015c33937c05f17da4751d7053
openshift-service-mesh/istio-cni-rhel8@sha256:c20e558ab91554c579178f9088f7a691acb557b2fc7528cf8e0768852c57e5b4
openshift-service-mesh/istio-must-gather-rhel8@sha256:3b89915f208b61fdc8630e3ad54050a60576b40331eac8d88fe432aa5f667021
openshift-service-mesh/istio-rhel8-operator@sha256:77c14339c06bf33f56cb7a33a1812186b3c025c6234d8574f8eafb0b9dee7072
openshift-service-mesh/kiali-rhel8@sha256:d15b49cef4c2b96beec787e6a122cbbf567280cc37c30c6953f19a9e962b52c9
openshift-service-mesh/kiali-rhel8-operator@sha256:fa63641d22e2701dd06a96e09479e8d313df8d479bc1bbdbd230851eed47717a
openshift-service-mesh/pilot-rhel8@sha256:4c2e2efc201a2cdc167071e6001c52404ae15ced1b777cb1462c79c6b1cda0bd
openshift-service-mesh/proxyv2-rhel8@sha256:c13a1e17ed0549f7ce739f789821ff793a61e2d23b697fb4a956dd08102be9bd
openshift-service-mesh/ratelimit-rhel8@sha256:12a1e1ef1210f3cd50f0c82a0ce02101c188edde8e713d0dde88ea6f1396b479

s390x

openshift-service-mesh/grafana-rhel8@sha256:1d0373ca090a91b1a26add051c668b4db7986db066ba36f792b94731d9d63a22
openshift-service-mesh/istio-cni-rhel8@sha256:15400b87ddb1e5c33554278802d57b8422aa88de29a3c64aa9b4452d450a87a6
openshift-service-mesh/istio-must-gather-rhel8@sha256:c9291488f6c8d374af2bd4b144ded86507e0c89c0f41be47206d9565f670db12
openshift-service-mesh/istio-rhel8-operator@sha256:fed31e6b657f93e080acc90fd05c5bcaf79170eecfd0fd35a7396a6d679866f6
openshift-service-mesh/kiali-rhel8@sha256:956e949073b90ed152c8041380bd3c9fdc3865c593f25fb063cf7afa763e51d8
openshift-service-mesh/kiali-rhel8-operator@sha256:047d78c2e420a442611554fd22684bd1138c2599817741323773e314c43008dc
openshift-service-mesh/pilot-rhel8@sha256:88e4a906a7337289043e01fc6fcbc68de65fabf2ccbe10aa166fda3488847c4d
openshift-service-mesh/proxyv2-rhel8@sha256:45c30dca9e3f5687a3f333d29daacc8548f3f733981bc17f58c1411d844991ec
openshift-service-mesh/ratelimit-rhel8@sha256:ce5904e6563fef477ed2d7fd8fb5d98843ed3304d5bfb0a898ca1e8553aa7516

x86_64

openshift-service-mesh/grafana-rhel8@sha256:f039122ba1713d257d600c686fc1ab0989eeb8cdff81a3f0cb4b3c07c9f68864
openshift-service-mesh/istio-cni-rhel8@sha256:2fa3223cd2ce127dcf1f2f374647671e88b0648420e03f68c2bc93103020e50b
openshift-service-mesh/istio-must-gather-rhel8@sha256:e14e1b3d5cf1dec91ee2621c2e1b80401c30d349434bd26fb8a276cc0224942e
openshift-service-mesh/istio-rhel8-operator@sha256:036cf16e38c98408aa8de30da0dbc159902a9e12c5a7463707436e2fd94e6215
openshift-service-mesh/kiali-rhel8@sha256:a9d8d6b1475eb8ab1aa61d7a76ec05ddccf3f6e0e511d22a3fba308eaf5a7504
openshift-service-mesh/kiali-rhel8-operator@sha256:6c4fbfe75338e0715d02ba69388ad8c492807962222ff0e8d9ca9ebb9b7fc214
openshift-service-mesh/pilot-rhel8@sha256:b75907822356c05807fa0939775c74b428cf995b03f04bb298b143ddcadffc28
openshift-service-mesh/proxyv2-rhel8@sha256:be864a665faeb9f907667061792a91ba196ca38bbc634e225a04ad1da0e243c5
openshift-service-mesh/ratelimit-rhel8@sha256:495eb5b0225e22d9ce2c8b71584513b0c1323ec208d2022735aac6d6397a68ad

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.