Red Hat Product Errata RHSA-2024:5094 - Security Advisory
Issued:
2024-08-07
Updated:
2024-08-07

RHSA-2024:5094 - Security Advisory

Synopsis

Moderate: Red Hat OpenShift Service Mesh Containers for 2.6.0 security update

Type/Severity

Security Advisory: Moderate

Topic

Red Hat OpenShift Service Mesh Containers for 2.6.0

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for installation into an OpenShift Container Platform installation.

Security Fix(es):

  • quic-go: memory exhaustion attack against QUIC's connection ID mechanism(CVE-2024-22189)
  • moby: cert signing bypass(CVE-2018-12608)
  • golang: archive/zip: Incorrect handling of certain ZIP files(CVE-2024-24789)
  • jose: resource exhaustion(CVE-2024-28176)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat OpenShift Service Mesh 2 for RHEL 8 x86_64
  • Red Hat OpenShift Service Mesh for Power 2 for RHEL 8 ppc64le
  • Red Hat OpenShift Service Mesh for IBM Z 2 for RHEL 8 s390x
  • Red Hat OpenShift Service Mesh for ARM 64 2 aarch64

Fixes

  • BZ - 2268820 - CVE-2024-28176 jose: resource exhaustion
  • BZ - 2273513 - CVE-2024-22189 quic-go: memory exhaustion attack against QUIC's connection ID mechanism
  • BZ - 2275812 - CVE-2018-12608 moby: cert signing bypass
  • BZ - 2292668 - CVE-2024-24789 golang: archive/zip: Incorrect handling of certain ZIP files
  • OSSM-2101 - Delete istio-cni-node DaemonSet when last SMCP is deleted
  • OSSM-5687 - Rebase maistra/istio to upstream 1.20
  • OSSM-5854 - Istio Gateway API GA
  • OSSM-6009 - Request for fetch traces is timeouted after 30s even though I set a higher timeout in external_services.tracing.query_timeout
  • OSSM-6296 - Make OTEL + Tempo default tracing integration for service mesh
  • OSSM-6336 - Resolve the istio-cni conflict
  • OSSM-6391 - 2.6 Disable the OSSM operator's Jaeger and ES installation by default
  • OSSM-6682 - Istiod error on startup
  • OSSM-6693 - Enable Gateway API by default in cluster-wide mode
  • OSSM-6699 - Fix failures of IPv6 cluster installation
  • OSSM-6700 - Bad URL in rest_client_request_latency_seconds metrics
  • OSSM-6703 - Remove metrics port 8686 because it always serves empty metrics
  • OSSM-6762 - Move webhook management from the operator to OLM
  • OSSM-6769 - CNI config is initialized twice
  • OSSM-6774 - Ensure that metrics don't require a separate kube & discovery client
  • OSSM-6777 - Update certmanageroperator to get version dynamicly
  • OSSM-6781 - General error message 'tls: handshake failure' when revoked certificate is used

aarch64

openshift-service-mesh/grafana-rhel8@sha256:a312eee18c620e4b7c19258d2619b732a4fdf48320a04d8e216a018b99e046d7
openshift-service-mesh/istio-cni-rhel8@sha256:49542fec00ff65d1d4d27849c67468fb5d0b1314f7a9010d67c0dbbf55c1306b
openshift-service-mesh/istio-must-gather-rhel8@sha256:6327e0c83d4f21f33053bdc92a8091cfd7a53f272f57f3fa8e045611229f98ba
openshift-service-mesh/istio-rhel8-operator@sha256:c0341aec6013018cc7f97d4a9ac1ea4537a7fee8dbe473958ceab0f67e8bc502
openshift-service-mesh/kiali-ossmc-rhel8@sha256:392e140789a39e10526de2cae19316759ff36c954c7b0e8d88fac91556be3bf0
openshift-service-mesh/kiali-rhel8@sha256:c0bb751d102763412fc936fb3b69a45e477bc2c0aa71b5f6fa5c0f69a94d8767
openshift-service-mesh/kiali-rhel8-operator@sha256:5f070c96656b4e01a691caa916dcf81fb34c153d192d26acec7c08cc7f9d6fda
openshift-service-mesh/pilot-rhel8@sha256:df0b0c0364bbe30220bd92c24ba41c54d4b871503e6b4ccdc8b7991031830637
openshift-service-mesh/proxyv2-rhel9@sha256:823118b612b0bfc3c10d1ad07d65236a8e21d703e64a09c5bdc9377fc0e7cf47
openshift-service-mesh/ratelimit-rhel8@sha256:911f2c0b5159f6c13c6f4dc958ac66e987cab2b091f55e75b998d95cc1ae3e72

ppc64le

openshift-service-mesh/grafana-rhel8@sha256:677746a7132573b2b40658fad4801cbe3d0381079f2d6cd7ee508318d75e6ad0
openshift-service-mesh/istio-cni-rhel8@sha256:7d8a4815dee1f4e109876d47184b669e81dc22421b602f2beef48588f414743e
openshift-service-mesh/istio-must-gather-rhel8@sha256:0172d2aefc611c66c1ceac5acbe771b0109944024ccaa1534a992c154cc70186
openshift-service-mesh/istio-rhel8-operator@sha256:28a794322e00582e5d74c3a7e0934735652d09ae83ac59f925434a8e2f32ca81
openshift-service-mesh/kiali-ossmc-rhel8@sha256:86b5406c483065ae2085721e6069f36767d6dc512d8f885ac02660955fb5fbed
openshift-service-mesh/kiali-rhel8@sha256:4f581fd9388ba9256a34b85296a8f3728826804bd9f59fe0f8832d91c3ecc8ae
openshift-service-mesh/kiali-rhel8-operator@sha256:09d04d86a4e646d6e45e57893d383432fa966ac536e460ff6fdd375c939d96ca
openshift-service-mesh/pilot-rhel8@sha256:6c6842b5ba5d85e3d9990ae73754499863ed648c9b7efa9c75ab7936093d6c06
openshift-service-mesh/proxyv2-rhel9@sha256:8355c8f725d3713be992545bc8396582be6d792bec620b95bc5cd5475436a903
openshift-service-mesh/ratelimit-rhel8@sha256:0ab18d9cc3d927e162c25e895bb5d55a970b5906f83c95f0759b659a2a2d45c2

s390x

openshift-service-mesh/grafana-rhel8@sha256:4f73fc9525b461cb31c7f76a776b3ba6d586de87e763f3dace8edea1031d2dd8
openshift-service-mesh/istio-cni-rhel8@sha256:407b37dd42635c1d11de7cca69e620c140416a401c1a608d5e8f06a18ff51374
openshift-service-mesh/istio-must-gather-rhel8@sha256:dbbcfdcdd4b7dca0363140675ccbf5a7e17cf6671e9c7d0858309eaa9e3e35bb
openshift-service-mesh/istio-rhel8-operator@sha256:abf18be2515f0e0bdf54c29e96c517043e23a248b84b72a7c77fb6627535435a
openshift-service-mesh/kiali-ossmc-rhel8@sha256:084b7af79fce2ccd8e9291054e727cd536b2e8d0392d6fae41070acc640dda7d
openshift-service-mesh/kiali-rhel8@sha256:4d0c6c49b2c660d5ed04273cfcd5e01444c7c479432c374ecbcb4b99334b2ac9
openshift-service-mesh/kiali-rhel8-operator@sha256:cdf3a7e2f5e76c59d9b3228daeabce86478693f7311ff44db0b0bbe41d9cc310
openshift-service-mesh/pilot-rhel8@sha256:099a9a6e6ecc221ce47fe8da358fb90caf1de22cc90353adbd2f4073e3a8c962
openshift-service-mesh/proxyv2-rhel9@sha256:7672a4b3475e71674897eb4c2d47c84bd7151ff71716d19dd29d8e140bc7b2ec
openshift-service-mesh/ratelimit-rhel8@sha256:f4d5e0ab476f92e9985e86c0a6200f82e60972df12976c2ca64ff596c8e84bd0

x86_64

openshift-service-mesh/grafana-rhel8@sha256:fcbba8962e1f5fa864c073f86467468d732a6edc9fc78cbeb6050a35beced88e
openshift-service-mesh/istio-cni-rhel8@sha256:81b661df0703a3d7cddfce3be55b12aa297164177990b263f4b584bf9de948c7
openshift-service-mesh/istio-must-gather-rhel8@sha256:293ef0eb34e035a972f5a45b87970cecc7942c6bee6da68c4d1f3ba2bd1e92d4
openshift-service-mesh/istio-rhel8-operator@sha256:7bbef82965d81bd768d915a1bcc220c7fb21c321e2ffb861eb628c81eeb8e000
openshift-service-mesh/kiali-ossmc-rhel8@sha256:b55b09211c8e5857060baca392be5534a3707d0a876ceb76939908b271163cc0
openshift-service-mesh/kiali-rhel8@sha256:4e512e8195d93a887d411bf23da9602cdbfb46a0aa9b15292f500cf2eda284e6
openshift-service-mesh/kiali-rhel8-operator@sha256:7dd97c5e5b1c3502c52352decbe48b0f0998e59604da618dbb2689f8a9a86cf1
openshift-service-mesh/pilot-rhel8@sha256:221bf107c93e183a093dc13a41d2e2d907e97c1a74242bf7bfefae2c1436f02c
openshift-service-mesh/proxyv2-rhel9@sha256:f280ea9888acab2a2aee6fece6a99257b6b0a2093a042b958382684d1f590334
openshift-service-mesh/ratelimit-rhel8@sha256:563b8f4b130657936b077139d86d648e6c65d68cf51bbcf09f3f2790db23cfd8

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.