Red Hat Product Errata RHSA-2025:1053 - Security Advisory
Issued:
2025-02-05
Updated:
2025-02-05

RHSA-2025:1053 - Security Advisory

Synopsis

Important: Red Hat OpenShift Service Mesh Containers for 2.6.5

Type/Severity

Security Advisory: Important

Topic

Red Hat OpenShift Service Mesh Containers for 2.6.5

This update has a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for installation into an OpenShift Container Platform installation.

Security Fix(es):

  • openshift-istio-proxyv2-rhel9-container: Non-linear parsing of case-insensitive content in golang.org/x/net/html (CVE-2024-45338)
  • openshift-istio-proxyv2-rhel9-container: HTTP/1: sending overload crashes when the request is reset beforehand in envoy (CVE-2024-53270)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat OpenShift Service Mesh 2 for RHEL 8 x86_64
  • Red Hat OpenShift Service Mesh for Power 2 for RHEL 8 ppc64le
  • Red Hat OpenShift Service Mesh for IBM Z 2 for RHEL 8 s390x
  • Red Hat OpenShift Service Mesh for ARM 64 2 aarch64

Fixes

  • BZ - 2333091 - CVE-2024-53270 envoy: HTTP/1: sending overload crashes when the request is reset beforehand in envoy
  • BZ - 2333122 - CVE-2024-45338 golang.org/x/net/html: Non-linear parsing of case-insensitive content in golang.org/x/net/html
  • OSSM-8608 - CNI installation leaves temporary files when the istio cni container is killed during copy binaries

aarch64

openshift-service-mesh/grafana-rhel8@sha256:2bffc415df35731fc8bf5e34f219af3361f04ade837a0550df518abf695ee46c
openshift-service-mesh/istio-cni-rhel8@sha256:99fda7d1da8ef52c571d9910cc721a3f02e3a116d3aaf6a81688c0f5540f82aa
openshift-service-mesh/istio-must-gather-rhel8@sha256:11e46e4f45b8ad08c456bdc62ffc03f5f165767ff6b1f99a3afed1568963e537
openshift-service-mesh/istio-rhel8-operator@sha256:1d4393b6f23aed8fa602ba5a7a84aac74b7f479329f421c437164d4d27140e0a
openshift-service-mesh/kiali-rhel8-operator@sha256:743e781d7bd11e87ea366cc163b043e63af3156ae952d4e6299122ac40aa9044
openshift-service-mesh/pilot-rhel8@sha256:3662eb6f48d73e10cf0ee60b1f9d04239ef1d3a34790f61b6ebce8c3df48c647
openshift-service-mesh/proxyv2-rhel9@sha256:0a683b2ba99f9ae04d00adc10ca10838a7419cc59680973b269dfb0460adb9e4
openshift-service-mesh/ratelimit-rhel8@sha256:c474ed1c8d85da0a4c34323952adae97de1a7013a70c88d537a85330d12f0f14

ppc64le

openshift-service-mesh/grafana-rhel8@sha256:4c75fe4eabbf82411c0740987cec2367ce084dda94ce28ba1d7ade3319aa5f8e
openshift-service-mesh/istio-cni-rhel8@sha256:f74c3fa5d45e3feb5564ac7398db5b890dfd66c4a53dda89365f801bab0dc321
openshift-service-mesh/istio-must-gather-rhel8@sha256:b3cd238cbf0f4bfbcd16bbda3db4bd08ce07c3138134a756274e82cea5f6f2ed
openshift-service-mesh/istio-rhel8-operator@sha256:17d7ce53ba602d5b57736d053d6addb9b8482ddf67ca9a8311939da4e8e572d7
openshift-service-mesh/kiali-rhel8-operator@sha256:45a73246c86ff695296ebf00995972fbbc2a6bf9b6280458282dbbf6de03217f
openshift-service-mesh/pilot-rhel8@sha256:e68637f9c9b6dbd757fcc4ed66a95c46db7e41e05f985d298fbd11ece4ba0faf
openshift-service-mesh/proxyv2-rhel9@sha256:1f964be7b9b9471ab45d556098d6e7286eb4aa66e0702ab0a0b9b6c5a07bc479
openshift-service-mesh/ratelimit-rhel8@sha256:ce883b511662d315086b71975d98c6caa9132ccae742340a3a0250ba427df6c0

s390x

openshift-service-mesh/grafana-rhel8@sha256:7aea9c6b666f46e667c707fe9a66eed6c00fae5c65e43e53c945ce2da851a5d4
openshift-service-mesh/istio-cni-rhel8@sha256:27143727b7647d7f4619b3e84f878661e3ec26bc950b2e9aaf4ec879703296f6
openshift-service-mesh/istio-must-gather-rhel8@sha256:9f17587bd624e2c4626868dba1684788a871432e79672ce6ac4c767e9daf467c
openshift-service-mesh/istio-rhel8-operator@sha256:8b5e77faa4e1ab8ce301e17542c83b9dfcc1a66d3017950cd8077a4f8b2dfd52
openshift-service-mesh/kiali-rhel8-operator@sha256:3d9688136c8717bbabc864cb76f32ad1157c124a8697de5de0e46fb108e2df69
openshift-service-mesh/pilot-rhel8@sha256:a73dac520994a16210c9ee453d94d866f891fdcad2e1aae65711001b2c4c1792
openshift-service-mesh/proxyv2-rhel9@sha256:09872d4af948c4c42d8bc659d9d16ad76217b92afbfabe8954772b82532328e7
openshift-service-mesh/ratelimit-rhel8@sha256:41eafde00a00e93dabfcd06233bbd98f3d356a847d340c15787be589c36fa626

x86_64

openshift-service-mesh/grafana-rhel8@sha256:38d3a3a54dba67b98bf1014d4c7f931f14ab6eb0d1bccbbb6024fca83213677a
openshift-service-mesh/istio-cni-rhel8@sha256:ccb928a71eb1d818ac9fde5dd320ef27eedb4d456e8f0feb544f54a5b8c6c446
openshift-service-mesh/istio-must-gather-rhel8@sha256:9b1d5bcb7b84f327a7a97a7d2274ae6e092e6851c43981de573e499a7e6ed4f8
openshift-service-mesh/istio-rhel8-operator@sha256:9901c1664f58699e647886558827ef5ab55435612ea1ddc3705f179a79b71dc8
openshift-service-mesh/kiali-rhel8-operator@sha256:ec6b91b982f44f02e0d648349ee9e3c754890b8c6b40aaf9ebfc08f473c6b142
openshift-service-mesh/pilot-rhel8@sha256:11ca93a83d46cac87819c0954275ff70fb2c0e6c7e405d318260d86811e976c9
openshift-service-mesh/proxyv2-rhel9@sha256:69f9f8cb19f4ef7d531b32e6cd824af3198aad5e01364e045676edd27147f83e
openshift-service-mesh/ratelimit-rhel8@sha256:24229a95c3bf9ee95d6ebe9f030e199dfbace10f62092f8c68211801783e3cf1

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.