Red Hat 9032 Published by

A Red Hat OpenShift Service Mesh 2.3.1 Containers security update has been released.



RHSA-2023:0542-01: Important: Red Hat OpenShift Service Mesh 2.3.1 Containers security update



=====================================================================
Red Hat Security Advisory

Synopsis: Important: Red Hat OpenShift Service Mesh 2.3.1 Containers security update
Advisory ID: RHSA-2023:0542-01
Product: RHOSSM
Advisory URL:   https://access.redhat.com/errata/RHSA-2023:0542
Issue date: 2023-01-30
CVE Names: CVE-2016-3709 CVE-2021-4238 CVE-2021-23648
CVE-2021-46848 CVE-2022-1304 CVE-2022-1705
CVE-2022-1962 CVE-2022-2879 CVE-2022-2880
CVE-2022-3515 CVE-2022-3962 CVE-2022-21673
CVE-2022-21698 CVE-2022-21702 CVE-2022-21703
CVE-2022-21713 CVE-2022-22624 CVE-2022-22628
CVE-2022-22629 CVE-2022-22662 CVE-2022-26700
CVE-2022-26709 CVE-2022-26710 CVE-2022-26716
CVE-2022-26717 CVE-2022-26719 CVE-2022-27664
CVE-2022-28131 CVE-2022-30293 CVE-2022-30630
CVE-2022-30631 CVE-2022-30632 CVE-2022-30633
CVE-2022-30635 CVE-2022-32148 CVE-2022-32189
CVE-2022-35737 CVE-2022-37434 CVE-2022-39278
CVE-2022-41715 CVE-2022-42010 CVE-2022-42011
CVE-2022-42012 CVE-2022-42898 CVE-2022-43680
=====================================================================

1. Summary:

Red Hat OpenShift Service Mesh 2.3.1 Containers

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Service Mesh is the Red Hat distribution of the Istio
service mesh project, tailored for installation into an on-premise
OpenShift Container Platform installation.

This advisory covers container images for the release.

Security Fix(es):

* goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as
random as they should be (CVE-2021-4238)
* golang: archive/tar: unbounded memory consumption when reading headers
(CVE-2022-2879)
* golang: net/http/httputil: ReverseProxy should not forward unparseable
query parameters (CVE-2022-2880)
* golang: net/http: handle server errors after sending GOAWAY
(CVE-2022-27664)
* Istio: Denial of service attack via a specially crafted message
(CVE-2022-39278)
* golang: regexp/syntax: limit memory used by parsing regexps
(CVE-2022-41715)
* kiali: error message spoofing in kiali UI (CVE-2022-3962)
* golang: math/big: decoding big.Float and big.Rat types can panic if the
encoded message is too short, potentially allowing a denial of service
(CVE-2022-32189)

For more details about security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, see the CVE page(s)
listed in the Container CVEs section.

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

  https://access.redhat.com/articles/11258

4. Bugs fixed (  https://bugzilla.redhat.com/):

2113814 - CVE-2022-32189 golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service
2124669 - CVE-2022-27664 golang: net/http: handle server errors after sending GOAWAY
2132867 - CVE-2022-2879 golang: archive/tar: unbounded memory consumption when reading headers
2132868 - CVE-2022-2880 golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters
2132872 - CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps
2148199 - CVE-2022-39278 Istio: Denial of service attack via a specially crafted message
2148661 - CVE-2022-3962 kiali: error message spoofing in kiali UI
2156729 - CVE-2021-4238 goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be

5. JIRA issues fixed (  https://issues.jboss.org/):

OSSM-1977 - Support for Istio Gateway API in Kiali
OSSM-2083 - Update maistra/istio 2.3 to Istio 1.14.5
OSSM-2147 - Unexpected validation message on Gateway object
OSSM-2169 - Member controller doesn't retry on conflict
OSSM-2170 - Member namespaces aren't cleaned up when a cluster-scoped SMMR is deleted
OSSM-2179 - Wasm plugins only support OCI images with 1 layer
OSSM-2184 - Istiod isn't allowed to delete analysis distribution report configmap
OSSM-2188 - Member namespaces not cleaned up when SMCP is deleted
OSSM-2189 - If multiple SMCPs exist in a namespace, the controller reconciles them all
OSSM-2190 - The memberroll controller reconciles SMMRs with invalid name
OSSM-2232 - The member controller reconciles ServiceMeshMember with invalid name
OSSM-2241 - Remove v2.0 from Create ServiceMeshControlPlane Form
OSSM-2251 - CVE-2022-3962 openshift-istio-kiali-container: kiali: content spoofing [ossm-2.3]
OSSM-2308 - add root CA certificates to kiali container
OSSM-2315 - be able to customize openshift auth timeouts
OSSM-2324 - Gateway injection does not work when pods are created by cluster admins
OSSM-2335 - Potential hang using Traces scatterplot chart
OSSM-2338 - Federation deployment does not need router mode sni-dnat
OSSM-2344 - Restarting istiod causes Kiali to flood CRI-O with port-forward requests
OSSM-2375 - Istiod should log member namespaces on every update
OSSM-2376 - ServiceMesh federation stops working after the restart of istiod pod
OSSM-535 - Support validationMessages in SMCP
OSSM-827 - ServiceMeshMembers point to wrong SMCP name

6. References:

  https://access.redhat.com/security/cve/CVE-2016-3709
  https://access.redhat.com/security/cve/CVE-2021-4238
  https://access.redhat.com/security/cve/CVE-2021-23648
  https://access.redhat.com/security/cve/CVE-2021-46848
  https://access.redhat.com/security/cve/CVE-2022-1304
  https://access.redhat.com/security/cve/CVE-2022-1705
  https://access.redhat.com/security/cve/CVE-2022-1962
  https://access.redhat.com/security/cve/CVE-2022-2879
  https://access.redhat.com/security/cve/CVE-2022-2880
  https://access.redhat.com/security/cve/CVE-2022-3515
  https://access.redhat.com/security/cve/CVE-2022-3962
  https://access.redhat.com/security/cve/CVE-2022-21673
  https://access.redhat.com/security/cve/CVE-2022-21698
  https://access.redhat.com/security/cve/CVE-2022-21702
  https://access.redhat.com/security/cve/CVE-2022-21703
  https://access.redhat.com/security/cve/CVE-2022-21713
  https://access.redhat.com/security/cve/CVE-2022-22624
  https://access.redhat.com/security/cve/CVE-2022-22628
  https://access.redhat.com/security/cve/CVE-2022-22629
  https://access.redhat.com/security/cve/CVE-2022-22662
  https://access.redhat.com/security/cve/CVE-2022-26700
  https://access.redhat.com/security/cve/CVE-2022-26709
  https://access.redhat.com/security/cve/CVE-2022-26710
  https://access.redhat.com/security/cve/CVE-2022-26716
  https://access.redhat.com/security/cve/CVE-2022-26717
  https://access.redhat.com/security/cve/CVE-2022-26719
  https://access.redhat.com/security/cve/CVE-2022-27664
  https://access.redhat.com/security/cve/CVE-2022-28131
  https://access.redhat.com/security/cve/CVE-2022-30293
  https://access.redhat.com/security/cve/CVE-2022-30630
  https://access.redhat.com/security/cve/CVE-2022-30631
  https://access.redhat.com/security/cve/CVE-2022-30632
  https://access.redhat.com/security/cve/CVE-2022-30633
  https://access.redhat.com/security/cve/CVE-2022-30635
  https://access.redhat.com/security/cve/CVE-2022-32148
  https://access.redhat.com/security/cve/CVE-2022-32189
  https://access.redhat.com/security/cve/CVE-2022-35737
  https://access.redhat.com/security/cve/CVE-2022-37434
  https://access.redhat.com/security/cve/CVE-2022-39278
  https://access.redhat.com/security/cve/CVE-2022-41715
  https://access.redhat.com/security/cve/CVE-2022-42010
  https://access.redhat.com/security/cve/CVE-2022-42011
  https://access.redhat.com/security/cve/CVE-2022-42012
  https://access.redhat.com/security/cve/CVE-2022-42898
  https://access.redhat.com/security/cve/CVE-2022-43680
  https://access.redhat.com/security/updates/classification/#important

7. Contact:

The Red Hat security contact is . More contact
details at   https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.