Red Hat 9062 Published by

A Red Hat OpenShift Service Mesh 2.2.7 security update has been released.



[RHSA-2023:3645-01] Moderate: Red Hat OpenShift Service Mesh 2.2.7 security update


==================================================================== Red Hat Security Advisory

Synopsis: Moderate: Red Hat OpenShift Service Mesh 2.2.7 security update
Advisory ID: RHSA-2023:3645-01
Product: RHOSSM
Advisory URL: https://access.redhat.com/errata/RHSA-2023:3645
Issue date: 2023-06-15
CVE Names: CVE-2021-20329 CVE-2021-43138 CVE-2022-2880
CVE-2022-4304 CVE-2022-4450 CVE-2022-24999
CVE-2022-25858 CVE-2022-27664 CVE-2022-36227
CVE-2022-39229 CVE-2022-41715 CVE-2023-0215
CVE-2023-0286 CVE-2023-0361 CVE-2023-27535
====================================================================
1. Summary:

Red Hat OpenShift Service Mesh 2.2.7

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio
service mesh project, tailored for installation into an OpenShift Container
Platform installation.

This advisory covers the RPM packages for the release.

Security Fix(es):

* mongo-go-driver: specific cstrings input may not be properly validated
(CVE-2021-20329)
* async: Prototype Pollution in async (CVE-2021-43138)
* express: "qs" prototype poisoning causes the hang of the node process
(CVE-2022-24999)
* terser: insecure use of regular expressions leads to ReDoS
(CVE-2022-25858)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed ( https://bugzilla.redhat.com/):

1971033 - CVE-2021-20329 mongo-go-driver: specific cstrings input may not be properly validated
2126276 - CVE-2021-43138 async: Prototype Pollution in async
2126277 - CVE-2022-25858 terser: insecure use of regular expressions leads to ReDoS
2150323 - CVE-2022-24999 express: "qs" prototype poisoning causes the hang of the node process

5. JIRA issues fixed ( https://issues.redhat.com/):

OSSM-3596 - Port istio-cni fix for RHEL9 to maistra-2.2
OSSM-3720 - Port egress-gateway wrong network gateway endpoints fix in maistra-2.2
OSSM-3783 - operator can deadlock when istiod deployment fails [maistra-2.2]

6. References:

https://access.redhat.com/security/cve/CVE-2021-20329
https://access.redhat.com/security/cve/CVE-2021-43138
https://access.redhat.com/security/cve/CVE-2022-2880
https://access.redhat.com/security/cve/CVE-2022-4304
https://access.redhat.com/security/cve/CVE-2022-4450
https://access.redhat.com/security/cve/CVE-2022-24999
https://access.redhat.com/security/cve/CVE-2022-25858
https://access.redhat.com/security/cve/CVE-2022-27664
https://access.redhat.com/security/cve/CVE-2022-36227
https://access.redhat.com/security/cve/CVE-2022-39229
https://access.redhat.com/security/cve/CVE-2022-41715
https://access.redhat.com/security/cve/CVE-2023-0215
https://access.redhat.com/security/cve/CVE-2023-0286
https://access.redhat.com/security/cve/CVE-2023-0361
https://access.redhat.com/security/cve/CVE-2023-27535
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is [secalert@redhat.com]. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.

--