RHSA-2022:1275: Important: Red Hat OpenShift Service Mesh 2.1.2 security update
First published: Thu Apr 07 2022(Updated: )
Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service<br>mesh project, tailored for installation into an on-premise OpenShift Container<br>Platform installation.<br>This advisory covers the RPM packages for the release.<br>Security Fix(es):<br><li> envoy: Incorrect configuration handling allows mTLS session re-use without re-validation (CVE-2022-21654)</li> <li> envoy: Incorrect handling of internal redirects to routes with a direct response entry (CVE-2022-21655)</li> <li> istio: Unauthenticated control plane denial of service attack due to stack exhaustion (CVE-2022-24726)</li> <li> envoy: Null pointer dereference when using JWT filter safe_regex match (CVE-2021-43824)</li> <li> envoy: Use-after-free when response filters increase response data (CVE-2021-43825)</li> <li> envoy: Use-after-free when tunneling TCP over HTTP (CVE-2021-43826)</li> <li> envoy: Stack exhaustion when a cluster is deleted via Cluster Discovery Service (CVE-2022-23606)</li> <li> istio: unauthenticated control plane denial of service attack (CVE-2022-23635)</li> For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/servicemesh | <2.1.2-4.el8 | 2.1.2-4.el8 |
| redhat/servicemesh-operator | <2.1.2-4.el8 | 2.1.2-4.el8 |
| redhat/servicemesh-prometheus | <2.23.0-5.el8 | 2.23.0-5.el8 |
| redhat/servicemesh-proxy | <2.1.2-4.el8 | 2.1.2-4.el8 |
| redhat/servicemesh-ratelimit | <2.1.2-4.el8 | 2.1.2-4.el8 |
| redhat/servicemesh | <2.1.2-4.el8 | 2.1.2-4.el8 |
| redhat/servicemesh-cni | <2.1.2-4.el8 | 2.1.2-4.el8 |
| redhat/servicemesh-operator | <2.1.2-4.el8 | 2.1.2-4.el8 |
| redhat/servicemesh-pilot-agent | <2.1.2-4.el8 | 2.1.2-4.el8 |
| redhat/servicemesh-pilot-discovery | <2.1.2-4.el8 | 2.1.2-4.el8 |
| redhat/servicemesh-prometheus | <2.23.0-5.el8 | 2.23.0-5.el8 |
| redhat/servicemesh-proxy | <2.1.2-4.el8 | 2.1.2-4.el8 |
| redhat/servicemesh-proxy-debuginfo | <2.1.2-4.el8 | 2.1.2-4.el8 |
| redhat/servicemesh-proxy-debugsource | <2.1.2-4.el8 | 2.1.2-4.el8 |
| redhat/servicemesh-proxy-wasm | <2.1.2-4.el8 | 2.1.2-4.el8 |
| redhat/servicemesh-ratelimit | <2.1.2-4.el8 | 2.1.2-4.el8 |
| redhat/servicemesh | <2.1.2-4.el8 | 2.1.2-4.el8 |
| redhat/servicemesh-cni | <2.1.2-4.el8 | 2.1.2-4.el8 |
| redhat/servicemesh-operator | <2.1.2-4.el8 | 2.1.2-4.el8 |
| redhat/servicemesh-pilot-agent | <2.1.2-4.el8 | 2.1.2-4.el8 |
| redhat/servicemesh-pilot-discovery | <2.1.2-4.el8 | 2.1.2-4.el8 |
| redhat/servicemesh-prometheus | <2.23.0-5.el8 | 2.23.0-5.el8 |
| redhat/servicemesh-proxy | <2.1.2-4.el8 | 2.1.2-4.el8 |
| redhat/servicemesh-proxy-debuginfo | <2.1.2-4.el8 | 2.1.2-4.el8 |
| redhat/servicemesh-proxy-debugsource | <2.1.2-4.el8 | 2.1.2-4.el8 |
| redhat/servicemesh-ratelimit | <2.1.2-4.el8 | 2.1.2-4.el8 |
| redhat/servicemesh-cni | <2.1.2-4.el8 | 2.1.2-4.el8 |
| redhat/servicemesh-pilot-agent | <2.1.2-4.el8 | 2.1.2-4.el8 |
| redhat/servicemesh-pilot-discovery | <2.1.2-4.el8 | 2.1.2-4.el8 |
| redhat/servicemesh-proxy-debuginfo | <2.1.2-4.el8 | 2.1.2-4.el8 |
| redhat/servicemesh-proxy-debugsource | <2.1.2-4.el8 | 2.1.2-4.el8 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi?id=2050744
- https://bugzilla.redhat.com/show_bug.cgi?id=2050746
- https://bugzilla.redhat.com/show_bug.cgi?id=2050748
- https://bugzilla.redhat.com/show_bug.cgi?id=2050753
- https://bugzilla.redhat.com/show_bug.cgi?id=2050757
- https://bugzilla.redhat.com/show_bug.cgi?id=2050758
- https://bugzilla.redhat.com/show_bug.cgi?id=2057277
- https://bugzilla.redhat.com/show_bug.cgi?id=2061638
- https://issues.redhat.com/browse/OSSM-1074
- https://issues.redhat.com/browse/OSSM-1234
- https://issues.redhat.com/browse/OSSM-303
- https://access.redhat.com/security/updates/classification/#important
- https://access.redhat.com/errata/RHSA-2022:1275 (Advisory)
Frequently Asked Questions
What is the severity of RHSA-2022:1275?
RHSA-2022:1275 has a severity rating that requires attention due to identified security vulnerabilities.
How do I fix RHSA-2022:1275?
To fix RHSA-2022:1275, you need to update the affected packages to versions 2.1.2-4.el8 or 2.23.0-5.el8 as specified in the advisory.
Which packages are affected by RHSA-2022:1275?
The affected packages include servicemesh, servicemesh-operator, servicemesh-prometheus, servicemesh-proxy, and servicemesh-ratelimit.
What vulnerabilities does RHSA-2022:1275 address?
RHSA-2022:1275 addresses multiple vulnerabilities related to the Envoy proxy used within Red Hat OpenShift Service Mesh.
Is there a workaround for RHSA-2022:1275?
There are no specific workarounds provided for RHSA-2022:1275; applying the updates is the recommended action.
- agent/severity
- agent/weakness
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- agent/last-modified-date
- collector/redhat-errata
- source/Red Hat
- anchor-id/RHSA-2022:1275
- agent/software-canonical-lookup
- agent/remedy
- agent/title
- agent/references
- agent/description
- agent/event
- agent/trending
- agent/tags
- agent/source
- package-manager/redhat