Home / mailings [RHSA-2023:0542-01] Important: Red Hat OpenShift Service Mesh 2.3.1 Containers security update
Posted on 30 January 2023
RedHat===================================================================== Red Hat Security Advisory
Synopsis: Important: Red Hat OpenShift Service Mesh 2.3.1 Containers security update
Advisory ID: RHSA-2023:0542-01
Product: RHOSSM
Advisory URL: https://access.redhat.com/errata/RHSA-2023:0542
Issue date: 2023-01-30
CVE Names: CVE-2016-3709 CVE-2021-4238 CVE-2021-23648
CVE-2021-46848 CVE-2022-1304 CVE-2022-1705
CVE-2022-1962 CVE-2022-2879 CVE-2022-2880
CVE-2022-3515 CVE-2022-3962 CVE-2022-21673
CVE-2022-21698 CVE-2022-21702 CVE-2022-21703
CVE-2022-21713 CVE-2022-22624 CVE-2022-22628
CVE-2022-22629 CVE-2022-22662 CVE-2022-26700
CVE-2022-26709 CVE-2022-26710 CVE-2022-26716
CVE-2022-26717 CVE-2022-26719 CVE-2022-27664
CVE-2022-28131 CVE-2022-30293 CVE-2022-30630
CVE-2022-30631 CVE-2022-30632 CVE-2022-30633
CVE-2022-30635 CVE-2022-32148 CVE-2022-32189
CVE-2022-35737 CVE-2022-37434 CVE-2022-39278
CVE-2022-41715 CVE-2022-42010 CVE-2022-42011
CVE-2022-42012 CVE-2022-42898 CVE-2022-43680
=====================================================================
1. Summary:
Red Hat OpenShift Service Mesh 2.3.1 Containers
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Description:
Red Hat OpenShift Service Mesh is the Red Hat distribution of the Istio
service mesh project, tailored for installation into an on-premise
OpenShift Container Platform installation.
This advisory covers container images for the release.
Security Fix(es):
* goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as
random as they should be (CVE-2021-4238)
* golang: archive/tar: unbounded memory consumption when reading headers
(CVE-2022-2879)
* golang: net/http/httputil: ReverseProxy should not forward unparseable
query parameters (CVE-2022-2880)
* golang: net/http: handle server errors after sending GOAWAY
(CVE-2022-27664)
* Istio: Denial of service attack via a specially crafted message
(CVE-2022-39278)
* golang: regexp/syntax: limit memory used by parsing regexps
(CVE-2022-41715)
* kiali: error message spoofing in kiali UI (CVE-2022-3962)
* golang: math/big: decoding big.Float and big.Rat types can panic if the
encoded message is too short, potentially allowing a denial of service
(CVE-2022-32189)
For more details about security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, see the CVE page(s)
listed in the Container CVEs section.
3. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
4. Bugs fixed (https://bugzilla.redhat.com/):
2113814 - CVE-2022-32189 golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service
2124669 - CVE-2022-27664 golang: net/http: handle server errors after sending GOAWAY
2132867 - CVE-2022-2879 golang: archive/tar: unbounded memory consumption when reading headers
2132868 - CVE-2022-2880 golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters
2132872 - CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps
2148199 - CVE-2022-39278 Istio: Denial of service attack via a specially crafted message
2148661 - CVE-2022-3962 kiali: error message spoofing in kiali UI
2156729 - CVE-2021-4238 goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be
5. JIRA issues fixed (https://issues.jboss.org/):
OSSM-1977 - Support for Istio Gateway API in Kiali
OSSM-2083 - Update maistra/istio 2.3 to Istio 1.14.5
OSSM-2147 - Unexpected validation message on Gateway object
OSSM-2169 - Member controller doesn't retry on conflict
OSSM-2170 - Member namespaces aren't cleaned up when a cluster-scoped SMMR is deleted
OSSM-2179 - Wasm plugins only support OCI images with 1 layer
OSSM-2184 - Istiod isn't allowed to delete analysis distribution report configmap
OSSM-2188 - Member namespaces not cleaned up when SMCP is deleted
OSSM-2189 - If multiple SMCPs exist in a namespace, the controller reconciles them all
OSSM-2190 - The memberroll controller reconciles SMMRs with invalid name
OSSM-2232 - The member controller reconciles ServiceMeshMember with invalid name
OSSM-2241 - Remove v2.0 from Create ServiceMeshControlPlane Form
OSSM-2251 - CVE-2022-3962 openshift-istio-kiali-container: kiali: content spoofing [ossm-2.3]
OSSM-2308 - add root CA certificates to kiali container
OSSM-2315 - be able to customize openshift auth timeouts
OSSM-2324 - Gateway injection does not work when pods are created by cluster admins
OSSM-2335 - Potential hang using Traces scatterplot chart
OSSM-2338 - Federation deployment does not need router mode sni-dnat
OSSM-2344 - Restarting istiod causes Kiali to flood CRI-O with port-forward requests
OSSM-2375 - Istiod should log member namespaces on every update
OSSM-2376 - ServiceMesh federation stops working after the restart of istiod pod
OSSM-535 - Support validationMessages in SMCP
OSSM-827 - ServiceMeshMembers point to wrong SMCP name
6. References:
https://access.redhat.com/security/cve/CVE-2016-3709
https://access.redhat.com/security/cve/CVE-2021-4238
https://access.redhat.com/security/cve/CVE-2021-23648
https://access.redhat.com/security/cve/CVE-2021-46848
https://access.redhat.com/security/cve/CVE-2022-1304
https://access.redhat.com/security/cve/CVE-2022-1705
https://access.redhat.com/security/cve/CVE-2022-1962
https://access.redhat.com/security/cve/CVE-2022-2879
https://access.redhat.com/security/cve/CVE-2022-2880
https://access.redhat.com/security/cve/CVE-2022-3515
https://access.redhat.com/security/cve/CVE-2022-3962
https://access.redhat.com/security/cve/CVE-2022-21673
https://access.redhat.com/security/cve/CVE-2022-21698
https://access.redhat.com/security/cve/CVE-2022-21702
https://access.redhat.com/security/cve/CVE-2022-21703
https://access.redhat.com/security/cve/CVE-2022-21713
https://access.redhat.com/security/cve/CVE-2022-22624
https://access.redhat.com/security/cve/CVE-2022-22628
https://access.redhat.com/security/cve/CVE-2022-22629
https://access.redhat.com/security/cve/CVE-2022-22662
https://access.redhat.com/security/cve/CVE-2022-26700
https://access.redhat.com/security/cve/CVE-2022-26709
https://access.redhat.com/security/cve/CVE-2022-26710
https://access.redhat.com/security/cve/CVE-2022-26716
https://access.redhat.com/security/cve/CVE-2022-26717
https://access.redhat.com/security/cve/CVE-2022-26719
https://access.redhat.com/security/cve/CVE-2022-27664
https://access.redhat.com/security/cve/CVE-2022-28131
https://access.redhat.com/security/cve/CVE-2022-30293
https://access.redhat.com/security/cve/CVE-2022-30630
https://access.redhat.com/security/cve/CVE-2022-30631
https://access.redhat.com/security/cve/CVE-2022-30632
https://access.redhat.com/security/cve/CVE-2022-30633
https://access.redhat.com/security/cve/CVE-2022-30635
https://access.redhat.com/security/cve/CVE-2022-32148
https://access.redhat.com/security/cve/CVE-2022-32189
https://access.redhat.com/security/cve/CVE-2022-35737
https://access.redhat.com/security/cve/CVE-2022-37434
https://access.redhat.com/security/cve/CVE-2022-39278
https://access.redhat.com/security/cve/CVE-2022-41715
https://access.redhat.com/security/cve/CVE-2022-42010
https://access.redhat.com/security/cve/CVE-2022-42011
https://access.redhat.com/security/cve/CVE-2022-42012
https://access.redhat.com/security/cve/CVE-2022-42898
https://access.redhat.com/security/cve/CVE-2022-43680
https://access.redhat.com/security/updates/classification/#important
7. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2023 Red Hat, Inc.