Issued:: 2023-01-30
Updated:: 2023-01-30

RHSA-2023:0542 - Important: Red Hat OpenShift Service Mesh 2.3.1 Containers security update

Synopsis

Important: Red Hat OpenShift Service Mesh 2.3.1 Containers security update

Type/Severity

Security Advisory Important

Topic

Red Hat OpenShift Service Mesh 2.3.1 Containers

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat OpenShift Service Mesh is the Red Hat distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation.

This advisory covers container images for the release.

Security Fix(es):

goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be (CVE-2021-4238)
golang: archive/tar: unbounded memory consumption when reading headers (CVE-2022-2879)
golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters (CVE-2022-2880)
golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664)
Istio: Denial of service attack via a specially crafted message (CVE-2022-39278)
golang: regexp/syntax: limit memory used by parsing regexps (CVE-2022-41715)
kiali: error message spoofing in kiali UI (CVE-2022-3962)
golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service (CVE-2022-32189)

For more details about security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, see the CVE page(s) listed in the Container CVEs section.

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

Product	Version	Arch
Red Hat OpenShift Service Mesh	2	x86_64
Red Hat OpenShift Service Mesh for Power	2	ppc64le
Red Hat OpenShift Service Mesh for IBM Z	2	s390x

Fixes

CVEs

CVE-2016-3709
CVE-2021-4238
CVE-2021-23648
CVE-2021-46848
CVE-2022-1304
CVE-2022-1705
CVE-2022-1962
CVE-2022-2879
CVE-2022-2880
CVE-2022-3515
CVE-2022-3962
CVE-2022-21673
CVE-2022-21698
CVE-2022-21702
CVE-2022-21703
CVE-2022-21713
CVE-2022-22624
CVE-2022-22628
CVE-2022-22629
CVE-2022-22662
CVE-2022-26700
CVE-2022-26709
CVE-2022-26710
CVE-2022-26716
CVE-2022-26717
CVE-2022-26719
CVE-2022-27664
CVE-2022-28131
CVE-2022-30293
CVE-2022-30630
CVE-2022-30631
CVE-2022-30632
CVE-2022-30633
CVE-2022-30635
CVE-2022-32148
CVE-2022-32189
CVE-2022-35737
CVE-2022-37434
CVE-2022-39278
CVE-2022-41715
CVE-2022-42010
CVE-2022-42011
CVE-2022-42012
CVE-2022-42898
CVE-2022-43680

References

https://access.redhat.com/security/updates/classification/#important

Additional information

The Red Hat security contact is This content is not included.secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
Offline Security Data data is available for integration with other systems. See Offline Security Data API to get started.