Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

Important: Red Hat OpenShift Service Mesh 2.2.9 security update

Related Vulnerabilities: CVE-2023-27487   CVE-2023-27488   CVE-2023-27491   CVE-2023-27492   CVE-2023-27493   CVE-2023-27496  

Source

Synopsis

Important: Red Hat OpenShift Service Mesh 2.2.9 security update

Type/Severity

Security Advisory: Important

Topic

Red Hat OpenShift Service Mesh 2.2.9

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for installation into an OpenShift Container Platform installation.

Security Fix(es):

  • envoy: Client may fake the header `x-envoy-original-path` (CVE-2023-27487)
  • envoy: envoy doesn't escape HTTP header values (CVE-2023-27493)
  • envoy: gRPC client produces invalid protobuf when an HTTP header with non-UTF8 value is received (CVE-2023-27488)
  • envoy: Envoy forwards invalid HTTP/2 and HTTP/3 downstream (CVE-2023-27491)
  • envoy: Crash when a large request body is processed in Lua filter (CVE-2023-27492)
  • envoy: Crash when a redirect url without a state param is received in the oauth filter (CVE-2023-27496)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat OpenShift Service Mesh 2 for RHEL 8 x86_64
  • Red Hat OpenShift Service Mesh for Power 2 for RHEL 8 ppc64le
  • Red Hat OpenShift Service Mesh for IBM Z 2 for RHEL 8 s390x

Fixes

  • BZ - 2179135 - CVE-2023-27487 envoy: Client may fake the header `x-envoy-original-path`
  • BZ - 2179138 - CVE-2023-27491 envoy: Envoy forwards invalid HTTP/2 and HTTP/3 downstream
  • BZ - 2179139 - CVE-2023-27492 envoy: Crash when a large request body is processed in Lua filter
  • BZ - 2182155 - CVE-2023-27496 envoy: Crash when a redirect url without a state param is received in the oauth filter
  • BZ - 2182156 - CVE-2023-27488 envoy: gRPC client produces invalid protobuf when an HTTP header with non-UTF8 value is received
  • BZ - 2182158 - CVE-2023-27493 envoy: envoy doesn't escape HTTP header values

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started