Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

Important: Red Hat OpenShift Service Mesh servicemesh-grafana security update

Related Vulnerabilities: CVE-2019-11253   CVE-2020-13379   CVE-2019-16769   CVE-2020-7660   CVE-2020-7662   CVE-2020-12052   CVE-2020-12245   CVE-2020-13430   CVE-2019-11253   CVE-2020-13379   CVE-2020-7660   CVE-2020-7662   CVE-2020-12052   CVE-2019-16769   CVE-2020-13430   CVE-2020-12245   CVE-2019-11253   CVE-2019-16769   CVE-2020-7660   CVE-2020-7662   CVE-2020-12052   CVE-2020-12245   CVE-2020-13379   CVE-2020-13430  

Source

Übersicht

Important: Red Hat OpenShift Service Mesh servicemesh-grafana security update

Typ/Schweregrad

Security Advisory: Important

Thema

An update for servicemesh-grafana is now available for OpenShift Service Mesh 1.1.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Beschreibung

Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation.

Security Fix(es):

  • kubernetes: YAML parsing vulnerable to "Billion Laughs" attack, allowing for remote denial of service (CVE-2019-11253)
  • grafana: SSRF incorrect access control vulnerability allows unauthenticated users to make grafana send HTTP requests to any URL (CVE-2020-13379)
  • npm-serialize-javascript: XSS via unsafe characters in serialized regular expressions (CVE-2019-16769)
  • npm-serialize-javascript: allows remote attackers to inject arbitrary code via the function deleteFunctions within index.js (CVE-2020-7660)
  • npmjs-websocket-extensions: ReDoS vulnerability in Sec-WebSocket-Extensions parser (CVE-2020-7662)
  • grafana: XSS annotation popup vulnerability (CVE-2020-12052)
  • grafana: XSS via column.title or cellLinkTooltip (CVE-2020-12245)
  • grafana: XSS via the OpenTSDB datasource (CVE-2020-13430)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Lösung

The OpenShift Service Mesh release notes provide information on the features and
known issues:

https://docs.openshift.com/container-platform/latest/service_mesh/servicemesh-release-notes.html

Betroffene Produkte

  • Red Hat OpenShift Service Mesh 1.1 for RHEL 8 x86_64

Fixes

  • BZ - 1757701 - CVE-2019-11253 kubernetes: YAML parsing vulnerable to "Billion Laughs" attack, allowing for remote denial of service
  • BZ - 1843640 - CVE-2020-13379 grafana: SSRF incorrect access control vulnerability allows unauthenticated users to make grafana send HTTP requests to any URL
  • BZ - 1844228 - CVE-2020-7660 npm-serialize-javascript: allows remote attackers to inject arbitrary code via the function deleteFunctions within index.js
  • BZ - 1845982 - CVE-2020-7662 npmjs-websocket-extensions: ReDoS vulnerability in Sec-WebSocket-Extensions parser
  • BZ - 1848089 - CVE-2020-12052 grafana: XSS annotation popup vulnerability
  • BZ - 1848092 - CVE-2019-16769 npm-serialize-javascript: XSS via unsafe characters in serialized regular expressions
  • BZ - 1848108 - CVE-2020-13430 grafana: XSS via the OpenTSDB datasource
  • BZ - 1848643 - CVE-2020-12245 grafana: XSS via column.title or cellLinkTooltip

CVEs

Verweise

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started