Important: Red Hat OpenShift Service Mesh 2.3.1 Containers security update

Topic

Red Hat OpenShift Service Mesh 2.3.1 Containers

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat OpenShift Service Mesh is the Red Hat distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation.

This advisory covers container images for the release.

Security Fix(es):

• goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be (CVE-2021-4238)
• golang: archive/tar: unbounded memory consumption when reading headers (CVE-2022-2879)
• golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters (CVE-2022-2880)
• golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664)
• Istio: Denial of service attack via a specially crafted message (CVE-2022-39278)
• golang: regexp/syntax: limit memory used by parsing regexps (CVE-2022-41715)
• kiali: error message spoofing in kiali UI (CVE-2022-3962)
• golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service (CVE-2022-32189)

For more details about security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, see the CVE page(s) listed in the Container CVEs section.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat OpenShift Service Mesh 2 for RHEL 8 x86_64
• Red Hat OpenShift Service Mesh for Power 2 for RHEL 8 ppc64le
• Red Hat OpenShift Service Mesh for IBM Z 2 for RHEL 8 s390x

Fixes

• BZ - 2113814 - CVE-2022-32189 golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service
• BZ - 2124669 - CVE-2022-27664 golang: net/http: handle server errors after sending GOAWAY
• BZ - 2132867 - CVE-2022-2879 golang: archive/tar: unbounded memory consumption when reading headers
• BZ - 2132868 - CVE-2022-2880 golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters
• BZ - 2132872 - CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps
• BZ - 2148199 - CVE-2022-39278 Istio: Denial of service attack via a specially crafted message
• BZ - 2148661 - CVE-2022-3962 kiali: error message spoofing in kiali UI
• BZ - 2156729 - CVE-2021-4238 goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be
• OSSM-2308 - add root CA certificates to kiali container
• OSSM-2315 - be able to customize openshift auth timeouts
• OSSM-2335 - Potential hang using Traces scatterplot chart
• OSSM-2251 - CVE-2022-3962 openshift-istio-kiali-container: kiali: content spoofing [ossm-2.3]
• OSSM-2344 - Restarting istiod causes Kiali to flood CRI-O with port-forward requests
• OSSM-1977 - Support for Istio Gateway API in Kiali
• OSSM-2083 - Update maistra/istio 2.3 to Istio 1.14.5
• OSSM-2147 - Unexpected validation message on Gateway object
• OSSM-2169 - Member controller doesn't retry on conflict
• OSSM-2170 - Member namespaces aren't cleaned up when a cluster-scoped SMMR is deleted
• OSSM-2179 - Wasm plugins only support OCI images with 1 layer
• OSSM-2184 - Istiod isn't allowed to delete analysis distribution report configmap
• OSSM-2188 - Member namespaces not cleaned up when SMCP is deleted
• OSSM-2189 - If multiple SMCPs exist in a namespace, the controller reconciles them all
• OSSM-2190 - The memberroll controller reconciles SMMRs with invalid name
• OSSM-2232 - The member controller reconciles ServiceMeshMember with invalid name
• OSSM-2241 - Remove v2.0 from Create ServiceMeshControlPlane Form
• OSSM-2324 - Gateway injection does not work when pods are created by cluster admins
• OSSM-2338 - Federation deployment does not need router mode sni-dnat
• OSSM-2375 - Istiod should log member namespaces on every update
• OSSM-2376 - ServiceMesh federation stops working after the restart of istiod pod
• OSSM-535 - Support validationMessages in SMCP
• OSSM-827 - ServiceMeshMembers point to wrong SMCP name

CVEs

• CVE-2016-3709
• CVE-2021-4238
• CVE-2021-23648
• CVE-2021-46848
• CVE-2022-1304
• CVE-2022-1705
• CVE-2022-1962
• CVE-2022-2879
• CVE-2022-2880
• CVE-2022-3515
• CVE-2022-3962
• CVE-2022-21673
• CVE-2022-21698
• CVE-2022-21702
• CVE-2022-21703
• CVE-2022-21713
• CVE-2022-22624
• CVE-2022-22628
• CVE-2022-22629
• CVE-2022-22662
• CVE-2022-26700
• CVE-2022-26709
• CVE-2022-26710
• CVE-2022-26716
• CVE-2022-26717
• CVE-2022-26719
• CVE-2022-27664
• CVE-2022-28131
• CVE-2022-30293
• CVE-2022-30630
• CVE-2022-30631
• CVE-2022-30632
• CVE-2022-30633
• CVE-2022-30635
• CVE-2022-32148
• CVE-2022-32189
• CVE-2022-35737
• CVE-2022-37434
• CVE-2022-39278
• CVE-2022-41715
• CVE-2022-42010
• CVE-2022-42011
• CVE-2022-42012
• CVE-2022-42898
• CVE-2022-43680

References

• https://access.redhat.com/security/updates/classification/#important