-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat OpenShift Service Mesh 2.2.7 security update
Advisory ID:       RHSA-2023:3645-01
Product:           RHOSSM
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3645
Issue date:        2023-06-15
CVE Names:         CVE-2021-20329 CVE-2021-43138 CVE-2022-2880 
                   CVE-2022-4304 CVE-2022-4450 CVE-2022-24999 
                   CVE-2022-25858 CVE-2022-27664 CVE-2022-36227 
                   CVE-2022-39229 CVE-2022-41715 CVE-2023-0215 
                   CVE-2023-0286 CVE-2023-0361 CVE-2023-27535 
====================================================================
1. Summary:

Red Hat OpenShift Service Mesh 2.2.7

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio
service mesh project, tailored for installation into an OpenShift Container
Platform installation.

This advisory covers the RPM packages for the release.

Security Fix(es):

* mongo-go-driver: specific cstrings input may not be properly validated
(CVE-2021-20329)
* async: Prototype Pollution in async (CVE-2021-43138)
* express: "qs" prototype poisoning causes the hang of the node process
(CVE-2022-24999)
* terser: insecure use of regular expressions leads to ReDoS
(CVE-2022-25858)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

1971033 - CVE-2021-20329 mongo-go-driver: specific cstrings input may not be properly validated
2126276 - CVE-2021-43138 async: Prototype Pollution in async
2126277 - CVE-2022-25858 terser: insecure use of regular expressions leads to ReDoS
2150323 - CVE-2022-24999 express: "qs" prototype poisoning causes the hang of the node process

5. JIRA issues fixed (https://issues.redhat.com/):

OSSM-3596 - Port istio-cni fix for RHEL9 to maistra-2.2
OSSM-3720 - Port egress-gateway wrong network gateway endpoints fix in maistra-2.2
OSSM-3783 - operator can deadlock when istiod deployment fails [maistra-2.2]

6. References:

https://access.redhat.com/security/cve/CVE-2021-20329
https://access.redhat.com/security/cve/CVE-2021-43138
https://access.redhat.com/security/cve/CVE-2022-2880
https://access.redhat.com/security/cve/CVE-2022-4304
https://access.redhat.com/security/cve/CVE-2022-4450
https://access.redhat.com/security/cve/CVE-2022-24999
https://access.redhat.com/security/cve/CVE-2022-25858
https://access.redhat.com/security/cve/CVE-2022-27664
https://access.redhat.com/security/cve/CVE-2022-36227
https://access.redhat.com/security/cve/CVE-2022-39229
https://access.redhat.com/security/cve/CVE-2022-41715
https://access.redhat.com/security/cve/CVE-2023-0215
https://access.redhat.com/security/cve/CVE-2023-0286
https://access.redhat.com/security/cve/CVE-2023-0361
https://access.redhat.com/security/cve/CVE-2023-27535
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBZIuxJdzjgjWX9erEAQglEg/6A7Ceu4fLKvXl+RRcBZs1TAFYReXxYOcd
KGEDPmEuS2YCS3pn4CN/CqPYcgp1YmtTrpUZxmzKoAZjInJ3kc4zG7XGim3eLBiC
LUWMl7DUM9voriHCmrktjr3sMfryng7FL5i9NT8Sh0YxyeJ0DEr/3Pziyae5JezY
BC1uColX7LtZUa0dLgP3Tl7lW/tEn2TwOUldmLAJwjzvECzsCelLT57DOUbeibV0
TrmGs6ZOhUDNzbLHRZuvtLXIJlL0LquR/B/KzOT7ZuawEAxMmh70t2AdS3mD4YXq
GxG9b4mfq7zIYa6nvUnTcaKxM/gE0TE0Vrrk9FdUfXcpyQfZnVakLf3i5ll0XmqA
7YSSdBJIj8kccbz7DV9siJVyCMmlN/7KB0QYont4MiIvY4/ovS9pytDtuJ2xvOZ4
pTe6tF2i8S+XvI5D173I7+QoN8fUGiP3gdArRKFu7GlFXZfrgq4Yfl4wQR26tbpE
CCrT1ct9Bj1IdvFSOexBzaNArh60Vpi0uUYfYg2smVPJslCNhKY9c1D0T/pLZL3b
mO5ytnq/zaNPFSYS4LpuBn9qX1TXJmlNQlpm/Pnzs//YVaZbxXwvzzGC4vVr7F+r
+VVlfI43X4bLKseuxToheH9UrMIJRW+aE6bFHE1ss22m9y5n/kHRK8oDb5FRur3b
LOOJa1Oil6M=4VhL
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2023-3645:01 Moderate: Red Hat OpenShift Service Mesh 2.2.7

Red Hat OpenShift Service Mesh 2.2.7 Red Hat Product Security has rated this update as having a security impact of Moderate

Summary

Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for installation into an OpenShift Container Platform installation.
This advisory covers the RPM packages for the release.
Security Fix(es):
* mongo-go-driver: specific cstrings input may not be properly validated (CVE-2021-20329) * async: Prototype Pollution in async (CVE-2021-43138) * express: "qs" prototype poisoning causes the hang of the node process (CVE-2022-24999) * terser: insecure use of regular expressions leads to ReDoS (CVE-2022-25858)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Summary

Solution

For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258

References

https://access.redhat.com/security/cve/CVE-2021-20329 https://access.redhat.com/security/cve/CVE-2021-43138 https://access.redhat.com/security/cve/CVE-2022-2880 https://access.redhat.com/security/cve/CVE-2022-4304 https://access.redhat.com/security/cve/CVE-2022-4450 https://access.redhat.com/security/cve/CVE-2022-24999 https://access.redhat.com/security/cve/CVE-2022-25858 https://access.redhat.com/security/cve/CVE-2022-27664 https://access.redhat.com/security/cve/CVE-2022-36227 https://access.redhat.com/security/cve/CVE-2022-39229 https://access.redhat.com/security/cve/CVE-2022-41715 https://access.redhat.com/security/cve/CVE-2023-0215 https://access.redhat.com/security/cve/CVE-2023-0286 https://access.redhat.com/security/cve/CVE-2023-0361 https://access.redhat.com/security/cve/CVE-2023-27535 https://access.redhat.com/security/updates/classification/#moderate

Package List

Severity

Advisory ID: RHSA-2023:3645-01

Product: RHOSSM

Advisory URL: https://access.redhat.com/errata/RHSA-2023:3645

Issued Date: : 2023-06-15

CVE Names: CVE-2021-20329 CVE-2021-43138 CVE-2022-2880 CVE-2022-4304 CVE-2022-4450 CVE-2022-24999 CVE-2022-25858 CVE-2022-27664 CVE-2022-36227 CVE-2022-39229 CVE-2022-41715 CVE-2023-0215 CVE-2023-0286 CVE-2023-0361 CVE-2023-27535

Topic

Red Hat OpenShift Service Mesh 2.2.7Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.

Topic

Relevant Releases Architectures

Bugs Fixed

1971033 - CVE-2021-20329 mongo-go-driver: specific cstrings input may not be properly validated

2126276 - CVE-2021-43138 async: Prototype Pollution in async

2126277 - CVE-2022-25858 terser: insecure use of regular expressions leads to ReDoS

2150323 - CVE-2022-24999 express: "qs" prototype poisoning causes the hang of the node process

5. JIRA issues fixed (https://issues.redhat.com/):

OSSM-3596 - Port istio-cni fix for RHEL9 to maistra-2.2

OSSM-3720 - Port egress-gateway wrong network gateway endpoints fix in maistra-2.2

OSSM-3783 - operator can deadlock when istiod deployment fails [maistra-2.2]

Related News

The End of the Road for Linux 6.11: A Call to Upgrade to Kernel 6.12

The End of the Road for Linux 6.11: A Call to Upgrade to Kernel 6.12

3 - 5 min read

Dec 06, 2024

The Linux kernel community recently issued an EOL announcement regarding the 6.11 kernel series, urging sysadmins to upgrade quickly to 6.12 . This

A Linux Admin

A Linux Admin's Guide to Tackling Emerging Cloud-Native Security Risks

3 - 6 min read

Dec 05, 2024

As 2025 approaches, we Linux admins are facing new and often unseen cloud-native security obstacles. While skilled at mitigating known risks,

Leveraging Insights from the Linux Foundation

Leveraging Insights from the Linux Foundation's Census III Report for More Secure Linux Administration

3 - 5 min read

Dec 05, 2024

The Linux Foundation's recent Census III report provides critical insights for Linux administrators, information security professionals, and anyone

Chrome 131 Released: Emergency Security Update Fixes Over a Dozen Significant Vulns

Chrome 131 Released: Emergency Security Update Fixes Over a Dozen Significant Vulns

3 - 6 min read

Dec 04, 2024

Google recently unveiled a critical security update to their popular web browser, Google Chrome, addressing over a dozen significant security

From Wayland Fixes to Security Boosts: Examining Qt 6.8.1

From Wayland Fixes to Security Boosts: Examining Qt 6.8.1's Impact on Linux Administration

3 - 6 min read

Dec 03, 2024

The recent Qt 6.8.1 release brings significant updates and improvements, strengthening its reputation as a secure and reliable application

Exploring Arch Linux 2024.12.01: Security Implications & Notable Enhancements for Linux Admins

Exploring Arch Linux 2024.12.01: Security Implications & Notable Enhancements for Linux Admins

3 - 6 min read

Dec 03, 2024

The Arch Linux 2024.12.01 ISO release marks an impressive milestone, offering cutting-edge updates that enhance functionality, streamline

Deck the Halls with Enhanced Security: Linux Kernel 6.13

Deck the Halls with Enhanced Security: Linux Kernel 6.13's Top Features & Improvements

3 - 5 min read

Dec 02, 2024

As Linux admins and infosec professionals prepare for the holiday season, there's much cause for celebration this year! Linus Torvalds recently made

Lessons from Bootkitty: Securing Linux Systems Against UEFI Intrusions

Lessons from Bootkitty: Securing Linux Systems Against UEFI Intrusions

3 - 5 min read

Dec 02, 2024

New Linux security threats mark critical junctures that challenge existing policies and test security protocols to their limit. One such milestone

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

News

Cloud Security Cryptography Desktop Security Firewall Government Hacks/Cracks IoT Security Network Security Organizations/Events Privacy Security Projects Security Trends Security Vulnerabilities Server Security Vendors/Products
Advisories

Debian Debian LTS Fedora Gentoo Mageia Oracle openSUSE RockyLinux Slackware SuSE Ubuntu
HOWTOs

Harden My Filesystem Learn Tips and Tricks Secure My E-mail Secure My Firewall Secure My Network Secure My Webserver Strengthen My Privacy
Features

Best Secure Linux Distros for Enhanced Privacy & Security The Truth About Linux Malware & How to Protect Your System Is Linux A More Secure Option Than Windows For Businesses? How Secure Is Linux? Top Tips for Securing Your Linux System
About Us

Advertise Contribute Your Article Legal Notice RSS Feeds Contact Us Terms of Service Privacy Policy
Powered By

Linux Security - Your source for Top Linux News, Advisories, HowTo's and Feature Release.

© 2024 Guardian Digital, Inc All Rights Reserved