-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat OpenShift Service Mesh 2.2.9  security update
Advisory ID:       RHSA-2023:4623-01
Product:           Red Hat OpenShift Service Mesh
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4623
Issue date:        2023-08-11
CVE Names:         CVE-2023-27487 CVE-2023-27488 CVE-2023-27491 
                   CVE-2023-27492 CVE-2023-27493 CVE-2023-27496 
=====================================================================

1. Summary:

Red Hat OpenShift Service Mesh 2.2.9

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio
service mesh project, tailored for installation into an OpenShift Container
Platform installation.

Security Fix(es):

* envoy: Client may fake the header `x-envoy-original-path`
(CVE-2023-27487)

* envoy: envoy doesn't escape HTTP header values (CVE-2023-27493)

* envoy: gRPC client produces invalid protobuf when an HTTP header with
non-UTF8 value is received (CVE-2023-27488)

* envoy: Envoy forwards invalid HTTP/2 and HTTP/3 downstream
(CVE-2023-27491)

* envoy:  Crash when a large request body is processed in Lua filter
(CVE-2023-27492)

* envoy: Crash when a redirect url without a state param is received in the
oauth filter (CVE-2023-27496)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2179135 - CVE-2023-27487 envoy: Client may fake the header `x-envoy-original-path`
2179138 - CVE-2023-27491 envoy: Envoy forwards invalid HTTP/2 and HTTP/3 downstream
2179139 - CVE-2023-27492 envoy:  Crash when a large request body is processed in Lua filter
2182155 - CVE-2023-27496 envoy: Crash when a redirect url without a state param is received in the oauth filter
2182156 - CVE-2023-27488 envoy: gRPC client produces invalid protobuf when an HTTP header with non-UTF8 value is received
2182158 - CVE-2023-27493 envoy: envoy doesn't escape HTTP header values

5. References:

https://access.redhat.com/security/cve/CVE-2023-27487
https://access.redhat.com/security/cve/CVE-2023-27488
https://access.redhat.com/security/cve/CVE-2023-27491
https://access.redhat.com/security/cve/CVE-2023-27492
https://access.redhat.com/security/cve/CVE-2023-27493
https://access.redhat.com/security/cve/CVE-2023-27496
https://access.redhat.com/security/updates/classification/#important

6. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJk1pfaAAoJENzjgjWX9erE16UP/Az3YBHc2BsjRSY0/48IyI49
PZ8yFpBCQMocY7dnts48iFeeVZtQlFruLzOOvGWvaKyPCSiyC0XtTg/6sw71XCaf
bpOsMXNV75ggf0tTO6JEgGqD326pdOnYqXMUfBnxvgtqQ/Ej1kyGCig+c7bEcvB0
l0m4NsAo224h8U33fnOPbgP/m/0elWCTcZbOUBLd+qRqwE9edZX4Chd+3l3pq5kg
zJHLKHui/q+dAIqgsoK6CznTglUXuFQlYpu+vlAomrMGED7kx3t7QgttmhlL7krl
rKIBgJml3nottyavLGmdCBiuklBlcNNV6LHZNkIEaIaH7Hlgbcb0AWHcOr97KXxQ
K1ZpIdNOX0IDgltC3cGWbmiNmM45KSWKjCTUKXPiD0jlIxbuDIrqT25tOlNw4nRa
R4hoiJUvUBl33zcg0q1JZmr9iYA7kKmrQUTgjMaFersmaeVaALBsmwdmTasaAsC0
jdNzrbRB2JCnozPUphYff6Zc0iIKKPmMKtAWDzdyor0eQ+7sPfXNyND2WC5OQtVS
oLK/juc7CxQkMhOI09goLFMSUEO7czvKzdr5rzG8s1D7JHNtPLlCy2D0X4jAXIKD
Ca53KIpxVrEUpmrApFvZscITKSyEGt0pouxEh2mFU6Op1ZcnONOeDXz7+KVfQTZZ
3+soC5oF43vm3/r9KJAz
=xctn
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2023-4623:01 Important: Red Hat OpenShift Service Mesh 2.2.9

Red Hat OpenShift Service Mesh 2.2.9 Red Hat Product Security has rated this update as having a security impact of Important

Summary

Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for installation into an OpenShift Container Platform installation.
Security Fix(es):
* envoy: Client may fake the header `x-envoy-original-path` (CVE-2023-27487)
* envoy: envoy doesn't escape HTTP header values (CVE-2023-27493)
* envoy: gRPC client produces invalid protobuf when an HTTP header with non-UTF8 value is received (CVE-2023-27488)
* envoy: Envoy forwards invalid HTTP/2 and HTTP/3 downstream (CVE-2023-27491)
* envoy: Crash when a large request body is processed in Lua filter (CVE-2023-27492)
* envoy: Crash when a redirect url without a state param is received in the oauth filter (CVE-2023-27496)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.



Summary


Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258

References

https://access.redhat.com/security/cve/CVE-2023-27487 https://access.redhat.com/security/cve/CVE-2023-27488 https://access.redhat.com/security/cve/CVE-2023-27491 https://access.redhat.com/security/cve/CVE-2023-27492 https://access.redhat.com/security/cve/CVE-2023-27493 https://access.redhat.com/security/cve/CVE-2023-27496 https://access.redhat.com/security/updates/classification/#important

Package List


Severity
Advisory ID: RHSA-2023:4623-01
Product: Red Hat OpenShift Service Mesh
Advisory URL: https://access.redhat.com/errata/RHSA-2023:4623
Issued Date: : 2023-08-11
CVE Names: CVE-2023-27487 CVE-2023-27488 CVE-2023-27491 CVE-2023-27492 CVE-2023-27493 CVE-2023-27496

Topic

Red Hat OpenShift Service Mesh 2.2.9Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.


Topic


 

Relevant Releases Architectures


Bugs Fixed

2179135 - CVE-2023-27487 envoy: Client may fake the header `x-envoy-original-path`

2179138 - CVE-2023-27491 envoy: Envoy forwards invalid HTTP/2 and HTTP/3 downstream

2179139 - CVE-2023-27492 envoy: Crash when a large request body is processed in Lua filter

2182155 - CVE-2023-27496 envoy: Crash when a redirect url without a state param is received in the oauth filter

2182156 - CVE-2023-27488 envoy: gRPC client produces invalid protobuf when an HTTP header with non-UTF8 value is received

2182158 - CVE-2023-27493 envoy: envoy doesn't escape HTTP header values


Related News

The End of the Road for Linux 6.11: A Call to Upgrade to Kernel 6.12
3 - 5 min read
The Linux kernel community recently issued an EOL announcement regarding the 6.11 kernel series, urging sysadmins to upgrade quickly to 6.12 . This
A Linux Admin
3 - 6 min read
As 2025 approaches, we Linux admins are facing new and often unseen cloud-native security obstacles. While skilled at mitigating known risks,
Leveraging Insights from the Linux Foundation
3 - 5 min read
The Linux Foundation's recent Census III report provides critical insights for Linux administrators, information security professionals, and anyone
Chrome 131 Released: Emergency Security Update Fixes Over a Dozen Significant Vulns
3 - 6 min read
Google recently unveiled a critical security update to their popular web browser, Google Chrome, addressing over a dozen significant security
From Wayland Fixes to Security Boosts: Examining Qt 6.8.1
3 - 6 min read
The recent Qt 6.8.1 release brings significant updates and improvements, strengthening its reputation as a secure and reliable application
Exploring Arch Linux 2024.12.01: Security Implications & Notable Enhancements for Linux Admins
3 - 6 min read
The Arch Linux 2024.12.01 ISO release marks an impressive milestone, offering cutting-edge updates that enhance functionality, streamline
Deck the Halls with Enhanced Security: Linux Kernel 6.13
3 - 5 min read
As Linux admins and infosec professionals prepare for the holiday season, there's much cause for celebration this year! Linus Torvalds recently made
Lessons from Bootkitty: Securing Linux Systems Against UEFI Intrusions
3 - 5 min read
New Linux security threats mark critical junctures that challenge existing policies and test security protocols to their limit. One such milestone

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved