You are here
Home > Preporuke > Sigurnosni nedostaci programskih paketa RPM

Sigurnosni nedostaci programskih paketa RPM

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA256

=====================================================================
Red Hat Security Advisory

Synopsis: Critical: Red Hat OpenShift Service Mesh 1.0.3 RPMs security update
Advisory ID: RHSA-2019:4222-01
Product: Red Hat OpenShift Service Mesh
Advisory URL: https://access.redhat.com/errata/RHSA-2019:4222
Issue date: 2019-12-11
CVE Names: CVE-2019-18801 CVE-2019-18802 CVE-2019-18838
=====================================================================

1. Summary:

Red Hat OpenShift Service Mesh 1.0.3.

Red Hat Product Security has rated this update as having a security impact
of Critical. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

OpenShift Service Mesh 1.0 – x86_64
Red Hat OpenShift Service Mesh 1.0 – x86_64

3. Description:

Red Hat OpenShift Service Mesh is Red Hat’s distribution of the Istio
service mesh project, tailored for installation into an on-premise
OpenShift Container Platform installation.

This advisory covers the RPM packages for the OpenShift Service Mesh 1.0.3
release.

Security Fix(es):

* An untrusted remote client may send HTTP/2 requests that write to the
heap outside of the request buffers when the upstream is HTTP/1
(CVE-2019-18801)

* Malformed request header may cause bypass of route matchers resulting in
escalation of privileges or information disclosure (CVE-2019-18802)

* Malformed HTTP request without the Host header may cause abnormal
termination of the Envoy process (CVE-2019-18838)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

The OpenShift Service Mesh release notes provide information on the
features and known issues:

https://docs.openshift.com/container-platform/4.2/service_mesh/servicemesh-
release-notes.html

5. Bugs fixed (https://bugzilla.redhat.com/):

1773444 – CVE-2019-18801 envoy: an untrusted remote client may send HTTP/2 requests that write to the heap outside of the request buffers when the upstream is HTTP/1
1773447 – CVE-2019-18802 envoy: malformed request header may cause bypass of route matchers resulting in escalation of privileges or information disclosure
1773449 – CVE-2019-18838 envoy: malformed HTTP request without the Host header may cause abnormal termination of the Envoy process

6. Package List:

Red Hat OpenShift Service Mesh 1.0:

Source:
kiali-v1.0.8.redhat1-1.el7.src.rpm

x86_64:
kiali-v1.0.8.redhat1-1.el7.x86_64.rpm

OpenShift Service Mesh 1.0:

Source:
servicemesh-1.0.3-1.el8.src.rpm
servicemesh-cni-1.0.3-1.el8.src.rpm
servicemesh-grafana-6.2.2-25.el8.src.rpm
servicemesh-operator-1.0.3-1.el8.src.rpm
servicemesh-prometheus-2.7.2-26.el8.src.rpm
servicemesh-proxy-1.0.3-1.el8.src.rpm

x86_64:
servicemesh-1.0.3-1.el8.x86_64.rpm
servicemesh-citadel-1.0.3-1.el8.x86_64.rpm
servicemesh-cni-1.0.3-1.el8.x86_64.rpm
servicemesh-galley-1.0.3-1.el8.x86_64.rpm
servicemesh-grafana-6.2.2-25.el8.x86_64.rpm
servicemesh-grafana-prometheus-6.2.2-25.el8.x86_64.rpm
servicemesh-istioctl-1.0.3-1.el8.x86_64.rpm
servicemesh-mixc-1.0.3-1.el8.x86_64.rpm
servicemesh-mixs-1.0.3-1.el8.x86_64.rpm
servicemesh-operator-1.0.3-1.el8.x86_64.rpm
servicemesh-pilot-agent-1.0.3-1.el8.x86_64.rpm
servicemesh-pilot-discovery-1.0.3-1.el8.x86_64.rpm
servicemesh-prometheus-2.7.2-26.el8.x86_64.rpm
servicemesh-proxy-1.0.3-1.el8.x86_64.rpm
servicemesh-sidecar-injector-1.0.3-1.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2019-18801
https://access.redhat.com/security/cve/CVE-2019-18802
https://access.redhat.com/security/cve/CVE-2019-18838
https://access.redhat.com/security/updates/classification/#critical

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1

iQIVAwUBXfFfotzjgjWX9erEAQivZA/+Jhhsr9G9X/W+5IXLe1iUzXvE61kJDYAg
XoruYZ3hIGVf3h5hRqHOSzmb5oaAGRwyyjvikbUPXP7FqbTKfLD3Ly7eZExhpT2X
GEMLVbeZKIppchI7rpKgswIcy9ukph5HBuxC2Z3TGMJm1wPKzUmhlDhvivlfNuy/
AnsxGrDLdRRwBtXsIsWhg1pcXqMJ/k/wpjwV2RRfm45cE9+ua1ZBLfT+DlUhXmVR
hsFJboy1Ltge8Ag4J+Sl/EhNSC+6IAF0djpXpPj3QZxg2CRg0sscci9MfqZMCBIF
b/bvRr6ZaIvrCvyr8dfyHAViv1kaz3y9Y7oyBeI33tXWHwMm18WN1fGSldMD6Gu6
vvD2YscwroqvhHjNYdsUEp3HGIAD0Gzo8S5MJS4gcLVpjl7wJ3V2jeH3sFgFmSez
DhRrc3/ytWtMHcVTR3PB4lHoeV9BYPxv68d57/Z74ihZanG/UAHclCYx1xHLNYQ7
O96yQz9sC/zCJnHiuP1SsOc0TUvDtAdNg7hAMS8iN8QOTfA925adyyV0aRMczIAD
zyTZXmBnbQ0zusrCcfUReGOzedmWM7VG2R24Wy3TSxXUJJZBRjC4mLaZtDIiRAYl
s8LOWEpJMFZaTzHQBYAYxxH7iaBQG3FDogC6f4GzM6VQE7xM7/Hw65TtpnL2rOUe
xmyOjC5UusE=
=fYm1
—–END PGP SIGNATURE—–


RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

Top
More in Preporuke
Sigurnosni nedostatak programske biblioteke librabbitmq

Otkriven je sigurnosni nedostatak programske biblioteke librabbitmq za operacijski sustav Ubuntu. Otkriveni nedostatak potencijalnim napadačima omogućuje izvršavanje proizvoljnog programskog koda....

Close