-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.2283
          Red Hat OpenShift Service Mesh multiple security updates
                                 2 July 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat OpenShift Service Mesh (servicemesh-grafana,
                   servicemesh-proxy, servicemesh-operator, servicemesh-cni)
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Modify Arbitrary Files          -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Cross-site Scripting            -- Remote with User Interaction
                   Access Confidential Data        -- Remote/Unauthenticated
                   Unauthorised Access             -- Remote/Unauthenticated
                   Provide Misleading Information  -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-14306 CVE-2020-13430 CVE-2020-13379 CVE-2020-12605
                   CVE-2020-12604 CVE-2020-12603 CVE-2020-12245 CVE-2020-12052
                   CVE-2020-8663 CVE-2020-7662 CVE-2020-7660 CVE-2019-16769
                   CVE-2019-11253
Reference:         ESB-2020.2171.2
                   ESB-2020.0922
                   ESB-2019.4368

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2020:2796
   https://access.redhat.com/errata/RHSA-2020:2798
   https://access.redhat.com/errata/RHSA-2020:2795
   https://access.redhat.com/errata/RHSA-2020:2799

Comment: This bulletin contains four (4) Red Hat security advisories.
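CVE-2019-11253, listed above and fixed by three of the four advisories below, is a resource-exhaustion bug in YAML anchor/alias handling: a document of a few hundred bytes whose anchors each reference the previous anchor many times expands exponentially when the parser copies every alias. The script below is an added example, not part of this bulletin and not the patched kubernetes YAML parser's code. It is a stdlib-only pre-parse guard that estimates how many nodes alias expansion would generate for the flat "billion laughs" shape (one anchor per line, aliases to earlier anchors) and rejects the document before a real parser does the copying. The regexes, the 10,000-node threshold, and the sample documents are assumptions; it is a heuristic, not a YAML parser.

```python
"""Pre-parse guard against YAML alias expansion ("Billion Laughs").

Added example, not code from kubernetes or its patched YAML parser.
It handles the flat shape of the classic payload (each anchor defined on
one line, aliases to earlier anchors) and estimates the number of nodes
alias expansion would produce; multi-line anchored blocks are
undercounted. Threshold and samples are assumptions.
"""
import re

ANCHOR_RE = re.compile(r"&([A-Za-z0-9_-]+)")
ALIAS_RE = re.compile(r"\*([A-Za-z0-9_-]+)")


def expanded_nodes(yaml_text):
    """Return the number of nodes alias expansion would create.

    size[a] is the node count produced when anchor a is expanded: one for
    the anchored node itself plus the expanded size of every alias inside
    it. Each alias occurrence then costs size[target]. A document with no
    aliases costs 0. An alias to an unknown anchor raises ValueError.
    """
    size = {}
    generated = 0
    for raw in yaml_text.splitlines():
        line = raw.split("#", 1)[0]  # drop comments; assumes no '#' in scalars
        line_cost = 0
        for name in ALIAS_RE.findall(line):
            if name not in size:
                raise ValueError("alias *%s refers to an undefined anchor" % name)
            line_cost += size[name]
        generated += line_cost
        for name in ANCHOR_RE.findall(line):
            # The anchor's subtree is itself plus whatever its aliases expand to.
            size[name] = 1 + line_cost
    return generated


def is_safe(yaml_text, max_generated=10_000):
    """True if alias expansion stays within max_generated nodes."""
    return expanded_nodes(yaml_text) <= max_generated


def make_bomb(width, depth):
    """Build the classic nested-alias payload (constructed, for testing only)."""
    lines = ['a0: &a0 [%s]' % ",".join(['"lol"'] * width)]
    for level in range(1, depth):
        refs = ",".join(["*a%d" % (level - 1)] * width)
        lines.append("a%d: &a%d [%s]" % (level, level, refs))
    return "\n".join(lines) + "\n"


# Constructed samples: a benign merge-key document and a small bomb.
SAFE_DOC = """\
defaults: &defaults
  retries: 3
service:
  <<: *defaults
"""
SMALL_BOMB = make_bomb(width=3, depth=4)

if __name__ == "__main__":
    for label, doc in (("safe", SAFE_DOC), ("bomb 3x4", SMALL_BOMB),
                       ("bomb 9x9", make_bomb(9, 9))):
        print("%-9s %d alias-generated nodes, safe=%s"
              % (label, expanded_nodes(doc), is_safe(doc)))
```

The 3x4 sample expands to 54 nodes; the 9x9 form of the same payload expands to over 54 million, which is why a parser that copies aliases eagerly runs out of memory. The durable fix is the patched parser shipped in the advisories; a guard like this is only a front-line filter for untrusted YAML accepted at an API or admission boundary.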
- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat OpenShift Service Mesh servicemesh-grafana security update
Advisory ID:       RHSA-2020:2796-01
Product:           Red Hat OpenShift Service Mesh
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:2796
Issue date:        2020-07-01
CVE Names:         CVE-2019-11253 CVE-2019-16769 CVE-2020-7660
                   CVE-2020-7662 CVE-2020-12052 CVE-2020-12245
                   CVE-2020-13379 CVE-2020-13430
=====================================================================

1. Summary:

An update for servicemesh-grafana is now available for OpenShift Service
Mesh 1.1.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

OpenShift Service Mesh 1.1 - x86_64

3. Description:

Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio
service mesh project, tailored for installation into an on-premise
OpenShift Container Platform installation.

Security Fix(es):

* kubernetes: YAML parsing vulnerable to "Billion Laughs" attack, allowing
for remote denial of service (CVE-2019-11253)

* grafana: SSRF incorrect access control vulnerability allows
unauthenticated users to make grafana send HTTP requests to any URL
(CVE-2020-13379)

* npm-serialize-javascript: XSS via unsafe characters in serialized regular
expressions (CVE-2019-16769)

* npm-serialize-javascript: allows remote attackers to inject arbitrary code
via the function deleteFunctions within index.js (CVE-2020-7660)

* npmjs-websocket-extensions: ReDoS vulnerability in Sec-WebSocket-Extensions
parser (CVE-2020-7662)

* grafana: XSS annotation popup vulnerability (CVE-2020-12052)

* grafana: XSS via column.title or cellLinkTooltip (CVE-2020-12245)

* grafana: XSS via the OpenTSDB datasource (CVE-2020-13430)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

The OpenShift Service Mesh release notes provide information on the
features and known issues:

https://docs.openshift.com/container-platform/latest/service_mesh/servicemesh-release-notes.html

5. Bugs fixed (https://bugzilla.redhat.com/):

1757701 - CVE-2019-11253 kubernetes: YAML parsing vulnerable to "Billion Laughs" attack, allowing for remote denial of service
1843640 - CVE-2020-13379 grafana: SSRF incorrect access control vulnerability allows unauthenticated users to make grafana send HTTP requests to any URL
1844228 - CVE-2020-7660 npm-serialize-javascript: allows remote attackers to inject arbitrary code via the function deleteFunctions within index.js
1845982 - CVE-2020-7662 npmjs-websocket-extensions: ReDoS vulnerability in Sec-WebSocket-Extensions parser
1848089 - CVE-2020-12052 grafana: XSS annotation popup vulnerability
1848092 - CVE-2019-16769 npm-serialize-javascript: XSS via unsafe characters in serialized regular expressions
1848108 - CVE-2020-13430 grafana: XSS via the OpenTSDB datasource
1848643 - CVE-2020-12245 grafana: XSS via column.title or cellLinkTooltip

6. Package List:

OpenShift Service Mesh 1.1:

Source:
servicemesh-grafana-6.4.3-11.el8.src.rpm

x86_64:
servicemesh-grafana-6.4.3-11.el8.x86_64.rpm
servicemesh-grafana-prometheus-6.4.3-11.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2019-11253
https://access.redhat.com/security/cve/CVE-2019-16769
https://access.redhat.com/security/cve/CVE-2020-7660
https://access.redhat.com/security/cve/CVE-2020-7662
https://access.redhat.com/security/cve/CVE-2020-12052
https://access.redhat.com/security/cve/CVE-2020-12245
https://access.redhat.com/security/cve/CVE-2020-13379
https://access.redhat.com/security/cve/CVE-2020-13430
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXvzaUdzjgjWX9erEAQhi3A/+MVLfbEyP2WyjpwoXIKm55dQVMYIdMGiV
Sp5NTTBjURnzM8or86n/QsW3XNLD+LHZiz9GJvsgJU6rXol2X0HR3W13QzexMqO8
sRwNZeHH7qUMSZW9ND19QWX4/ffrOeh0SWAhxkXWwxbZFDRQwhQy19zbeR8vSij+
2/4DEnLqUHmyRamn/l7sz4QfAQB2NmqdpOsIG4D3ryoZ6Qiv9Am3H/p/TMjBNgWl
865TKEeNgu9+YT0apQnL/49wAMvY27CpuPksCnNowfF7UgDwcSHN3UFa9CleOtDr
rKio2rBbz3FI/KUcAeHvLwWV0sPyQWSI/KpMQwZ1Nj5euVwjMRCx6is83SdfTgnO
eklHKvgtktQIA1EUuFx6GNOVNS+oN/xBdim0fgvTNkMjtYAwoQ/d25tqv+Y+7ior
jZ/mEDpvpzDPlSH2PdQhNjIVUmgvhNf7xSixFUT1SiOI3cPqCyunOqrENZW3D9Ov
lroKD0obyo53+5bOpg6L/vXBkyYv0IIPZZ7wY0cRUj1TLpDp7vVQnK6ozfU4VHBO
Q1UTCg7HR5hcShg7Eb4EEDLiJ4dpzlALP1XSZ6rIvyfBDCR0qVXeRp8dZ73fxCRn
ST7eewJGelgAYwECS1iofZGEtQneLLF23PH3GWJApLrdmMPdVxmylg3wsFjfQ3VY
SpJTijfX++c=
=oiZC
- -----END PGP SIGNATURE-----

- ------------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat OpenShift Service Mesh 1.1 servicemesh-proxy security update
Advisory ID:       RHSA-2020:2798-01
Product:           Red Hat OpenShift Service Mesh
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:2798
Issue date:        2020-07-01
CVE Names:         CVE-2020-8663 CVE-2020-12603 CVE-2020-12604
                   CVE-2020-12605
=====================================================================

1. Summary:

An update for servicemesh-proxy is now available for OpenShift Service
Mesh 1.1.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

OpenShift Service Mesh 1.1 - x86_64

3. Description:

Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio
service mesh project, tailored for installation into an on-premise
OpenShift Container Platform installation.

Security Fix(es):

* envoy: Resource exhaustion when accepting too many connections
(CVE-2020-8663)

* envoy: Resource exhaustion when proxying HTTP/2 requests or responses
with small data frames (CVE-2020-12603)

* envoy: Resource exhaustion when processing HTTP/1.1 headers with long
field names (CVE-2020-12605)

* envoy: Resource exhaustion via HTTP/2 client requests with large payloads
and improper stream windows (CVE-2020-12604)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

The OpenShift Service Mesh release notes provide information on the
features and known issues:

https://docs.openshift.com/container-platform/latest/service_mesh/servicemesh-release-notes.html

5. Bugs fixed (https://bugzilla.redhat.com/):

1844251 - CVE-2020-12603 envoy: Resource exhaustion when proxying HTTP/2 requests or responses with small data frames
1844252 - CVE-2020-12605 envoy: Resource exhaustion when processing HTTP/1.1 headers with long field names
1844254 - CVE-2020-8663 envoy: Resource exhaustion when accepting too many connections
1844255 - CVE-2020-12604 envoy: Resource exhaustion via HTTP/2 client requests with large payloads and improper stream windows

6. Package List:

OpenShift Service Mesh 1.1:

Source:
servicemesh-proxy-1.1.4-2.el8.src.rpm

x86_64:
servicemesh-proxy-1.1.4-2.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-8663
https://access.redhat.com/security/cve/CVE-2020-12603
https://access.redhat.com/security/cve/CVE-2020-12604
https://access.redhat.com/security/cve/CVE-2020-12605
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXvzaNtzjgjWX9erEAQj4IhAAhgMCzAk2639kt37LqaNfZ//M4inVC8/Z
uYK1yF4//rWkd2oK0i5MIYK2z1MWiODQQ55B3/NNMiBnJOu5IqhsXUkbpKzTx1a4
Mth5vnJM4GFYhO0Eb1EZ/wS932x5bcI7jcA+VEU3nNIsUYcKscF30e/AHJE0DkpR
UV3N8mI8X/UE+GyoRidIst4UhQMarO4frRCJQq9WufZ+kyFq2FFEvRIPdjuJYyx5
cfzuJtJpZxDJySI3GCT3bAIk6qenQU8N8UEyRIwEkk9J/1J8zXvTxBERzNUPuoo8
LuIjnTCdlJDaFimYF8pvsaPGSZnvbWNkSwa/l4McKXoqAGKYSZknKCRmqYOWrZ9Q
Zs7j1H0sptAiYlFwWah1AdxPyUOIGzSVHhskpAdMKtb7v6F96fkA7M30ZtQPoUiZ
t+K0g0ywPU5f0KKZOUcUiX0M4sICFjcQ2rqGLb4TIzMpY82v5LCBXZTjMVKmDrD7
hLaEKjMt5/7VzJj9VT87yr0JYkyNio92RClhPFJ7fJy89/WqCGU5YSEYMgwwWAL0
UILo6ELF5MLfyqJgVrHWHT6zaYYVtnrYtYcSKI83ICkyrp4sgh+Gi3Bca/TG4DE9
0XdRkS7X9HEWmgQIDcxgBmPG8Dxgs/VQxaOTMp/yK5L2A5kNFHmhES6Rgsymh/5p
TGRKSwSbM9o=
=srVm
- -----END PGP SIGNATURE-----

- ------------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat OpenShift Service Mesh 1.1 servicemesh-operator security update
Advisory ID:       RHSA-2020:2795-01
Product:           Red Hat OpenShift Service Mesh
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:2795
Issue date:        2020-07-01
CVE Names:         CVE-2019-11253 CVE-2020-14306
=====================================================================

1. Summary:

An update for servicemesh-operator is now available for OpenShift Service
Mesh 1.1.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

OpenShift Service Mesh 1.1 - x86_64

3. Description:

Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio
service mesh project, tailored for installation into an on-premise
OpenShift Container Platform installation.

Security Fix(es):

* kubernetes: YAML parsing vulnerable to "Billion Laughs" attack, allowing
for remote denial of service (CVE-2019-11253)

* openshift-service-mesh/istio-rhel8-operator: control plane can deploy
gateway image to any namespace (CVE-2020-14306)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

The OpenShift Service Mesh release notes provide information on the
features and known issues:

https://docs.openshift.com/container-platform/latest/service_mesh/servicemesh-release-notes.html

5. Bugs fixed (https://bugzilla.redhat.com/):

1757701 - CVE-2019-11253 kubernetes: YAML parsing vulnerable to "Billion Laughs" attack, allowing for remote denial of service
1850380 - CVE-2020-14306 openshift-service-mesh/istio-rhel8-operator: control plane can deploy gateway image to any namespace

6. Package List:

OpenShift Service Mesh 1.1:

Source:
servicemesh-operator-1.1.4-3.el8.src.rpm

x86_64:
servicemesh-operator-1.1.4-3.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2019-11253
https://access.redhat.com/security/cve/CVE-2020-14306
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXvzahNzjgjWX9erEAQg6tA/7BGN9yUAhd3bJQ4Qa59K/jX98qJyo3PVN
uWpKNC3iPwMJJT3UGIhcUgfDVsyEt3hcBqlYFyW7ZKO5UK7y3yKv12fjIX93NHbd
LfiH7pha+OyqylRuZJDW5ibJyYhcD0FLGaoGA7JDhXbFoIEXuFcsf+C7JmS6P5OV
yqKYEah6hX1ggTw1KSeaGc+2TN22n0YLuTueaRJ76vjiwFLPmdzfB1VwbDRGkcCG
4pJKHQtRl+HH1EJ0ZnElD9zBX1sEwRWtU8bAc3wagS3l/VoB2BRB5jas7xzu3LWY
XAT2RPlea/jkBVXkK7m76KBD2Dhzb3gshZb0G6asLbskhFww/pYN+p674rbENPlE
PBJRK7B7ofQSZUqsJvpctcOILA8oW4YyWsmWKUUiJT5wJBY5s0T/zmGav/4F7uSy
fJGFhtMpRpIc8Vb7Gj3M/BtoZ1/mb1SdaCVJJ5N27PFaZt6VK3ICP7wXI+NQ4Ab8
ei5v1BDFPr66gME5BLROzzfNRzK3EMjQtfQm2JE9wBJDP7uiPxvuwkG2JpNf1cKX
WAvpWMe2jVLkvwiQphlZJj96w32xgQ/qiPz3D+pbiihTj/SMZxaNpB6oY4obU1zT
ToykkEUsrL/KOdv9Cwx3n09R/1QkVVL1ITklyAUuspRpVa/uaSfwmQx2LKu+uPEY
8zfguJ+XOXQ=
=javv
- -----END PGP SIGNATURE-----

- ------------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat OpenShift Service Mesh servicemesh-cni security update
Advisory ID:       RHSA-2020:2799-01
Product:           Red Hat OpenShift Service Mesh
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:2799
Issue date:        2020-07-01
CVE Names:         CVE-2019-11253
=====================================================================

1. Summary:

An update for servicemesh-cni is now available for OpenShift Service Mesh
1.1.

Red Hat Product Security has rated this update as having a security impact
of Important.
A Common Vulnerability Scoring System (CVSS) base score, which gives a
detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

2. Relevant releases/architectures:

OpenShift Service Mesh 1.1 - x86_64

3. Description:

Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio
service mesh project, tailored for installation into an on-premise
OpenShift Container Platform installation.

Security Fix(es):

* kubernetes: YAML parsing vulnerable to "Billion Laughs" attack, allowing
for remote denial of service (CVE-2019-11253)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

The OpenShift Service Mesh release notes provide information on the
features and known issues:

https://docs.openshift.com/container-platform/latest/service_mesh/servicemesh-release-notes.html

5. Bugs fixed (https://bugzilla.redhat.com/):

1757701 - CVE-2019-11253 kubernetes: YAML parsing vulnerable to "Billion Laughs" attack, allowing for remote denial of service

6. Package List:

OpenShift Service Mesh 1.1:

Source:
servicemesh-cni-1.1.4-2.el8.src.rpm

x86_64:
servicemesh-cni-1.1.4-2.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2019-11253
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXvzaatzjgjWX9erEAQirWw/+OruhU2zC0726Jw+DmkprA2QTgD1rWpw/
Wx2yQfbYQQb+s+YHEJ4IM8XcHAnH7WzA3oGHO4uBx8lUT8omH8nyguzn44mNwOaU
kJysFD6SSofx0eptkrP01PoRltEJEvZyqFau1cv1BsLGw6G/mayYyO/JM8LoQ1rU
xKiHW9hkEWufu+f2ex0QcLqvAIzA/S+fsxQvZUoiYF8Vgu61+BHpO4VaH6/jVTOM
f/4OPI6iv/dZBt3LsbZQTkFhBXQC390Nz2k8YitEPkZ2myiMaAHRmlavba0k5i1Q
qoLpigPRp6mL6SHAF29OzjyUHyRzOhDw6u3ISX2MQ7c8GJwyViLdxSQfRQhWeSsJ
PDsZ5Q1YEmbyBzLrzIOZSm1qoyI35M111Rx4iRNBG2zFnmMGtMoTbCzvzxKjWKLA
AmBdInd+nuUrd19Gk9BroKHR1NEKpi+LvGvuJdY7tmUU+wIWgRAn1X7+1kroDMn7
kpZzkj6JCerZddL1EKi9M3UDlTMpiB+Zl3I9Fk2DakaJX936IjXOY1JIgga2aCWy
t+v06fzVFfc7OOsag5CMTMPL9UCgVwiDcD6ArQO0BqidcD7lKrzF8JUc+ecN+iIL
M5jz14A/tDIYZz67aZF80QwicpkejC2Yqxj0YR2WLtHLtvA2Wx8xFxbn5m5WP4FQ
1oJOnV+7ikE=
=kr8e
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.
It may not be updated when updates to the original are made.  If downloading
at a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXv1iluNLKJtyKPYoAQiUXBAAp7s5HNrY3TFDin36v7a2EWFCG8HQ3NHK
XxxK4CToi6mERQbSYdXJ9AqAz+sOVAfu5vYkEQlSpj7Bqq9asFUDZNCtG6A0XzEq
Jh1o5uN80eEp9z/yzqCN5Z1YFdQrI0Dntan+D3tllZ6/VdaLSuJYNNEuKtpVwynD
GRh/jSI7JGue/bj8Y3pTS3opqMVL1fggHLm40bFavZhdal6B39ybz5r4+XdNRNRp
shbWaTcfAqHgnk6k5UzkDynpdkKoND6RL3/mgw1R6uiyeVjo89kXKt+nfd9DpZVP
62ytM4meBzoYsx6YLwXZzl9F/Lm3CTTaMEDZyovhIafbsVsaw0OoG87vOppyaZWn
wpj/j/EDAn7wbrMDRtQxHRZNN3rKg8IhrrOwS0LB77mghWjsU8gf/otWUnpOSNV5
ktXMGw3X5x/SDTQtmhiMKHlGu+fsxB17AvQ77qGXRAgP3h8aW8Zjaft8E6HFr9zZ
ZnUvnSVMysyGHFHohLkDweo7Z4TnpKyJ92JL5VarIPcl/fSxzif2ZgY63B8Jt5+2
RcvSEOx5r3gTsQkabhHoWvbShZRopju2DkpjMrOqgZZvMk2tUsV1wwn06wWZZlJb
F38YkcKKZ7UsUpeCUmQIWJnqpUVGMUMSfGg8oek1CxqdKQl1zLtbdeKGHuxUxxac
H3eX//1R5IU=
=UuBQ
-----END PGP SIGNATURE-----
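The four package lists above give the fixed builds: servicemesh-grafana and servicemesh-grafana-prometheus 6.4.3-11.el8, servicemesh-proxy 1.1.4-2.el8, servicemesh-operator 1.1.4-3.el8 and servicemesh-cni 1.1.4-2.el8. The script below is an added example, not Red Hat tooling and not part of the bulletin: it takes an rpm -qa inventory and reports which of those packages are still below the advisory build, using rpm's version-segment ordering reimplemented in Python so it can run on a host without the rpm binary (for example against an inventory collected from many nodes). The advisories show no epoch, so an epoch of 0 is assumed on both sides; the sample inventory is constructed.

```python
r"""Check installed OpenShift Service Mesh 1.1 RPMs against the fixed
builds in RHSA-2020:2795, 2796, 2798 and 2799.

Added example, not Red Hat tooling. rpm's version-segment comparison is
reimplemented here so the check runs without the rpm binary; feed it the
output of:  rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n'
Epoch is not shown in the advisories and is assumed to be 0 on both sides.
"""
import re
import sys

# Fixed (version, release) per package, taken from the advisory package lists.
FIXED = {
    "servicemesh-grafana": ("6.4.3", "11.el8"),
    "servicemesh-grafana-prometheus": ("6.4.3", "11.el8"),
    "servicemesh-proxy": ("1.1.4", "2.el8"),
    "servicemesh-operator": ("1.1.4", "3.el8"),
    "servicemesh-cni": ("1.1.4", "2.el8"),
}

SEGMENT_RE = re.compile(r"[0-9]+|[A-Za-z]+|~")


def rpmvercmp(a, b):
    """Compare two version or release strings with rpm's segment rules.

    Returns -1, 0 or 1. Separator characters are ignored; numeric segments
    compare as integers and beat alphabetic ones; a '~' segment sorts
    before anything, including the end of the other string.
    """
    sa, sb = SEGMENT_RE.findall(a), SEGMENT_RE.findall(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if x == "~" or y == "~":
            return -1 if x == "~" else 1
        if x.isdigit() and y.isdigit():
            return (int(x) > int(y)) - (int(x) < int(y))
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        return (x > y) - (x < y)
    if len(sa) == len(sb):
        return 0
    # The string with segments left over wins, unless that segment is '~'.
    longer, shorter = (sa, sb) if len(sa) > len(sb) else (sb, sa)
    a_is_longer = longer is sa
    if longer[len(shorter)] == "~":
        return -1 if a_is_longer else 1
    return 1 if a_is_longer else -1


def parse_nvra(line):
    """Split 'name-version-release.arch' into (name, version, release, arch)."""
    name, version, rel_arch = line.strip().rsplit("-", 2)
    release, arch = rel_arch.rsplit(".", 1)
    return name, version, release, arch


def compare_vr(v1, r1, v2, r2):
    """Order (version, release) pairs; the release only matters on a tie."""
    c = rpmvercmp(v1, v2)
    return c if c != 0 else rpmvercmp(r1, r2)


def audit(rpm_qa_lines):
    """Map each mesh package in the inventory to 'fixed' or 'vulnerable'.

    Packages not named in the advisories are ignored.
    """
    report = {}
    for line in rpm_qa_lines:
        if not line.strip():
            continue
        name, version, release, _arch = parse_nvra(line)
        if name not in FIXED:
            continue
        fixed_v, fixed_r = FIXED[name]
        patched = compare_vr(version, release, fixed_v, fixed_r) >= 0
        report[name] = "fixed" if patched else "vulnerable"
    return report


# Constructed sample inventory: two packages are one build behind.
SAMPLE_INVENTORY = """\
servicemesh-grafana-6.4.3-11.el8.x86_64
servicemesh-grafana-prometheus-6.4.3-9.el8.x86_64
servicemesh-proxy-1.1.4-2.el8.x86_64
servicemesh-operator-1.1.3-1.el8.x86_64
servicemesh-cni-1.1.4-2.el8.x86_64
bash-4.4.19-12.el8.x86_64
"""

if __name__ == "__main__":
    if sys.stdin.isatty():
        lines = SAMPLE_INVENTORY.splitlines()
    else:
        lines = sys.stdin.read().splitlines()
    for name, status in sorted(audit(lines).items()):
        print("%-32s %s" % (name, status))
```

Pipe the rpm -qa query from the docstring into the script on each node, or concatenate the inventories and run it once. A "fixed" result only means the installed build is at or above the advisory build; it does not replace verifying the downloaded packages' signatures (rpm -K) against the Red Hat key referenced in each advisory before installation.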