Red Hat OpenShift Service Mesh: Multiple vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.2906
              Red Hat OpenShift Service Mesh security update
                              27 August 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat OpenShift Service Mesh
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Denial of Service        -- Remote/Unauthenticated
                   Access Confidential Data -- Remote/Unauthenticated
                   Unauthorised Access      -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-39156 CVE-2021-39155 CVE-2021-32781
                   CVE-2021-32779 CVE-2021-32777 

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2021:3272
   https://access.redhat.com/errata/RHSA-2021:3273

Comment: This bulletin contains two (2) Red Hat security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat OpenShift Service Mesh 2.0.7.1 security update
Advisory ID:       RHSA-2021:3272-01
Product:           Red Hat OpenShift Service Mesh
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:3272
Issue date:        2021-08-25
CVE Names:         CVE-2021-32777 CVE-2021-32779 CVE-2021-32781 
                   CVE-2021-39155 CVE-2021-39156 
=====================================================================

1. Summary:

An update for servicemesh and servicemesh-proxy is now available for
OpenShift Service Mesh 2.0.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

2.0 - ppc64le, s390x, x86_64

3. Description:

Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio
service mesh project, tailored for installation into an on-premise
OpenShift Container Platform installation.

Security Fix(es):

* envoyproxy/envoy: HTTP request with multiple value headers can bypass
authorization policies (CVE-2021-32777)

* envoyproxy/envoy: HTTP request with a URL fragment in the URI can bypass
authorization policies (CVE-2021-32779)

* envoyproxy/envoy: denial of service when using extensions that modify
request or response sizes (CVE-2021-32781)

* istio/istio: HTTP request can bypass authorization mechanisms due to case
insensitive host comparison (CVE-2021-39155)

* istio/istio: HTTP request with fragment in URI can bypass authorization
mechanisms (CVE-2021-39156)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

The OpenShift Service Mesh Release Notes provide information on the
features and
known issues:

https://docs.openshift.com/container-platform/latest/service_mesh/v2x/servi
cemesh-release-notes.html

5. Bugs fixed (https://bugzilla.redhat.com/):

1996915 - CVE-2021-39156 istio/istio: HTTP request with fragment in URI can bypass authorization mechanisms
1996929 - CVE-2021-39155 istio/istio: HTTP request can bypass authorization mechanisms due to case insensitive host comparison
1996933 - CVE-2021-32777 envoyproxy/envoy: HTTP request with multiple value headers can bypass authorization policies
1996934 - CVE-2021-32779 envoyproxy/envoy: HTTP request with a URL fragment in the URI can bypass authorization policies
1996935 - CVE-2021-32781 envoyproxy/envoy: denial of service when using extensions that modify request or response sizes

6. Package List:

2.0:

Source:
servicemesh-2.0.7-3.el8.src.rpm
servicemesh-proxy-2.0.7-3.el8.src.rpm

ppc64le:
servicemesh-2.0.7-3.el8.ppc64le.rpm
servicemesh-istioctl-2.0.7-3.el8.ppc64le.rpm
servicemesh-mixc-2.0.7-3.el8.ppc64le.rpm
servicemesh-mixs-2.0.7-3.el8.ppc64le.rpm
servicemesh-pilot-agent-2.0.7-3.el8.ppc64le.rpm
servicemesh-pilot-discovery-2.0.7-3.el8.ppc64le.rpm
servicemesh-proxy-2.0.7-3.el8.ppc64le.rpm

s390x:
servicemesh-2.0.7-3.el8.s390x.rpm
servicemesh-istioctl-2.0.7-3.el8.s390x.rpm
servicemesh-mixc-2.0.7-3.el8.s390x.rpm
servicemesh-mixs-2.0.7-3.el8.s390x.rpm
servicemesh-pilot-agent-2.0.7-3.el8.s390x.rpm
servicemesh-pilot-discovery-2.0.7-3.el8.s390x.rpm
servicemesh-proxy-2.0.7-3.el8.s390x.rpm

x86_64:
servicemesh-2.0.7-3.el8.x86_64.rpm
servicemesh-istioctl-2.0.7-3.el8.x86_64.rpm
servicemesh-mixc-2.0.7-3.el8.x86_64.rpm
servicemesh-mixs-2.0.7-3.el8.x86_64.rpm
servicemesh-pilot-agent-2.0.7-3.el8.x86_64.rpm
servicemesh-pilot-discovery-2.0.7-3.el8.x86_64.rpm
servicemesh-proxy-2.0.7-3.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-32777
https://access.redhat.com/security/cve/CVE-2021-32779
https://access.redhat.com/security/cve/CVE-2021-32781
https://access.redhat.com/security/cve/CVE-2021-39155
https://access.redhat.com/security/cve/CVE-2021-39156
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYSe+eNzjgjWX9erEAQhgHxAApIIizjz5Ah1+9Xm1f/n4a+33VDuORc6s
nG2ZnZW8F5AqE0UQE3TTCZMNHCaiWUR9cO9Tjv89JQzsln6iJ97An5q2fgQjjq3q
0mQJwPCdIwpImSJIemYSUKdvwSmnEERWzf2mFeUKOZLH+tJfFxz1Sj+i5+ao9p3A
G0U4Cbr/orNiZdcv8zslsQM4lFS2NvcgX6K3zqvZIpd5hGUDh7je5j7wA72uifg1
qZXHBa4vehpINC8lmG87sUxvMkwDaIz+PRQ5B/YEUTtdaVyuEc80dJ/xkaN7CTTY
JvvcJMZWyIpSKcJRvLTmmU5+RXZhrCKwQq4vM7KWeYC7aXpZCf1zY7ZS1y0966Xv
Y4l+/tYJVVjPS8wPzNHrOnfSWeCMqYhWJPxmlZxNHcLtjPgp5Sc57XJEKENzRdW9
Be9wEx0qmSxdrH50IC1oGNn0XgFj8gidU9QGpT8Lv2tUBcR+5FPbOzmgLjmazD0e
FamQqPHcPkeFrpG2kuM05VUUmr67l2lAPjzqfRlqWSPkB7MmQMuhbty1B+ZK4k1L
40ct6P7FyxIBUXe3Z4AZWwxxaGkcWuh66dZt7fRZg+LcO8GpKLwfxPTfa3AUGq5b
jYCxQN3SJHBdYVj+HqLL4UztzBKcYXDlXcabtGIyAbTpfFxWkiDtyAvbmyFPSYR1
CH1IPpY27TU=
=lGLC
- -----END PGP SIGNATURE-----


- --------------------------------------------------------------------------------


- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat OpenShift Service Mesh 1.1.17.1 security update
Advisory ID:       RHSA-2021:3273-01
Product:           Red Hat OpenShift Service Mesh
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:3273
Issue date:        2021-08-25
CVE Names:         CVE-2021-32777 CVE-2021-32779 CVE-2021-32781 
                   CVE-2021-39155 CVE-2021-39156 
=====================================================================

1. Summary:

An update for servicemesh and servicemesh-proxy is now available for
OpenShift Service Mesh 1.1.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

OpenShift Service Mesh 1.1 - ppc64le, s390x, x86_64

3. Description:

Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio
service mesh project, tailored for installation into an on-premise
OpenShift Container Platform installation.

Security Fix(es):

* envoyproxy/envoy: HTTP request with multiple value headers can bypass
authorization policies (CVE-2021-32777)

* envoyproxy/envoy: HTTP request with a URL fragment in the URI can bypass
authorization policies (CVE-2021-32779)

* envoyproxy/envoy: denial of service when using extensions that modify
request or response sizes (CVE-2021-32781)

* istio/istio: HTTP request can bypass authorization mechanisms due to case
insensitive host comparison (CVE-2021-39155)

* istio/istio: HTTP request with fragment in URI can bypass authorization
mechanisms (CVE-2021-39156)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

The OpenShift Service Mesh Release Notes provide information on the
features and known issues:

https://docs.openshift.com/container-platform/4.8/service_mesh/v1x/servicem
esh-release-notes.html

5. Bugs fixed (https://bugzilla.redhat.com/):

1996915 - CVE-2021-39156 istio/istio: HTTP request with fragment in URI can bypass authorization mechanisms
1996929 - CVE-2021-39155 istio/istio: HTTP request can bypass authorization mechanisms due to case insensitive host comparison
1996933 - CVE-2021-32777 envoyproxy/envoy: HTTP request with multiple value headers can bypass authorization policies
1996934 - CVE-2021-32779 envoyproxy/envoy: HTTP request with a URL fragment in the URI can bypass authorization policies
1996935 - CVE-2021-32781 envoyproxy/envoy: denial of service when using extensions that modify request or response sizes

6. Package List:

OpenShift Service Mesh 1.1:

Source:
servicemesh-1.1.17-3.el8.src.rpm
servicemesh-proxy-1.1.17-2.el8.src.rpm

ppc64le:
servicemesh-1.1.17-3.el8.ppc64le.rpm
servicemesh-citadel-1.1.17-3.el8.ppc64le.rpm
servicemesh-galley-1.1.17-3.el8.ppc64le.rpm
servicemesh-istioctl-1.1.17-3.el8.ppc64le.rpm
servicemesh-mixc-1.1.17-3.el8.ppc64le.rpm
servicemesh-mixs-1.1.17-3.el8.ppc64le.rpm
servicemesh-pilot-agent-1.1.17-3.el8.ppc64le.rpm
servicemesh-pilot-discovery-1.1.17-3.el8.ppc64le.rpm
servicemesh-proxy-1.1.17-2.el8.ppc64le.rpm
servicemesh-sidecar-injector-1.1.17-3.el8.ppc64le.rpm

s390x:
servicemesh-1.1.17-3.el8.s390x.rpm
servicemesh-citadel-1.1.17-3.el8.s390x.rpm
servicemesh-galley-1.1.17-3.el8.s390x.rpm
servicemesh-istioctl-1.1.17-3.el8.s390x.rpm
servicemesh-mixc-1.1.17-3.el8.s390x.rpm
servicemesh-mixs-1.1.17-3.el8.s390x.rpm
servicemesh-pilot-agent-1.1.17-3.el8.s390x.rpm
servicemesh-pilot-discovery-1.1.17-3.el8.s390x.rpm
servicemesh-proxy-1.1.17-2.el8.s390x.rpm
servicemesh-sidecar-injector-1.1.17-3.el8.s390x.rpm

x86_64:
servicemesh-1.1.17-3.el8.x86_64.rpm
servicemesh-citadel-1.1.17-3.el8.x86_64.rpm
servicemesh-galley-1.1.17-3.el8.x86_64.rpm
servicemesh-istioctl-1.1.17-3.el8.x86_64.rpm
servicemesh-mixc-1.1.17-3.el8.x86_64.rpm
servicemesh-mixs-1.1.17-3.el8.x86_64.rpm
servicemesh-pilot-agent-1.1.17-3.el8.x86_64.rpm
servicemesh-pilot-discovery-1.1.17-3.el8.x86_64.rpm
servicemesh-proxy-1.1.17-2.el8.x86_64.rpm
servicemesh-sidecar-injector-1.1.17-3.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-32777
https://access.redhat.com/security/cve/CVE-2021-32779
https://access.redhat.com/security/cve/CVE-2021-32781
https://access.redhat.com/security/cve/CVE-2021-39155
https://access.redhat.com/security/cve/CVE-2021-39156
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYSe+bdzjgjWX9erEAQiCnxAAhhCnoAP2CqALTcBToSNrVQmyZ6V8scU+
mzPAnbj22bThZQbfncKVaHxf8WSqRpWz6c/weIdAsBkfhaChY7zQJcAPZTaJ4sBs
Bb5ltsuQ2Nq82yUV0ciuZG0UiALk/9swL+3QYNphl2UQ0gqFAxkExjIWLZ266MpY
iS5CC4tw9udrLJJJMeHFfjVczFwcoF9FwfdDmLKkiJYN1mGnHtTuPHuFx1QXF8fB
7LyI2EAcvMSw/XMu1tP2NFUCtsUdvb8WPahYup1MJjiCrxqA6g8okmrp0X1+Hnrd
/OfArIIlxbVLyTLOH5T0p2nmT7cD7Tr+MBIdSQ5KlUBlOGc1h8+cttqZ9YcvjIG4
ZhYCPkIoi1Dxi5TwM/WFS13setbX/4u5tGXTEBrUEM6F94rge0P4SJdGBsjsV37Y
DHi0MqLGxyxbEezxBEoOFfPAfY2r18FinfhZFSDzckUNTrbGd+QKofkkFpTovCjG
VzuVwLOH5NljL5OxvAOtNHerfhUN1wMYvahTBAiy9sHSqfsgLFKm8KQem5KHhLBH
0HZUmBRKvANVb5zESmbwZHMEast5Cdykds+16syajNpacO8e4BgmXoKL+9/5h900
gLthPnqigxSSZO2CvYYaHD2zy1R1/ZvRuDiSLcgiNIhvN3BbIvbks8UGnUfZQ2Qs
r8QEZ3nKc20=
=OVUZ
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYShTveNLKJtyKPYoAQhAdQ/8DM65aIr7WbQAwy8lUY10yH15fHfxrpkv
n1PFYQNf0mgnuAYE/r+EddiSLJZsEeYoBn87J07EqqNhhDkJOypeLY56uy8nX7D+
CziSlFDnqifHsfRuMUC7t1YUkZvCAyU3cSvIe6cnEAxiBgsjPAy8MqMivrtIo0pI
0lsrMhiT7WQa0a/TnWgXo/ggJvz3t36D61BxZ0Q4/HLQH+h9ZFrLCCCV9dOHZFYr
yptlXyrwDw3DnMZybLz8FaBAWMVJTAWKrfFMNS1fhj/o6KQrVK7MGIBQj0weNrkf
BOduXn4jjgQaxEIEx9Wfs8GCeehld2nd6t03BMqHejFyhyxsWshGUryTJhTyoXi0
GLlL19BYIoSkyZPB/8RHPKaY6RnK1ei21S+YMz9TmiWHgmPHZWiABEfzrs+jiFPP
DIz5NQpJ6H/VT9fmErr3hXpwLSSZkfdvRgbHIo2V/0GAUhyzNqdyh1/zBdFXF9xU
VsazEi9Cwd+NpfjXSkAtEqsLWjndbZXq5Ow+cACo5Xjfd/O4uvKKAhBhzcNynI2e
wrXPCG6ufGoxUMrzVtoGUBaZqNdoS0TfW8MOqu/iOb/fOWXZG0zMo3A2qlUU31oD
J/2beCaexJIt2xO/gg8ojUusqax73nIoMMcTpMpSUuMpgoETFDG3S0h6WE9gZ7YQ
o1eFZ7Ng8iY=
=SfND
-----END PGP SIGNATURE-----