-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.2906
               Red Hat OpenShift Service Mesh security update
                               27 August 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat OpenShift Service Mesh
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
                   Unauthorised Access             -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-39156 CVE-2021-39155 CVE-2021-32781
                   CVE-2021-32779 CVE-2021-32777

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2021:3272
   https://access.redhat.com/errata/RHSA-2021:3273

Comment: This bulletin contains two (2) Red Hat security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat OpenShift Service Mesh 2.0.7.1 security update
Advisory ID:       RHSA-2021:3272-01
Product:           Red Hat OpenShift Service Mesh
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:3272
Issue date:        2021-08-25
CVE Names:         CVE-2021-32777 CVE-2021-32779 CVE-2021-32781
                   CVE-2021-39155 CVE-2021-39156
=====================================================================

1. Summary:

An update for servicemesh and servicemesh-proxy is now available for
OpenShift Service Mesh 2.0.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

2.0 - ppc64le, s390x, x86_64

3. Description:

Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio
service mesh project, tailored for installation into an on-premise
OpenShift Container Platform installation.

Security Fix(es):

* envoyproxy/envoy: HTTP request with multiple value headers can bypass
authorization policies (CVE-2021-32777)

* envoyproxy/envoy: HTTP request with a URL fragment in the URI can bypass
authorization policies (CVE-2021-32779)

* envoyproxy/envoy: denial of service when using extensions that modify
request or response sizes (CVE-2021-32781)

* istio/istio: HTTP request can bypass authorization mechanisms due to case
insensitive host comparison (CVE-2021-39155)

* istio/istio: HTTP request with fragment in URI can bypass authorization
mechanisms (CVE-2021-39156)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

The OpenShift Service Mesh Release Notes provide information on the features
and known issues:

https://docs.openshift.com/container-platform/latest/service_mesh/v2x/servicemesh-release-notes.html

5. Bugs fixed (https://bugzilla.redhat.com/):

1996915 - CVE-2021-39156 istio/istio: HTTP request with fragment in URI can bypass authorization mechanisms
1996929 - CVE-2021-39155 istio/istio: HTTP request can bypass authorization mechanisms due to case insensitive host comparison
1996933 - CVE-2021-32777 envoyproxy/envoy: HTTP request with multiple value headers can bypass authorization policies
1996934 - CVE-2021-32779 envoyproxy/envoy: HTTP request with a URL fragment in the URI can bypass authorization policies
1996935 - CVE-2021-32781 envoyproxy/envoy: denial of service when using extensions that modify request or response sizes

6. Package List:

2.0:

Source:
servicemesh-2.0.7-3.el8.src.rpm
servicemesh-proxy-2.0.7-3.el8.src.rpm

ppc64le:
servicemesh-2.0.7-3.el8.ppc64le.rpm
servicemesh-istioctl-2.0.7-3.el8.ppc64le.rpm
servicemesh-mixc-2.0.7-3.el8.ppc64le.rpm
servicemesh-mixs-2.0.7-3.el8.ppc64le.rpm
servicemesh-pilot-agent-2.0.7-3.el8.ppc64le.rpm
servicemesh-pilot-discovery-2.0.7-3.el8.ppc64le.rpm
servicemesh-proxy-2.0.7-3.el8.ppc64le.rpm

s390x:
servicemesh-2.0.7-3.el8.s390x.rpm
servicemesh-istioctl-2.0.7-3.el8.s390x.rpm
servicemesh-mixc-2.0.7-3.el8.s390x.rpm
servicemesh-mixs-2.0.7-3.el8.s390x.rpm
servicemesh-pilot-agent-2.0.7-3.el8.s390x.rpm
servicemesh-pilot-discovery-2.0.7-3.el8.s390x.rpm
servicemesh-proxy-2.0.7-3.el8.s390x.rpm

x86_64:
servicemesh-2.0.7-3.el8.x86_64.rpm
servicemesh-istioctl-2.0.7-3.el8.x86_64.rpm
servicemesh-mixc-2.0.7-3.el8.x86_64.rpm
servicemesh-mixs-2.0.7-3.el8.x86_64.rpm
servicemesh-pilot-agent-2.0.7-3.el8.x86_64.rpm
servicemesh-pilot-discovery-2.0.7-3.el8.x86_64.rpm
servicemesh-proxy-2.0.7-3.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-32777
https://access.redhat.com/security/cve/CVE-2021-32779
https://access.redhat.com/security/cve/CVE-2021-32781
https://access.redhat.com/security/cve/CVE-2021-39155
https://access.redhat.com/security/cve/CVE-2021-39156
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYSe+eNzjgjWX9erEAQhgHxAApIIizjz5Ah1+9Xm1f/n4a+33VDuORc6s
nG2ZnZW8F5AqE0UQE3TTCZMNHCaiWUR9cO9Tjv89JQzsln6iJ97An5q2fgQjjq3q
0mQJwPCdIwpImSJIemYSUKdvwSmnEERWzf2mFeUKOZLH+tJfFxz1Sj+i5+ao9p3A
G0U4Cbr/orNiZdcv8zslsQM4lFS2NvcgX6K3zqvZIpd5hGUDh7je5j7wA72uifg1
qZXHBa4vehpINC8lmG87sUxvMkwDaIz+PRQ5B/YEUTtdaVyuEc80dJ/xkaN7CTTY
JvvcJMZWyIpSKcJRvLTmmU5+RXZhrCKwQq4vM7KWeYC7aXpZCf1zY7ZS1y0966Xv
Y4l+/tYJVVjPS8wPzNHrOnfSWeCMqYhWJPxmlZxNHcLtjPgp5Sc57XJEKENzRdW9
Be9wEx0qmSxdrH50IC1oGNn0XgFj8gidU9QGpT8Lv2tUBcR+5FPbOzmgLjmazD0e
FamQqPHcPkeFrpG2kuM05VUUmr67l2lAPjzqfRlqWSPkB7MmQMuhbty1B+ZK4k1L
40ct6P7FyxIBUXe3Z4AZWwxxaGkcWuh66dZt7fRZg+LcO8GpKLwfxPTfa3AUGq5b
jYCxQN3SJHBdYVj+HqLL4UztzBKcYXDlXcabtGIyAbTpfFxWkiDtyAvbmyFPSYR1
CH1IPpY27TU=
=lGLC
- -----END PGP SIGNATURE-----

- --------------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat OpenShift Service Mesh 1.1.17.1 security update
Advisory ID:       RHSA-2021:3273-01
Product:           Red Hat OpenShift Service Mesh
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:3273
Issue date:        2021-08-25
CVE Names:         CVE-2021-32777 CVE-2021-32779 CVE-2021-32781
                   CVE-2021-39155 CVE-2021-39156
=====================================================================

1. Summary:

An update for servicemesh and servicemesh-proxy is now available for
OpenShift Service Mesh 1.1.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

OpenShift Service Mesh 1.1 - ppc64le, s390x, x86_64

3. Description:

Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio
service mesh project, tailored for installation into an on-premise
OpenShift Container Platform installation.

Security Fix(es):

* envoyproxy/envoy: HTTP request with multiple value headers can bypass
authorization policies (CVE-2021-32777)

* envoyproxy/envoy: HTTP request with a URL fragment in the URI can bypass
authorization policies (CVE-2021-32779)

* envoyproxy/envoy: denial of service when using extensions that modify
request or response sizes (CVE-2021-32781)

* istio/istio: HTTP request can bypass authorization mechanisms due to case
insensitive host comparison (CVE-2021-39155)

* istio/istio: HTTP request with fragment in URI can bypass authorization
mechanisms (CVE-2021-39156)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

The OpenShift Service Mesh Release Notes provide information on the features
and known issues:

https://docs.openshift.com/container-platform/4.8/service_mesh/v1x/servicemesh-release-notes.html

5. Bugs fixed (https://bugzilla.redhat.com/):

1996915 - CVE-2021-39156 istio/istio: HTTP request with fragment in URI can bypass authorization mechanisms
1996929 - CVE-2021-39155 istio/istio: HTTP request can bypass authorization mechanisms due to case insensitive host comparison
1996933 - CVE-2021-32777 envoyproxy/envoy: HTTP request with multiple value headers can bypass authorization policies
1996934 - CVE-2021-32779 envoyproxy/envoy: HTTP request with a URL fragment in the URI can bypass authorization policies
1996935 - CVE-2021-32781 envoyproxy/envoy: denial of service when using extensions that modify request or response sizes

6. Package List:

OpenShift Service Mesh 1.1:

Source:
servicemesh-1.1.17-3.el8.src.rpm
servicemesh-proxy-1.1.17-2.el8.src.rpm

ppc64le:
servicemesh-1.1.17-3.el8.ppc64le.rpm
servicemesh-citadel-1.1.17-3.el8.ppc64le.rpm
servicemesh-galley-1.1.17-3.el8.ppc64le.rpm
servicemesh-istioctl-1.1.17-3.el8.ppc64le.rpm
servicemesh-mixc-1.1.17-3.el8.ppc64le.rpm
servicemesh-mixs-1.1.17-3.el8.ppc64le.rpm
servicemesh-pilot-agent-1.1.17-3.el8.ppc64le.rpm
servicemesh-pilot-discovery-1.1.17-3.el8.ppc64le.rpm
servicemesh-proxy-1.1.17-2.el8.ppc64le.rpm
servicemesh-sidecar-injector-1.1.17-3.el8.ppc64le.rpm

s390x:
servicemesh-1.1.17-3.el8.s390x.rpm
servicemesh-citadel-1.1.17-3.el8.s390x.rpm
servicemesh-galley-1.1.17-3.el8.s390x.rpm
servicemesh-istioctl-1.1.17-3.el8.s390x.rpm
servicemesh-mixc-1.1.17-3.el8.s390x.rpm
servicemesh-mixs-1.1.17-3.el8.s390x.rpm
servicemesh-pilot-agent-1.1.17-3.el8.s390x.rpm
servicemesh-pilot-discovery-1.1.17-3.el8.s390x.rpm
servicemesh-proxy-1.1.17-2.el8.s390x.rpm
servicemesh-sidecar-injector-1.1.17-3.el8.s390x.rpm

x86_64:
servicemesh-1.1.17-3.el8.x86_64.rpm
servicemesh-citadel-1.1.17-3.el8.x86_64.rpm
servicemesh-galley-1.1.17-3.el8.x86_64.rpm
servicemesh-istioctl-1.1.17-3.el8.x86_64.rpm
servicemesh-mixc-1.1.17-3.el8.x86_64.rpm
servicemesh-mixs-1.1.17-3.el8.x86_64.rpm
servicemesh-pilot-agent-1.1.17-3.el8.x86_64.rpm
servicemesh-pilot-discovery-1.1.17-3.el8.x86_64.rpm
servicemesh-proxy-1.1.17-2.el8.x86_64.rpm
servicemesh-sidecar-injector-1.1.17-3.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-32777
https://access.redhat.com/security/cve/CVE-2021-32779
https://access.redhat.com/security/cve/CVE-2021-32781
https://access.redhat.com/security/cve/CVE-2021-39155
https://access.redhat.com/security/cve/CVE-2021-39156
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYSe+bdzjgjWX9erEAQiCnxAAhhCnoAP2CqALTcBToSNrVQmyZ6V8scU+
mzPAnbj22bThZQbfncKVaHxf8WSqRpWz6c/weIdAsBkfhaChY7zQJcAPZTaJ4sBs
Bb5ltsuQ2Nq82yUV0ciuZG0UiALk/9swL+3QYNphl2UQ0gqFAxkExjIWLZ266MpY
iS5CC4tw9udrLJJJMeHFfjVczFwcoF9FwfdDmLKkiJYN1mGnHtTuPHuFx1QXF8fB
7LyI2EAcvMSw/XMu1tP2NFUCtsUdvb8WPahYup1MJjiCrxqA6g8okmrp0X1+Hnrd
/OfArIIlxbVLyTLOH5T0p2nmT7cD7Tr+MBIdSQ5KlUBlOGc1h8+cttqZ9YcvjIG4
ZhYCPkIoi1Dxi5TwM/WFS13setbX/4u5tGXTEBrUEM6F94rge0P4SJdGBsjsV37Y
DHi0MqLGxyxbEezxBEoOFfPAfY2r18FinfhZFSDzckUNTrbGd+QKofkkFpTovCjG
VzuVwLOH5NljL5OxvAOtNHerfhUN1wMYvahTBAiy9sHSqfsgLFKm8KQem5KHhLBH
0HZUmBRKvANVb5zESmbwZHMEast5Cdykds+16syajNpacO8e4BgmXoKL+9/5h900
gLthPnqigxSSZO2CvYYaHD2zy1R1/ZvRuDiSLcgiNIhvN3BbIvbks8UGnUfZQ2Qs
r8QEZ3nKc20=
=OVUZ
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYShTveNLKJtyKPYoAQhAdQ/8DM65aIr7WbQAwy8lUY10yH15fHfxrpkv
n1PFYQNf0mgnuAYE/r+EddiSLJZsEeYoBn87J07EqqNhhDkJOypeLY56uy8nX7D+
CziSlFDnqifHsfRuMUC7t1YUkZvCAyU3cSvIe6cnEAxiBgsjPAy8MqMivrtIo0pI
0lsrMhiT7WQa0a/TnWgXo/ggJvz3t36D61BxZ0Q4/HLQH+h9ZFrLCCCV9dOHZFYr
yptlXyrwDw3DnMZybLz8FaBAWMVJTAWKrfFMNS1fhj/o6KQrVK7MGIBQj0weNrkf
BOduXn4jjgQaxEIEx9Wfs8GCeehld2nd6t03BMqHejFyhyxsWshGUryTJhTyoXi0
GLlL19BYIoSkyZPB/8RHPKaY6RnK1ei21S+YMz9TmiWHgmPHZWiABEfzrs+jiFPP
DIz5NQpJ6H/VT9fmErr3hXpwLSSZkfdvRgbHIo2V/0GAUhyzNqdyh1/zBdFXF9xU
VsazEi9Cwd+NpfjXSkAtEqsLWjndbZXq5Ow+cACo5Xjfd/O4uvKKAhBhzcNynI2e
wrXPCG6ufGoxUMrzVtoGUBaZqNdoS0TfW8MOqu/iOb/fOWXZG0zMo3A2qlUU31oD
J/2beCaexJIt2xO/gg8ojUusqax73nIoMMcTpMpSUuMpgoETFDG3S0h6WE9gZ7YQ
o1eFZ7Ng8iY=
=SfND
-----END PGP SIGNATURE-----
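Both advisories in this bulletin give the resolution as Patch/Upgrade and list the fixed builds in their Package List sections: 2.0.7-3.el8 for every package of the 2.0 stream, and 1.1.17-3.el8 for the 1.1 stream except servicemesh-proxy, which is 1.1.17-2.el8. The script below is an added example, not part of the AusCERT bulletin or of Red Hat's advisories: it checks `rpm -qa` style package names against those fixed builds using a simplified rpmvercmp, keyed by release stream so that a fully patched 1.1.17 build is not reported as vulnerable merely because it sorts below 2.0.7. The embedded `rpm -qa` output is constructed, and the helper names (`rpm_vercmp`, `evr_cmp`, `parse_nvra`, `classify`, `audit`) are my own.

```python
"""Compare installed servicemesh RPMs against the fixed builds listed in
RHSA-2021:3272 (OpenShift Service Mesh 2.0) and RHSA-2021:3273 (1.1).

Input is the plain `rpm -qa` line format, name-version-release.arch.
That format does not print epochs, so epochs are not handled here.
"""
import re
from itertools import zip_longest

# Fixed (version, release) per package and stream, copied from the
# Package List sections of the two advisories.
_V20 = ("2.0.7", "3.el8")
_V11 = ("1.1.17", "3.el8")
FIXED = {
    "2.0": {
        "servicemesh": _V20,
        "servicemesh-istioctl": _V20,
        "servicemesh-mixc": _V20,
        "servicemesh-mixs": _V20,
        "servicemesh-pilot-agent": _V20,
        "servicemesh-pilot-discovery": _V20,
        "servicemesh-proxy": _V20,
    },
    "1.1": {
        "servicemesh": _V11,
        "servicemesh-citadel": _V11,
        "servicemesh-galley": _V11,
        "servicemesh-istioctl": _V11,
        "servicemesh-mixc": _V11,
        "servicemesh-mixs": _V11,
        "servicemesh-pilot-agent": _V11,
        "servicemesh-pilot-discovery": _V11,
        "servicemesh-proxy": ("1.1.17", "2.el8"),  # proxy release differs in 1.1
        "servicemesh-sidecar-injector": _V11,
    },
}


def _segments(s):
    """Split a version or release string into numeric and alphabetic runs."""
    return re.findall(r"\d+|[A-Za-z]+", s)


def rpm_vercmp(a, b):
    """Simplified rpmvercmp returning -1, 0 or 1.

    Numeric segments compare as integers, alphabetic ones lexically, and a
    numeric segment sorts after an alphabetic one. The tilde and caret
    rules of the real rpmvercmp are not implemented (assumption: the
    advisory's version strings do not use them).
    """
    for x, y in zip_longest(_segments(a), _segments(b)):
        if x is None:
            return -1
        if y is None:
            return 1
        if x.isdigit() and y.isdigit():
            c = (int(x) > int(y)) - (int(x) < int(y))
        elif x.isdigit():
            c = 1
        elif y.isdigit():
            c = -1
        else:
            c = (x > y) - (x < y)
        if c:
            return c
    return 0


def evr_cmp(vr_a, vr_b):
    """Compare (version, release) tuples the way rpm does: version first."""
    c = rpm_vercmp(vr_a[0], vr_b[0])
    return c if c else rpm_vercmp(vr_a[1], vr_b[1])


def parse_nvra(line):
    """'name-version-release.arch' -> (name, version, release, arch)."""
    nvr, arch = line.strip().rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release, arch


def classify(line):
    """Return 'fixed', 'vulnerable', 'unknown-stream', or None if the
    package is not one the advisories cover."""
    name, version, release, _ = parse_nvra(line)
    if not any(name in pkgs for pkgs in FIXED.values()):
        return None
    stream = ".".join(version.split(".")[:2])  # "2.0.7" -> "2.0"
    fixed = FIXED.get(stream, {}).get(name)
    if fixed is None:
        return "unknown-stream"
    return "fixed" if evr_cmp((version, release), fixed) >= 0 else "vulnerable"


def audit(rpm_qa_output):
    """Map each covered installed package to its status."""
    result = {}
    for line in rpm_qa_output.splitlines():
        if not line.strip():
            continue
        status = classify(line)
        if status is not None:
            result[line.strip()] = status
    return result


# Constructed sample of `rpm -qa` output; not taken from any real host.
SAMPLE = """\
servicemesh-2.0.7-3.el8.x86_64
servicemesh-proxy-2.0.6-1.el8.x86_64
servicemesh-pilot-agent-1.1.17-3.el8.x86_64
servicemesh-proxy-1.1.17-2.el8.x86_64
servicemesh-galley-1.1.16-1.el8.s390x
bash-4.4.20-1.el8.x86_64
"""

if __name__ == "__main__":
    for pkg, status in audit(SAMPLE).items():
        print(f"{status:15} {pkg}")
```

A version that sorts below the fixed build is reported as vulnerable, a version on a stream neither advisory covers is reported as unknown-stream rather than silently passed, and packages the advisories do not mention are skipped. The same function applies to any inventory source that yields names in the same name-version-release.arch form.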