[RHSA-2023:5175-01] Important: Red Hat OpenShift Service Mesh 2.2.10 security update
Red Hat Security Advisory
Synopsis: Important: Red Hat OpenShift Service Mesh 2.2.10 security update
Advisory ID: RHSA-2023:5175-01
Product: Red Hat OpenShift Service Mesh
Advisory URL: https://access.redhat.com/errata/RHSA-2023:5175
Issue date: 2023-09-14
CVE Names: CVE-2016-3709 CVE-2020-24736 CVE-2023-1667
CVE-2023-2283 CVE-2023-2602 CVE-2023-2603
CVE-2023-3899 CVE-2023-26604 CVE-2023-27536
CVE-2023-28321 CVE-2023-28484 CVE-2023-29469
CVE-2023-32681 CVE-2023-34969 CVE-2023-35941
Red Hat OpenShift Service Mesh 2.2.10
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio
service mesh project, tailored for installation into an OpenShift Container
* envoy: OAuth2 credentials exploit with permanent validity (CVE-2023-35941)
* envoy: Incorrect handling of HTTP requests and responses with mixed case schemes (CVE-2023-35944)
* envoy: HTTP/2 memory leak in nghttp2 codec (CVE-2023-35945)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
4. Bugs fixed ( https://bugzilla.redhat.com/):
2217977 - CVE-2023-35941 envoy: OAuth2 credentials exploit with permanent validity
2217983 - CVE-2023-35945 envoy: HTTP/2 memory leak in nghttp2 codec
2217985 - CVE-2023-35944 envoy: Incorrect handling of HTTP requests and responses with mixed case schemes
5. JIRA issues fixed ( https://issues.redhat.com/):
OSSM-4799 - Kiali base-image update for OSSM 2.2.10
The Red Hat security contact is [firstname.lastname@example.org]. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2023 Red Hat, Inc.
A Red Hat OpenShift Service Mesh 2.2.10 security update has been released.