-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2020.2714
Red Hat OpenShift Service Mesh security update
7 August 2020
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Red Hat OpenShift Service Mesh
Publisher: Red Hat
Operating System: Red Hat Enterprise Linux Server 7
Red Hat Enterprise Linux WS/Desktop 7
Red Hat Enterprise Linux Server 8
Red Hat Enterprise Linux WS/Desktop 8
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Denial of Service -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2020-14040 CVE-2020-12666 CVE-2020-11023
CVE-2020-9283 CVE-2020-8203
Reference: ESB-2020.2575
ESB-2020.2517
ESB-2020.2375
ESB-2020.2287
ESB-2020.1961
Original Bulletin:
https://access.redhat.com/errata/RHSA-2020:3369
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: Red Hat OpenShift Service Mesh security update
Advisory ID: RHSA-2020:3369-01
Product: Red Hat OpenShift Service Mesh
Advisory URL: https://access.redhat.com/errata/RHSA-2020:3369
Issue date: 2020-08-06
CVE Names: CVE-2020-8203 CVE-2020-9283 CVE-2020-11023
CVE-2020-12666 CVE-2020-14040
=====================================================================
1. Summary:
An update is now available for OpenShift Service Mesh 1.1.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
OpenShift Service Mesh 1.1 - x86_64
Red Hat OpenShift Service Mesh 1.1 - x86_64
3. Description:
Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio
service mesh project, tailored for installation into an on-premise
OpenShift Container Platform installation.
Security Fix(es):
* golang.org/x/crypto: Processing of crafted ssh-ed25519 public keys allows
for panic (CVE-2020-9283)
* nodejs-lodash: prototype pollution in zipObjectDeep function
(CVE-2020-8203)
* jQuery: passing HTML containing elements to manipulation methods
could result in untrusted code execution (CVE-2020-11023)
* macaron: open redirect in the static handler (CVE-2020-12666)
* golang.org/x/text: possibility to trigger an infinite loop in
encoding/unicode could lead to crash (CVE-2020-14040)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1804533 - CVE-2020-9283 golang.org/x/crypto: Processing of crafted ssh-ed25519 public keys allows for panic
1850004 - CVE-2020-11023 jQuery: passing HTML containing elements to manipulation methods could result in untrusted code execution
1850034 - CVE-2020-12666 macaron: open redirect in the static handler
1853652 - CVE-2020-14040 golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash
1857412 - CVE-2020-8203 nodejs-lodash: prototype pollution in zipObjectDeep function
6. Package List:
Red Hat OpenShift Service Mesh 1.1:
Source:
kiali-v1.12.10.redhat2-1.el7.src.rpm
x86_64:
kiali-v1.12.10.redhat2-1.el7.x86_64.rpm
OpenShift Service Mesh 1.1:
Source:
ior-1.1.6-1.el8.src.rpm
servicemesh-1.1.6-1.el8.src.rpm
servicemesh-cni-1.1.6-1.el8.src.rpm
servicemesh-grafana-6.4.3-13.el8.src.rpm
servicemesh-operator-1.1.6-2.el8.src.rpm
servicemesh-prometheus-2.14.0-14.el8.src.rpm
x86_64:
ior-1.1.6-1.el8.x86_64.rpm
servicemesh-1.1.6-1.el8.x86_64.rpm
servicemesh-citadel-1.1.6-1.el8.x86_64.rpm
servicemesh-cni-1.1.6-1.el8.x86_64.rpm
servicemesh-galley-1.1.6-1.el8.x86_64.rpm
servicemesh-grafana-6.4.3-13.el8.x86_64.rpm
servicemesh-grafana-prometheus-6.4.3-13.el8.x86_64.rpm
servicemesh-istioctl-1.1.6-1.el8.x86_64.rpm
servicemesh-mixc-1.1.6-1.el8.x86_64.rpm
servicemesh-mixs-1.1.6-1.el8.x86_64.rpm
servicemesh-operator-1.1.6-2.el8.x86_64.rpm
servicemesh-pilot-agent-1.1.6-1.el8.x86_64.rpm
servicemesh-pilot-discovery-1.1.6-1.el8.x86_64.rpm
servicemesh-prometheus-2.14.0-14.el8.x86_64.rpm
servicemesh-sidecar-injector-1.1.6-1.el8.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2020-8203
https://access.redhat.com/security/cve/CVE-2020-9283
https://access.redhat.com/security/cve/CVE-2020-11023
https://access.redhat.com/security/cve/CVE-2020-12666
https://access.redhat.com/security/cve/CVE-2020-14040
https://access.redhat.com/security/updates/classification/#moderate
8. Contact:
The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBXyxlxtzjgjWX9erEAQhclg/9EnxiLQNfrShlYbIMVx2JN4/4KbHJ3Dpp
I2gHNeTC4SraZTTYo8NTitoQZO9GduCythbyBPKoH+jJC7qwZ9dIMPMJMjPtACNf
5ci4QbhTf/HNMntoEpvtvLIql6im1fEPjFE8+CY1cb1ChjsALgLqdB+OaALAGA5D
XKj/ezACrGHtMpjG1e7o1dOTK/y/F9c1Flb9KbackwjXCRHVMaiMiWKF5Emxpq8k
+YAk6CoGiq/HUuldvbq/ZK9ZNkEy7z5pamV39OWEFvTzZyCTejoBIbots4rLaSvh
xZQEwGGNY6Y86zirpiTrercZiIgyoEH0f5c3nXodC4u7QPPYy29nyN1DW1zgfpOZ
1vHHXH1bqIo8lkZnXFL/eFgtdn6QEuxUQSj+YaE39sq0VkDthhSEc6rHRZErxdFL
TAKIFy1K96A5zs9mixiL+ATG5ZFlGKGdOqxW450cPSCoJBe1Y2DOUJzULfw4ikjg
cqsLjzPHTUOoBaAzdBas4KF2OiLvU28YfeBRP4y/mWElSKTt3zkerrzvBHr0kKeT
MgSBpbnLU3rE5VUwu9ir0KyiIQmFT8/NN6erEsLw0+gtceI7GRpDv3b3TZA38p9v
itxqoq5R+xA3Ar1MFLBad7um78FElw4r6qQx5VEcQuZ3Jfx5NXQnQhcTX+k/QvT7
IpvJsEUV9VY=
=TiBu
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXyzkIONLKJtyKPYoAQgs0g//bE4np9u1AWGbOtMeGWkTCIFMU1uTdQ6V
raAMYkFMxShVSPMiVCaj7VH4SPVwSHwMcElLsXH1XrOU7zQ5dOmp6i31BKU9JnAP
qa4dhorW2V+MopsaOUblMctPMl0KvLnCpq2CerXnvUdU3O4MG37u7PezJG8vb/y7
X7H5AAM0tRQKfD1UOOLuLp/cy7fhp/xKwZrJPJt4C3QHNHWhLWentePotS4T3S7I
0k1mvnIgH3N91U85Lf3seIG83/gdDK1KmKrUXWNbQdKxpaVfjazInSJjv2nGHCPR
M3IxRVVlz0vHvuavinW66zHoUyjjYT/VRVUs/IRY6zTEcS7heZMwPgm0fTfEkzvy
DNV3VzoLvOeEVHGSuOneNmOunB2ko/GNxO1yJHcoDP3BJOPh/1U5TDlUc1To0vbe
kE6lm/jewwNKkrDrjPExaIP/vCyCelgD0O1zgT39kuL8Aa5/FHmf9K2BeMFWUJg2
4kVWpQHHV1khMJWpEw8s3bdHnnSQ2EkwM8lTx6jsjnQKxNM6mNDD/wyvKNXjTO7k
ah/e73RkaAjIkrqlY/xbbK2AX/061USr5nQ/ps7U6RElN0/A2TBc19IJZqkQIW3O
7KnJemn1DTtfMeND8Ui7HfSliluryu8UE4uklZzZmx2Hlfp110ZYg5svfOiaYfjI
aP97WdVXYsU=
=PSSi
-----END PGP SIGNATURE-----
https://www.malwaredevil.com/2020/08/07/esb-2020-2714-redhat-red-hat-openshift-service-mesh-multiple-vulnerabilities/?utm_source=rss&utm_medium=rss&utm_campaign=esb-2020-2714-redhat-red-hat-openshift-service-mesh-multiple-vulnerabilities
No comments:
Post a Comment