Detections
Analytics
RHEL 8 : Red Hat OpenShift Service Mesh 2.1.2 (RHSA-2022:1275)
critical Nessus Plugin ID 159596
Language:
Synopsis
The remote Red Hat host is missing one or more security updates for Red Hat OpenShift Service Mesh 2.1.2.Description
The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2022:1275 advisory.Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation.
This advisory covers the RPM packages for the release.
Security Fix(es):
* envoy: Incorrect configuration handling allows mTLS session re-use without re-validation (CVE-2022-21654)
* envoy: Incorrect handling of internal redirects to routes with a direct response entry (CVE-2022-21655)
* istio: Unauthenticated control plane denial of service attack due to stack exhaustion (CVE-2022-24726)
* envoy: Null pointer dereference when using JWT filter safe_regex match (CVE-2021-43824)
* envoy: Use-after-free when response filters increase response data (CVE-2021-43825)
* envoy: Use-after-free when tunneling TCP over HTTP (CVE-2021-43826)
* envoy: Stack exhaustion when a cluster is deleted via Cluster Discovery Service (CVE-2022-23606)
* istio: unauthenticated control plane denial of service attack (CVE-2022-23635)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Update the RHEL Red Hat OpenShift Service Mesh 2.1.2 package based on the guidance in RHSA-2022:1275.See Also
http://www.nessus.org/u?9f3a2912
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/errata/RHSA-2022:1275
https://bugzilla.redhat.com/show_bug.cgi?id=2050744
https://bugzilla.redhat.com/show_bug.cgi?id=2050746
https://bugzilla.redhat.com/show_bug.cgi?id=2050748
https://bugzilla.redhat.com/show_bug.cgi?id=2050753
https://bugzilla.redhat.com/show_bug.cgi?id=2050757
https://bugzilla.redhat.com/show_bug.cgi?id=2050758
https://bugzilla.redhat.com/show_bug.cgi?id=2057277
https://bugzilla.redhat.com/show_bug.cgi?id=2061638
https://issues.redhat.com/browse/OSSM-1074
Plugin Details
Severity: Critical
ID: 159596
File Name: redhat-RHSA-2022-1275.nasl
Version: 1.9
Type: local
Agent: unix
Family: Red Hat Local Security Checks
Published: 4/8/2022
Updated: 11/7/2024
Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus
Risk Information
VPR
Risk Factor: Medium
Score: 5.9
Vendor
Vendor Severity: Important
CVSS v2
Risk Factor: Medium
Base Score: 6.8
Temporal Score: 5
Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS Score Source: CVE-2022-21654
CVSS v3
Risk Factor: Critical
Base Score: 9.8
Temporal Score: 8.5
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
Vulnerability Information
CPE: p-cpe:/a:redhat:enterprise_linux:servicemesh-cni, p-cpe:/a:redhat:enterprise_linux:servicemesh-proxy, p-cpe:/a:redhat:enterprise_linux:servicemesh-pilot-discovery, cpe:/o:redhat:enterprise_linux:8, p-cpe:/a:redhat:enterprise_linux:servicemesh, p-cpe:/a:redhat:enterprise_linux:servicemesh-proxy-wasm, p-cpe:/a:redhat:enterprise_linux:servicemesh-pilot-agent
Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu
Exploit Ease: No known exploits are available
Patch Publication Date: 4/7/2022
Vulnerability Publication Date: 2/22/2022
Reference Information
CVE: CVE-2021-43824, CVE-2021-43825, CVE-2021-43826, CVE-2022-21654, CVE-2022-21655, CVE-2022-23606, CVE-2022-23635, CVE-2022-24726