Executive Summary

Summary
Title Red Hat OpenShift Service Mesh 1.0.9 servicemesh-proxy security update
Informations
Name RHSA-2020:0734 First vendor Publication 2020-03-05
Vendor RedHat Last vendor Modification 2020-03-05
Severity (Vendor) N/A Revision 01

Security-Database Scoring CVSS v3

Cvss vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Overall CVSS Score 9.8
Base Score 9.8 Environmental Score 9.8
impact SubScore 5.9 Temporal Score 9.8
Exploitabality Sub Score 3.9
 
Attack Vector Network Attack Complexity Low
Privileges Required None User Interaction None
Scope Unchanged Confidentiality Impact High
Integrity Impact High Availability Impact High
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Cvss Base Score 7.5 Attack Range Network
Cvss Impact Score 6.4 Attack Complexity Low
Cvss Expoit Score 10 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Problem Description:

Red Hat OpenShift Service Mesh 1.0.9.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

OpenShift Service Mesh 1.0 - x86_64

3. Description:

Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation.

Security Fix(es):

* envoy: Excessive CPU and/or memory usage when proxying HTTP/1.1 (CVE-2020-8659)

* envoy: TLS inspector bypassc (CVE-2020-8660)

* envoy: Response flooding for HTTP/1.1 (CVE-2020-8661)

* envoy: Incorrect Access Control when using SDS with Combined Validation Context (CVE-2020-8664)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

4. Solution:

The OpenShift Service Mesh release notes provide information on the features and known issues:

https://docs.openshift.com/container-platform/4.3/service_mesh/servicemesh- release-notes.html

5. Bugs fixed (https://bugzilla.redhat.com/):

1802539 - CVE-2020-8659 envoy: Excessive CPU and/or memory usage when proxying HTTP/1.1 1802540 - CVE-2020-8661 envoy: Response flooding for HTTP/1.1 1802542 - CVE-2020-8664 envoy: Incorrect Access Control when using SDS with Combined Validation Context 1802545 - CVE-2020-8660 envoy: TLS inspector bypassc

Original Source

Url : https://rhn.redhat.com/errata/RHSA-2020-0734.html

CWE : Common Weakness Enumeration

% Id Name
25 % CWE-770 Allocation of Resources Without Limits or Throttling
25 % CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
25 % CWE-345 Insufficient Verification of Data Authenticity
25 % CWE-287 Improper Authentication

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 18
Application 2
Os 1

Alert History

If you want to see full details history, please login or register.
0
1
Date Informations
2020-05-23 13:03:45
  • Multiple Updates
2020-03-19 13:20:05
  • First insertion