-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat OpenShift Service Mesh 1.0 servicemesh-grafana security update
Advisory ID:       RHSA-2020:2861-01
Product:           Red Hat OpenShift Service Mesh
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:2861
Issue date:        2020-07-07
CVE Names:         CVE-2019-11253 CVE-2020-7660 CVE-2020-7662 
                   CVE-2020-12052 CVE-2020-12245 CVE-2020-13379 
                   CVE-2020-13430 
====================================================================
1. Summary:

An update for servicemesh-grafana is now available for OpenShift Service
Mesh 1.0.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

OpenShift Service Mesh 1.0 - x86_64

3. Description:

Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio
service mesh project, tailored for installation into an on-premise
OpenShift Container Platform installation.

Security Fix(es):

* kubernetes: YAML parsing vulnerable to "Billion Laughs" attack, allowing
for remote denial of service (CVE-2019-11253)

* grafana: SSRF incorrect access control vulnerability allows
unauthenticated users to make grafana send HTTP requests to any URL
(CVE-2020-13379)

* npm-serialize-javascript: allows remote attackers to inject arbitrary
code via the function deleteFunctions within index.js (CVE-2020-7660)

* npmjs-websocket-extensions: ReDoS vulnerability in
Sec-WebSocket-Extensions parser (CVE-2020-7662)

* grafana: XSS annotation popup vulnerability (CVE-2020-12052)

* grafana: XSS via column.title or cellLinkTooltip (CVE-2020-12245)

* grafana: XSS via the OpenTSDB datasource (CVE-2020-13430)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

The OpenShift Service Mesh release notes provide information on the
features and known issues:


5. Bugs fixed (https://bugzilla.redhat.com/):

1757701 - CVE-2019-11253 kubernetes: YAML parsing vulnerable to "Billion Laughs" attack, allowing for remote denial of service
1843640 - CVE-2020-13379 grafana: SSRF incorrect access control vulnerability allows unauthenticated users to make grafana send HTTP requests to any URL
1844228 - CVE-2020-7660 npm-serialize-javascript: allows remote attackers to inject arbitrary code via the function deleteFunctions within index.js
1845982 - CVE-2020-7662 npmjs-websocket-extensions: ReDoS vulnerability in Sec-WebSocket-Extensions parser
1848089 - CVE-2020-12052 grafana: XSS annotation popup vulnerability
1848108 - CVE-2020-13430 grafana: XSS via the OpenTSDB datasource
1848643 - CVE-2020-12245 grafana: XSS via column.title or cellLinkTooltip

6. Package List:

OpenShift Service Mesh 1.0:

Source:
servicemesh-grafana-6.2.2-38.el8.src.rpm

x86_64:
servicemesh-grafana-6.2.2-38.el8.x86_64.rpm
servicemesh-grafana-prometheus-6.2.2-38.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
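As an added check, not part of the advisory itself, the following Python script compares the servicemesh-grafana package versions installed on a host against the fixed versions listed in the Package List above. It re-implements rpm's version comparison rules (rpmvercmp, with the rarely used '^' separator omitted) so it runs without rpm installed, and assumes the host's package versions are gathered with `rpm -q --qf '%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\n' servicemesh-grafana servicemesh-grafana-prometheus`, where rpm prints "(none)" when no epoch is set. The sample output embedded in the script is constructed for illustration; the package names and fixed EVRs come from this advisory.

```python
import re

# Fixed package versions taken from the advisory's Package List (section 6).
FIXED_EVR = {
    "servicemesh-grafana": "6.2.2-38.el8",
    "servicemesh-grafana-prometheus": "6.2.2-38.el8",
}

# Constructed sample of `rpm -q --qf '%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\n'`
# output from a hypothetical host (not real data); rpm prints "(none)" for an
# unset epoch. The first package is one build behind the fixed version.
SAMPLE_RPM_OUTPUT = """\
servicemesh-grafana (none):6.2.2-37.el8
servicemesh-grafana-prometheus (none):6.2.2-38.el8
"""

# Version strings are compared segment by segment: runs of digits, runs of
# letters, and the '~' pre-release marker; every other character is a separator.
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version (or release) strings following rpm's rpmvercmp rules.

    Returns -1 if a is older, 0 if equal, 1 if a is newer. Numeric segments
    compare numerically, alphabetic ones lexically; a numeric segment beats an
    alphabetic one; '~' sorts before anything, including end-of-string; when
    all shared segments match, the string with segments left over is newer.
    (The rarely used '^' separator is not handled here.)
    """
    if a == b:
        return 0
    ta, tb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for i in range(max(len(ta), len(tb))):
        x = ta[i] if i < len(ta) else None
        y = tb[i] if i < len(tb) else None
        if x == "~" or y == "~":
            if x != "~":
                return 1
            if y != "~":
                return -1
            continue
        if x is None:  # a ran out of segments first, so a is older
            return -1
        if y is None:
            return 1
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return 1 if xi > yi else -1
        elif x != y:
            return 1 if x > y else -1
    return 0


def parse_evr(evr: str) -> tuple:
    """Split 'epoch:version-release' into (epoch, version, release).

    A missing or "(none)" epoch is treated as 0; a missing release as "".
    """
    epoch = "0"
    if ":" in evr:
        epoch, evr = evr.split(":", 1)
    if epoch in ("", "(none)"):
        epoch = "0"
    if "-" in evr:
        version, release = evr.rsplit("-", 1)
    else:
        version, release = evr, ""
    return epoch, version, release


def evr_cmp(a: str, b: str) -> int:
    """Compare two EVR labels: epoch first, then version, then release."""
    for x, y in zip(parse_evr(a), parse_evr(b)):
        r = rpmvercmp(x, y)
        if r:
            return r
    return 0


def is_fixed(package: str, installed_evr: str) -> bool:
    """True if the installed EVR is at or above the advisory's fixed EVR."""
    return evr_cmp(installed_evr, FIXED_EVR[package]) >= 0


def audit(rpm_output: str) -> dict:
    """Map each advisory package found in rpm query output to its fixed status.

    Lines for packages the advisory does not name are ignored.
    """
    result = {}
    for line in rpm_output.splitlines():
        line = line.strip()
        if not line:
            continue
        name, evr = line.split(None, 1)
        if name in FIXED_EVR:
            result[name] = is_fixed(name, evr)
    return result


if __name__ == "__main__":
    for name, ok in audit(SAMPLE_RPM_OUTPUT).items():
        print(f"{name}: {'fixed' if ok else 'NOT fixed, update required'}")
```

On a real host, pipe the rpm query output into audit() instead of the constructed sample; a False result means the host still carries a build older than the one shipped by this advisory. Epoch is compared first, so a package with a higher epoch is treated as newer even if its version number is lower, which matches how rpm itself decides upgrades.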

7. References:

https://access.redhat.com/security/cve/CVE-2019-11253
https://access.redhat.com/security/cve/CVE-2020-7660
https://access.redhat.com/security/cve/CVE-2020-7662
https://access.redhat.com/security/cve/CVE-2020-12052
https://access.redhat.com/security/cve/CVE-2020-12245
https://access.redhat.com/security/cve/CVE-2020-13379
https://access.redhat.com/security/cve/CVE-2020-13430
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
