RHSA-2020:2861: Important: Red Hat OpenShift Service Mesh 1.0 servicemesh-grafana security update
Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation.<br>Security Fix(es):<br><li> kubernetes: YAML parsing vulnerable to "Billion Laughs" attack, allowing for remote denial of service (CVE-2019-11253)</li> <li> grafana: SSRF incorrect access control vulnerability allows unauthenticated users to make grafana send HTTP requests to any URL (CVE-2020-13379)</li> <li> npm-serialize-javascript: allows remote attackers to inject arbitrary code via the function deleteFunctions within index.js (CVE-2020-7660)</li> <li> npmjs-websocket-extensions: ReDoS vulnerability in Sec-WebSocket-Extensions parser (CVE-2020-7662)</li> <li> grafana: XSS annotation popup vulnerability (CVE-2020-12052)</li> <li> grafana: XSS via column.title or cellLinkTooltip (CVE-2020-12245)</li> <li> grafana: XSS via the OpenTSDB datasource (CVE-2020-13430)</li> For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Affected Software
Remediation
Event History
Frequently Asked Questions
What is the severity of RHSA-2020:2861?
The severity of RHSA-2020:2861 is classified as important.
What are the affected software packages for RHSA-2020:2861?
The affected software packages include servicemesh-grafana and servicemesh-grafana-prometheus in version 6.2.2-38.el8.
How do I fix RHSA-2020:2861?
To fix RHSA-2020:2861, update the affected packages to version 6.2.2-38.el8.
What vulnerability does RHSA-2020:2861 address?
RHSA-2020:2861 addresses a YAML parsing vulnerability that is susceptible to the 'Billion Laughs' attack.
Is there a workaround for RHSA-2020:2861?
There is no official workaround for RHSA-2020:2861, and updating is the recommended course of action.