Red Hat Security Advisory 2024-0204-03 - Red Hat OpenShift Container Platform release 4.14.9 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0204.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: OpenShift Container Platform 4.14.9 bug fix and security update  
Advisory ID:        RHSA-2024:0204-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:0204  
Issue date:         2024-01-20  
Revision:           03  
CVE Names:          CVE-2023-45142  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.14.9 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.14.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container Platform 4.14.9. See the following advisory for the RPM packages for this release:

https://access.redhat.com/errata/RHSA-2024:0207

Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.14/release_notes/ocp-4-14-release-notes.html

Security Fix(es):

* opentelemetry: DoS vulnerability in otelhttp (CVE-2023-45142)

* opentelemetry-go-contrib: DoS vulnerability in otelgrpc due to unbound cardinality metrics (CVE-2023-47108)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

All OpenShift Container Platform 4.14 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.14/updating/updating_a_cluster/updating-cluster-cli.html

Solution:

CVEs:

CVE-2023-45142

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2245180  
https://bugzilla.redhat.com/show_bug.cgi?id=2251198  
https://issues.redhat.com/browse/OCPBUGS-19431  
https://issues.redhat.com/browse/OCPBUGS-22360  
https://issues.redhat.com/browse/OCPBUGS-22788  
https://issues.redhat.com/browse/OCPBUGS-22895  
https://issues.redhat.com/browse/OCPBUGS-23936  
https://issues.redhat.com/browse/OCPBUGS-24037  
https://issues.redhat.com/browse/OCPBUGS-24640  
https://issues.redhat.com/browse/OCPBUGS-25595  
https://issues.redhat.com/browse/OCPBUGS-25804  
https://issues.redhat.com/browse/OCPBUGS-25997  
https://issues.redhat.com/browse/OCPBUGS-26006  
https://issues.redhat.com/browse/OCPBUGS-26044  
https://issues.redhat.com/browse/OCPBUGS-26065  
https://issues.redhat.com/browse/OCPBUGS-26171  
https://issues.redhat.com/browse/OCPBUGS-26207  
https://issues.redhat.com/browse/OCPBUGS-26214  
https://issues.redhat.com/browse/OCPBUGS-26421

Red Hat Security Advisory 2024-0204-03

Red Hat Security Advisory 2024-0198-03 - Red Hat OpenShift Container Platform release 4.12.47 is now available with updates to packages and images that fix several bugs and add enhancements.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0198.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenShift Container Platform 4.12.47 security update  
Advisory ID:        RHSA-2024:0198-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:0198  
Issue date:         2024-01-20  
Revision:           03  
CVE Names:          CVE-2022-41723  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.12.47 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.12.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing  
Kubernetes application platform solution designed for on-premise or private  
cloud deployments.

Security Fix(es):

* golang: net/http, x/net/http2: rapid stream resets can cause excessive work (Rapid Reset Attack) (CVE-2023-39325)

A Red Hat Security Bulletin which addresses further details about the Rapid Reset flaw is available in the References section.

* net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding (CVE-2022-41723)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2022-41723

References:

https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/security/vulnerabilities/RHSB-2023-003  
https://bugzilla.redhat.com/show_bug.cgi?id=2178358  
https://bugzilla.redhat.com/show_bug.cgi?id=2243296  
https://issues.redhat.com/browse/OCPBUGS-17370  
https://issues.redhat.com/browse/OCPBUGS-22091  
https://issues.redhat.com/browse/OCPBUGS-22431  
https://issues.redhat.com/browse/OCPBUGS-22689  
https://issues.redhat.com/browse/OCPBUGS-23184  
https://issues.redhat.com/browse/OCPBUGS-23302  
https://issues.redhat.com/browse/OCPBUGS-23486  
https://issues.redhat.com/browse/OCPBUGS-24256  
https://issues.redhat.com/browse/OCPBUGS-24480  
https://issues.redhat.com/browse/OCPBUGS-25213  
https://issues.redhat.com/browse/OCPBUGS-25214  
https://issues.redhat.com/browse/OCPBUGS-25303  
https://issues.redhat.com/browse/OCPBUGS-25642

Red Hat Security Advisory 2024-0198-03

Red Hat Security Advisory 2024-0193-03 - An update is now available for Red Hat OpenShift Container Platform 4.13.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0193.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenShift Container Platform 4.13.29 bug fix and security update  
Advisory ID:        RHSA-2024:0193-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:0193  
Issue date:         2024-01-20  
Revision:           03  
CVE Names:          CVE-2021-20329  
====================================================================

Summary: 

An update is now available for Red Hat OpenShift Container Platform 4.13.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container Platform 4.13.29. See the following advisory for the RPM packages for this release:

https://access.redhat.com/errata/RHSA-2024:0195

Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.13/release_notes/ocp-4-13-release-notes.html

Security Fix(es):

* golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487) (CVE-2023-39325)

* mongo-go-driver: specific cstrings input may not be properly validated (CVE-2021-20329)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://docs.openshift.com/container-platform/4.13/release_notes/ocp-4-13-release-notes.html

CVEs:

CVE-2021-20329

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=1971033  
https://bugzilla.redhat.com/show_bug.cgi?id=2243296  
https://issues.redhat.com/browse/OCPBUGS-19658  
https://issues.redhat.com/browse/OCPBUGS-23483  
https://issues.redhat.com/browse/OCPBUGS-25988

Red Hat Security Advisory 2024-0193-03

Red Hat Security Advisory 2024-0304-03 - Updated images are now available for Red Hat Advanced Cluster Security 3.74. The updated images includes bug and security fixes.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0304.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: RHACS 3.74 enhancement and security update  
Advisory ID:        RHSA-2024:0304-03  
Product:            Red Hat Advanced Cluster Security for Kubernetes  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:0304  
Issue date:         2024-01-19  
Revision:           03  
CVE Names:          CVE-2023-5868  
====================================================================

Summary: 

Updated images are now available for Red Hat Advanced Cluster Security 3.74. The updated images includes bug and security fixes.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

This release of RHACS 3.74.8 provides the following changes:

* The HTTP/2 functionality in the RHACS Operator webhook has been disabled  
to mitigate CVE-2023-44487.  
* Fixed postgresql vulnerabilities in multiple images.

Solution:

CVEs:

CVE-2023-5868

References:

https://docs.openshift.com/acs/3.74/release_notes/374-release-notes.html  
https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2228111  
https://bugzilla.redhat.com/show_bug.cgi?id=2247168  
https://bugzilla.redhat.com/show_bug.cgi?id=2247169  
https://bugzilla.redhat.com/show_bug.cgi?id=2247170  
https://issues.redhat.com/browse/ROX-20391  
https://issues.redhat.com/browse/ROX-20542  
https://issues.redhat.com/browse/ROX-21190  
https://issues.redhat.com/browse/ROX-21784  
https://issues.redhat.com/browse/ROX-21785  
https://issues.redhat.com/browse/ROX-21786  
https://issues.redhat.com/browse/ROX-21787

Red Hat Security Advisory 2024-0304-03

Red Hat Security Advisory 2024-0300-03 - An update for python-urllib3 is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0300.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: python-urllib3 security updateAdvisory ID:        RHSA-2024:0300-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:0300Issue date:         2024-01-18Revision:           03CVE Names:          CVE-2023-43804====================================================================Summary: An update for python-urllib3 is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The python-urllib3 package provides the Python HTTP module with connection pooling and file POST abilities.Security Fix(es):* python-urllib3: Cookie request header isn't stripped during cross-origin redirects (CVE-2023-43804)* urllib3: Request body not stripped after redirect from 303 status changes request method to GET (CVE-2023-45803)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-43804References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2242493https://bugzilla.redhat.com/show_bug.cgi?id=2246840

Red Hat Security Advisory 2024-0300-03

Red Hat Security Advisory 2024-0299-03 - An update for python-requests is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0299.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: python-requests security updateAdvisory ID:        RHSA-2024:0299-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:0299Issue date:         2024-01-18Revision:           03CVE Names:          CVE-2023-32681====================================================================Summary: An update for python-requests is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The python-requests package contains a library designed to make HTTP requests easy for developers.Security Fix(es):* python-requests: Unintended leak of Proxy-Authorization header (CVE-2023-32681)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-32681References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2209469

Red Hat Security Advisory 2024-0299-03

Red Hat Security Advisory 2024-0298-03 - Red Hat Advanced Cluster Management for Kubernetes 2.9.2 General Availability release images, which provide security updates and fix bugs. Issues addressed include denial of service and traversal vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0298.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Critical: Red Hat Advanced Cluster Management 2.9.2 security and bug fix container updates  
Advisory ID:        RHSA-2024:0298-03  
Product:            Red Hat ACM  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:0298  
Issue date:         2024-01-18  
Revision:           03  
CVE Names:          CVE-2023-49568  
====================================================================

Summary: 

Red Hat Advanced Cluster Management for Kubernetes 2.9.2 General  
Availability release images, which provide security updates and fix bugs.

Red Hat Product Security has rated this update as having a security impact  
of Critical. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE links in the References section.

Description:

Red Hat Advanced Cluster Management for Kubernetes 2.9.2 images

Red Hat Advanced Cluster Management for Kubernetes provides the  
capabilities to address common challenges that administrators and site  
reliability engineers face as they work across a range of public and  
private cloud environments. Clusters and applications are all visible and  
managed from a single console—with security policy built in.

Jira issues addressed:

ACM-8456: 'Search' feature on logs page is not working  
ACM-8857: credentials restore file is executed after resources restore  
ACM-8966: oc get policy still returns NonCompliant 10 minutes after deleting the certificate and secret  
ACM-9094: Configuration Policy controller unexpectedly gets taken out of uninstall mode

Security fix(es):  
CVE-2023-49568 go-git: Maliciously crafted Git server replies can cause DoS on go-git clients  
CVE-2023-49569 go-git: Maliciously crafted Git server replies can lead to path traversal and RCE on go-git clients

Solution:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.9/html-single/install/index#installing

CVEs:

CVE-2023-49568

References:

https://access.redhat.com/security/updates/classification/#critical  
https://bugzilla.redhat.com/show_bug.cgi?id=2258143  
https://bugzilla.redhat.com/show_bug.cgi?id=2258165  
https://issues.redhat.com/browse/ACM-8456  
https://issues.redhat.com/browse/ACM-8857  
https://issues.redhat.com/browse/ACM-8966  
https://issues.redhat.com/browse/ACM-9094

Red Hat Security Advisory 2024-0298-03

Red Hat Security Advisory 2024-0266-03 - An update for java-11-openjdk is now available for Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 8.8 Extended Update Support, Red Hat Enterprise Linux 9, and Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include code execution and out of bounds access vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0266.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: java-11-openjdk security update  
Advisory ID:        RHSA-2024:0266-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:0266  
Issue date:         2024-01-18  
Revision:           03  
CVE Names:          CVE-2024-20918  
====================================================================

Summary: 

An update for java-11-openjdk is now available for Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 8.8 Extended Update Support, Red Hat Enterprise Linux 9, and Red Hat Enterprise Linux 9.2 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The java-11-openjdk packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit.

Security Fix(es):

* OpenJDK: array out-of-bounds access due to missing range check in C1 compiler (8314468) (CVE-2024-20918)

* OpenJDK: RSA padding issue and timing side-channel attack against TLS (8317547) (CVE-2024-20952)

* OpenJDK: JVM class file verifier flaw allows unverified bytecode execution (8314295) (CVE-2024-20919)

* OpenJDK: range check loop optimization issue (8314307) (CVE-2024-20921)

* OpenJDK: arbitrary Java code execution in Nashorn (8314284) (CVE-2024-20926)

* OpenJDK: logging of digital signature private keys (8316976) (CVE-2024-20945)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2024-20918

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2257728  
https://bugzilla.redhat.com/show_bug.cgi?id=2257837  
https://bugzilla.redhat.com/show_bug.cgi?id=2257850  
https://bugzilla.redhat.com/show_bug.cgi?id=2257853  
https://bugzilla.redhat.com/show_bug.cgi?id=2257859  
https://bugzilla.redhat.com/show_bug.cgi?id=2257874

Red Hat Security Advisory 2024-0266-03

Many organizations require Encryption In Transit (EIT), specifying that all network traffic should be encrypted between systems. Within a Red Hat OpenShift cluster, Red Hat OpenShift Service Mesh can implement Mutual Transport Layer Security (mTLS) between pods. This process encrypts all pod-to-pod traffic, satisfying the EIT requirement.This article covers a simple application that connects to an AMQ broker and leverages Service Mesh to encrypt all communications to and from the AMQ broker.The applicationThe application is a basic producer/consumer program based on the Camel On Quarkus framew

Many organizations require Encryption In Transit (EIT), specifying that all network traffic should be encrypted between systems. Within a Red Hat OpenShift cluster, Red Hat OpenShift Service Mesh can implement Mutual Transport Layer Security (mTLS) between pods. This process encrypts all pod-to-pod traffic, satisfying the EIT requirement.

This article covers a simple application that connects to an AMQ broker and leverages Service Mesh to encrypt all communications to and from the AMQ broker.

**The application**

The application is a basic producer/consumer program based on the Camel On Quarkus framework. A camel route with a timer produces a message every second. Those messages are sent to a queue on the AMQ broker, and a second application consumes them to print them in the logs.

Here is a diagram showing this simple application running on OpenShift:

You can find the application source code here.

**Configure Service Mesh**

I'll review the different configuration pieces that make this application work with Service Mesh.

First, you need to install Service Mesh and the AMQ operators. Follow the instructions from the official Red Hat documentation to install Service Mesh. Next, follow the AMQ Operator installation instructions from the official Red Hat documentation.

It is essential to make sure that the version of the AMQ operator is at least 7.11.1, as some of the Service Mesh/AMQ integration described in this blog only works with that version or newer.

The second step is configuring Service Mesh to enable strict mTLS across the service mesh. You can achieve this by creating the following resource in the istio-system namespace:

    apiVersion: maistra.io/v2
    kind: ServiceMeshControlPlane
    spec:
     version: v2.3.1
     security:
       dataPlane:
         mtls: true

**Configure the AMQ broker**

Next, configure the AMQ broker to take advantage of Service Mesh. First, tell Service Mesh to exclude port 7800 from the mesh. This setting allows the two broker nodes to discover each other and form a cluster. Accomplish this by using the following annotation:

    traffic.sidecar.istio.io/excludeInboundPorts: '7800'

You also need to help the istio sidecar scrape the Prometheus metrics exposed by AMQ. By default, the AMQ-embedded web server doesn't listen on the localhost interface, preventing the sidecar from reaching it. You can tell the AMQ-embedded web server to listen on the localhost interface. Expose Prometheus metrics on that interface by adding the following arguments to the JVM. Note that this only works with AMQ 7.11.1 onward:

    env:
     - name: JAVA_ARGS_APPEND
     value: >-
     -Dwebconfig.bindings.my-binding.uri=http://localhost:8162
     -Dwebconfig.bindings.my-binding.apps.my-app.url=metrics
     -Dwebconfig.bindings.my-binding.apps.my-app.war=metrics.war

Finally, tell Prometheus how to scrape those metrics by using the following annotations:

    annotations:
     prometheus.io/path: /metrics/
     prometheus.io/port: '8162'
     prometheus.io/scheme: http
     prometheus.io/scrape: 'true'

And you're done. The application is now fully integrated with Service Mesh.

**Review the application in Service Mesh**

You can verify the configuration by opening Kiali and watching the network traffic from the producer to the AMQ consumer:

You could also open Grafana and review the AMQ metrics. The graphs below display the address size and the rate of messages added to the broker per second:

**Wrap up**

Red Hat OpenShift Service Mesh helps organizations meet security requirements that call for Encryption in Transit to protect information on the network. Specifically, it encrypts pod-to-pod communications using mTLS.

This article provides information and code samples to set up your own solution. Download the linked files from GitHub and give it a try today to see just how easy it is to add this layer of security to your environment.

Leveraging Red Hat Service Mesh to encrypt AMQ communication on OpenShift

Red Hat Security Advisory 2024-0279-03 - An update for gstreamer-plugins-bad-free is now available for Red Hat Enterprise Linux 7. Issues addressed include a use-after-free vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0279.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: gstreamer-plugins-bad-free security updateAdvisory ID:        RHSA-2024:0279-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:0279Issue date:         2024-01-17Revision:           03CVE Names:          CVE-2023-44446====================================================================Summary: An update for gstreamer-plugins-bad-free is now available for Red Hat Enterprise Linux 7.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:GStreamer is a streaming media framework based on graphs of filters which operate on media data. The gstreamer-plugins-bad-free package contains a collection of plug-ins for GStreamer.Security Fix(es):* gstreamer: MXF demuxer use-after-free vulnerability (CVE-2023-44446)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-44446References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2250249

Tag

#red_hat