This advisory covers a security update for Red Hat OpenShift Service Mesh Containers 2.5.4, which is Red Hat's distribution of the Istio service mesh tailored for OpenShift Container Platform. The update addresses four vulnerabilities: a Server-Side Request Forgery (CVE-2024-39338) in the axios library and three vulnerabilities related to the elliptic cryptographic library (CVE-2024-42459, CVE-2024-42460, CVE-2024-42461), including an ECDSA signature malleability issue due to missing checks. The update applies to multiple architectures and requires prior application of all relevant previous errata. Red Hat rates the security impact as low and no CVSS scores are provided in the advisory. No known active exploitation has been reported.

The vulnerabilities addressed include a Server-Side Request Forgery and cryptographic issues related to elliptic curve operations. While these could potentially affect the security posture of the service mesh, Red Hat has assessed the overall impact as low. There are no reports of known exploits in the wild. The issues could theoretically allow an attacker to manipulate certain request flows or cryptographic signatures, but the advisory does not provide detailed impact scenarios.

Red Hat has released an official security update for OpenShift Service Mesh Containers version 2.5.4 that addresses these vulnerabilities. Users should apply this update after confirming that all previously released errata relevant to their system have been installed. Detailed update instructions are available from Red Hat's official documentation. Since this is not a cloud service, remediation is the responsibility of the system administrator. There are no indications that no action is required or that the issues are already mitigated without update.