This advisory from Red Hat Product Security details security fixes in Red Hat OpenShift Service Mesh Containers version 2.5.5, which is Red Hat's distribution of the Istio service mesh for OpenShift Container Platform. It addresses nine vulnerabilities including CVE-2024-23326 where Envoy incorrectly accepts HTTP 200 responses to enter upgrade mode, CVE-2024-30255 involving HTTP/2 CPU exhaustion via CONTINUATION frame flood, CVE-2024-32976 causing infinite loops in Brotli decompression, and CVE-2024-43799 a code execution vulnerability in the Send library. Other fixes include improper sanitization in serve-static (CVE-2024-43800), DOM clobbering in webpack (CVE-2024-43788), denial of service in body-parser (CVE-2024-45590), abnormal termination in Envoy with long authority headers (CVE-2024-32475), and potential manipulation of x-envoy headers (CVE-2024-45806). The advisory confirms these vulnerabilities have been fixed in the updated containers and provides guidance to apply the update after prior errata. No known exploits in the wild are reported.

The vulnerabilities fixed in this update could allow attackers to execute code, cause denial of service, manipulate HTTP headers, or cause abnormal termination of Envoy components within the OpenShift Service Mesh environment. These issues could impact the stability, security, and reliability of service mesh operations in affected deployments. The advisory classifies the overall impact as high severity. No known active exploitation has been reported at the time of publication.

Red Hat has released updated OpenShift Service Mesh Containers version 2.5.5 that address these vulnerabilities. Users should apply this update promptly after ensuring all previously released errata relevant to their system have been applied. Detailed update instructions are available from Red Hat's official documentation. No additional mitigations are specified beyond applying the official update.