Red Hat OpenShift Service Mesh 2.4.11 includes security fixes for five vulnerabilities: CVE-2024-32475 addresses envoy abnormal termination when using auto_sni with an authority header exceeding 255 characters; CVE-2024-32976 fixes an infinite loop in envoy's Brotli decompressor; CVE-2024-43788 mitigates a DOM Clobbering vulnerability in webpack's AutoPublicPathRuntimeModule; CVE-2024-43799 resolves a code execution vulnerability in the send library; and CVE-2024-43800 corrects improper sanitization in serve-static. These vulnerabilities affect various architectures including x86_64, ppc64le, s390x, and aarch64. The advisory emphasizes applying this update only after all previous relevant errata have been applied. No CVSS scores are provided within the advisory, but the overall severity is classified as important/high.

The vulnerabilities collectively could lead to abnormal termination of envoy processes, potential denial of service via infinite loops, DOM-based security issues, code execution risks, and improper input sanitization. These issues may affect the stability and security of the OpenShift Service Mesh environment. The advisory does not report known exploits in the wild at this time. The impact is considered high due to the nature of the vulnerabilities, particularly the code execution and denial of service risks.

Red Hat has released an official security advisory (RHSA-2024:7724) providing fixes for these vulnerabilities in OpenShift Service Mesh 2.4.11. Users should apply this update after confirming that all previously released errata relevant to their system have been installed. Detailed instructions for applying the update are available in Red Hat's documentation. No additional mitigation steps are indicated beyond applying the official update. Patch status is confirmed as available via this advisory.