This advisory covers a security update for Red Hat OpenShift Service Mesh Containers version 2.4.10, which is Red Hat's distribution of the Istio service mesh tailored for OpenShift Container Platform. The update addresses five CVEs: CVE-2024-39338 (axios server-side request forgery), CVE-2024-42459 (elliptic library vulnerability), CVE-2024-42460 and CVE-2024-42461 (ECDSA signature malleability issues), and CVE-2024-28180 (jose-go improper handling of highly compressed data). These vulnerabilities impact cryptographic signature validation and request handling components. Red Hat rates the overall security impact as moderate. The advisory does not provide a CVSS score but references individual CVE pages for details. The update is available for multiple hardware architectures and requires prior application of earlier errata.

The vulnerabilities could allow attackers to exploit server-side request forgery, cryptographic signature malleability, and improper data handling, potentially undermining the integrity and security of the service mesh environment. However, Red Hat classifies the overall impact as moderate and no known active exploitation has been reported. The issues affect critical components used in service mesh cryptographic operations and request processing, which could lead to security weaknesses if unpatched.

Red Hat has released an official security update for OpenShift Service Mesh Containers version 2.4.10 that addresses these vulnerabilities. Users should apply this update after ensuring all previously released errata relevant to their system have been installed. Detailed update instructions are available from Red Hat's official documentation. There are no indications that additional mitigations beyond applying the update are required at this time.