Details:
Red Hat OpenShift Service Mesh 3.2.3, which is based on the open source Istio project, addresses a variety of problems in a microservice architecture by creating a centralized point of control in an application.
Fixes/Improvements:
Updated to Istio version 1.27.8
Multiple InferencePools on same Gateway - ext_proc lost for all but first (OSSM-12585)
Security Fix(es):
istio-rhel9-operator: Unexpected session resumption in crypto/tls (CVE-2025-68121)
istio-cni-rhel9: Unexpected session resumption in crypto/tls (CVE-2025-68121)
istio-pilot-rhel9: Unexpected session resumption in crypto/tls (CVE-2025-68121)
istio-proxyv2-rhel9: Unexpected session resumption in crypto/tls (CVE-2025-68121)
istio-rhel9-operator: Potential code smuggling via doc comments in cmd/cgo (CVE-2025-61732)
istio-cni-rhel9: Potential code smuggling via doc comments in cmd/cgo (CVE-2025-61732)
istio-pilot-rhel9: Potential code smuggling via doc comments in cmd/cgo (CVE-2025-61732)
istio-proxyv2-rhel9: Potential code smuggling via doc comments in cmd/cgo (CVE-2025-61732)
istio-rhel9-operator: cmd/go: Arbitrary file write via malicious pkg-config directive (CVE-2025-61731)
istio-cni-rhel9: cmd/go: Arbitrary file write via malicious pkg-config directive (CVE-2025-61731)
istio-pilot-rhel9: cmd/go: Arbitrary file write via malicious pkg-config directive (CVE-2025-61731)
istio-proxyv2-rhel9: cmd/go: Arbitrary file write via malicious pkg-config directive (CVE-2025-61731)
istio-rhel9-operator: Excessive CPU consumption when building archive index in archive/zip (CVE-2025-61728)
istio-cni-rhel9: Excessive CPU consumption when building archive index in archive/zip (CVE-2025-61728)
istio-pilot-rhel9: Excessive CPU consumption when building archive index in archive/zip (CVE-2025-61728)
istio-proxyv2-rhel9: Excessive CPU consumption when building archive index in archive/zip (CVE-2025-61728)
istio-rhel9-operator: Memory exhaustion in query...
CVSS: 8.6 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
Exploitability: AV:L, AC:L, PR:N, UI:R
Scope: S:C
Impact: C:H, I:H, A:H