Red Hat Product Errata RHBA-2020:0237 - Bug Fix Advisory
Issued:
2020-01-27
Updated:
2020-01-27

RHBA-2020:0237 - Bug Fix Advisory

Synopsis

Update JWS 5.2 Openshift JDK11 image to fix java-11-openjdk CVEs

Type/Severity

Bug Fix Advisory

Topic

This erratum updates the current JWS 5.2 OpenJDK11 image to provide a fix for java-11-openjdk CVEs (CVE-2020-2583, CVE-2020-2590, CVE-2020-2593, CVE-2020-2601, CVE-2020-2604, CVE-2020-2654, CVE-2020-2655)

Description

Red Hat xPaaS provides images for many of the Red Hat Middleware products for use within the OpenShift Container Platform cloud computing Platform-as-a-Service (PaaS) for on-premise or private cloud deployments.

The current JWS 5.2 OpenShift OpenJDK11 image has been updated to address java-11-openjdk CVE-2020-2583, CVE-2020-2590, CVE-2020-2593, CVE-2020-2601, CVE-2020-2604, CVE-2020-2654, CVE-2020-2655. This image can be used with OpenShift Container Platform 3.10 and 3.11.

Solution

To update to the latest JWS for OpenShift image, run the following steps to pull in the content:

On your master host(s), ensure you are logged into the CLI as a cluster administrator or user that has project administrator access to the global "openshift" project.

$ oc login -u system:admin

Then, run the following command to update the core JWS 5.2 tomcat 9 OpenShift image stream in the "openshift" project:

For updating the core JWS 5.2 tomcat 9 OpenJDK11 OpenShift image please run

$ oc -n openshift import-image jboss-webserver52-openjdk11-tomcat9-openshift:1.0

Affected Products

  • Red Hat OpenShift Container Platform 3.11 x86_64
  • Red Hat OpenShift Container Platform 3.10 x86_64

Fixes

  • BZ - 1790444 - CVE-2020-2583 OpenJDK: Incorrect exception processing during deserialization in BeanContextSupport (Serialization, 8224909)
  • BZ - 1790556 - CVE-2020-2590 OpenJDK: Improper checks of SASL message properties in GssKrb5Base (Security, 8226352)
  • BZ - 1790570 - CVE-2020-2601 OpenJDK: Use of unsafe RSA-MD5 checksum in Kerberos TGS (Security, 8229951)
  • BZ - 1790884 - CVE-2020-2593 OpenJDK: Incorrect isBuiltinStreamHandler causing URL normalization issues (Networking, 8228548)
  • BZ - 1790944 - CVE-2020-2604 OpenJDK: Serialization filter changes via jdk.serialFilter property modification (Serialization, 8231422)
  • BZ - 1790951 - CVE-2020-2655 OpenJDK: Incorrect handling of unexpected CertificateVerify TLS handshake messages (JSSE, 8231780)
  • BZ - 1791217 - CVE-2020-2654 OpenJDK: Excessive memory usage in OID processing in X.509 certificate parsing (Libraries, 8234037)

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.