RHBA-2021:4048 - Bug Fix Advisory

Topic

This erratum updates the current JBoss Web Server 5.5 UBI8 images to provide a fix for multiple OpenJDK 8 and OpenJDK 11 CVEs.

Description

Red Hat xPaaS provides images for many of the Red Hat Middleware products for use within the OpenShift Container Platform cloud computing Platform-as-a-Service (PaaS) for on-premise or private cloud deployments.

The current JBoss Web Server 5.5 UBI8 OpenJDK 8 OpenShift image has been updated to provide a fix to address the following OpenJDK 8 CVE issues:
CVE-2021-35565, CVE-2021-35567, CVE-2021-35550, CVE-2021-35556, CVE-2021-35559, CVE-2021-35561, CVE-2021-35564, CVE-2021-35578, CVE-2021-35586, CVE-2021-35588, CVE-2021-35603

The current JBoss Web Server 5.5 UBI8 OpenJDK 11 OpenShift image has been updated to provide a fix to address the following OpenJDK 11 CVE issues:
CVE-2021-35565, CVE-2021-35567, CVE-2021-35550, CVE-2021-35556, CVE-2021-35559, CVE-2021-35561, CVE-2021-35564, CVE-2021-35578, CVE-2021-35586, CVE-2021-35603

These images can be used with OpenShift Container Platform 4.6 and 4.7.

Solution

To update to the latest JBoss Web Server 5.5 for OpenShift image on UBI8, run the following steps to pull in the content:

On your master host(s), ensure you are logged in to the command line interface as a cluster administrator or user that has project administrator access to the global "openshift" project:

$ oc login -u system:admin

Then run either of the following commands to update the core JBoss Web Server 5.5 tomcat 9 OpenShift image stream in the "openshift" project:

To update the core JBoss Web Server 5.5 tomcat 9 with OpenJDK 8 OpenShift image, please run:

$ oc -n openshift import-image jboss-webserver55-openjdk8-tomcat9-openshift-ubi8:1.0

To update the core JBoss Web Server 5.5 tomcat 9 with OpenJDK 11 OpenShift image, please run:

$ oc -n openshift import-image jboss-webserver55-openjdk11-tomcat9-openshift-ubi8:1.0

Affected Products

• Red Hat OpenShift Container Platform 4.7 for RHEL 8 x86_64
• Red Hat OpenShift Container Platform 4.6 for RHEL 8 x86_64

Fixes

• BZ - 2014508 - CVE-2021-35565 OpenJDK: Loop in HttpsServer triggered during TLS session close (JSSE, 8254967)
• BZ - 2014515 - CVE-2021-35556 OpenJDK: Excessive memory allocation in RTFParser (Swing, 8265167)
• BZ - 2014518 - CVE-2021-35559 OpenJDK: Excessive memory allocation in RTFReader (Swing, 8265580)
• BZ - 2014524 - CVE-2021-35561 OpenJDK: Excessive memory allocation in HashMap and HashSet (Utility, 8266097)
• BZ - 2015061 - CVE-2021-35564 OpenJDK: Certificates with end dates too far in the future can corrupt keystore (Keytool, 8266137)
• BZ - 2015308 - CVE-2021-35586 OpenJDK: Excessive memory allocation in BMPImageReader (ImageIO, 8267735)
• BZ - 2015311 - CVE-2021-35603 OpenJDK: Non-constant comparison during TLS handshakes (JSSE, 8269618)
• BZ - 2015648 - CVE-2021-35550 OpenJDK: Weak ciphers preferred over stronger ones for TLS (JSSE, 8264210)
• BZ - 2015653 - CVE-2021-35578 OpenJDK: Unexpected exception raised during TLS handshake (JSSE, 8267729)
• BZ - 2015658 - CVE-2021-35567 OpenJDK: Incorrect principal selection when using Kerberos Constrained Delegation (Libraries, 8266689)
• BZ - 2015659 - CVE-2021-35588 OpenJDK: Incomplete validation of inner class references in ClassFileParser (Hotspot, 8268071)
• CLOUD-4049 - [JWS55] Important - OpenJDK 11 CVEs
• CLOUD-4050 - [JWS55] Important - OpenJDK 8 CVEs

CVEs

• CVE-2021-35550
• CVE-2021-35556
• CVE-2021-35559
• CVE-2021-35561
• CVE-2021-35564
• CVE-2021-35565
• CVE-2021-35567
• CVE-2021-35578
• CVE-2021-35586
• CVE-2021-35588
• CVE-2021-35603

References

• https://access.redhat.com/errata/RHSA-2021:3891
• https://access.redhat.com/errata/RHSA-2021:3893
• https://access.redhat.com/containers