Red Hat Product Errata RHBA-2022:1048 - Bug Fix Advisory
Issued:
2022-03-24
Updated:
2022-03-24

RHBA-2022:1048 - Bug Fix Advisory

Synopsis

Update JWS 5.6 Openshift images on UBI8 for Expat CVEs

Type/Severity

Bug Fix Advisory

Topic

This erratum updates the current Red Hat JBoss Web Server 5.6 UBI8 images to provide a fix for multiple Expat CVEs.

Description

Red Hat xPaaS provides images for many of the Red Hat Middleware products that are available for use within the OpenShift Container Platform cloud computing Platform-as-a-Service (PaaS) for on-premise or private cloud deployments.

The current Red Hat JBoss Web Server 5.6 OpenShift images have been updated to address Expat CVEs (CVE-2021-45960, CVE-2021-46143, CVE-2022-22822, CVE-2022-22823, CVE-2022-22824, CVE-2022-22825, CVE-2022-22826, CVE-2022-22827, CVE-2022-23852, CVE-2022-25235, CVE-2022-25236, CVE-2022-25315).

Solution

To update to the latest JBoss Web Server 5.6.1 for OpenShift image on UBI8, perform the following steps to pull in the content:

1. On your master host(s), ensure that you are logged in to the command line interface as a cluster administrator or user who has project administrator access to the global "openshift" project:

$ oc login -u system:admin

2. Run the following command to import the templates:

$ for resource in jws56-openjdk11-tomcat9-ubi8-basic-s2i.json \ jws56-openjdk11-tomcat9-ubi8-https-s2i.json \ jws56-openjdk11-tomcat9-ubi8-image-stream.json \ jws56-openjdk8-tomcat9-ubi8-basic-s2i.json \ jws56-openjdk8-tomcat9-ubi8-https-s2i.json \ jws56-openjdk8-tomcat9-ubi8-image-stream.json do oc replace -n openshift --force -f \ https://raw.githubusercontent.com/jboss-container-images/jboss-webserver-5-openshift-image/jws56el8-v5.6.1/templates/${resource} done

3. Depending on the OpenJDK version, run either of the following commands to update the core JBoss Web Server 5.6 tomcat 9 OpenShift image stream in the "openshift" project:

  • For OpenJDK 8:

To update the core JBoss Web Server 5.6 tomcat 9 with OpenJDK 8 OpenShift image, run the following command:

$ oc -n openshift import-image jboss-webserver56-openjdk8-tomcat9-openshift-ubi8:5.6.1

  • For OpenJDK 11:

To update the core JBoss Web Server 5.6 tomcat 9 with OpenJDK 11 OpenShift image, run the following command:

$ oc -n openshift import-image jboss-webserver56-openjdk11-tomcat9-openshift-ubi8:5.6.1

Affected Products

  • Red Hat OpenShift Container Platform 4.9 for RHEL 8 x86_64
  • Red Hat OpenShift Container Platform 4.8 for RHEL 8 x86_64
  • Red Hat OpenShift Container Platform for Power 4.9 for RHEL 8 ppc64le
  • Red Hat OpenShift Container Platform for Power 4.8 for RHEL 8 ppc64le
  • Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.9 for RHEL 8 s390x
  • Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.8 for RHEL 8 s390x

Fixes

  • BZ - 2044451 - CVE-2021-45960 expat: Large number of prefixed XML attributes on a single tag can crash libexpat
  • BZ - 2044455 - CVE-2021-46143 expat: Integer overflow in doProlog in xmlparse.c
  • BZ - 2044457 - CVE-2022-22822 expat: Integer overflow in addBinding in xmlparse.c
  • BZ - 2044464 - CVE-2022-22823 expat: Integer overflow in build_model in xmlparse.c
  • BZ - 2044467 - CVE-2022-22824 expat: Integer overflow in defineAttribute in xmlparse.c
  • BZ - 2044479 - CVE-2022-22825 expat: Integer overflow in lookup in xmlparse.c
  • BZ - 2044484 - CVE-2022-22826 expat: Integer overflow in nextScaffoldPart in xmlparse.c
  • BZ - 2044488 - CVE-2022-22827 expat: Integer overflow in storeAtts in xmlparse.c
  • BZ - 2044613 - CVE-2022-23852 expat: Integer overflow in function XML_GetBuffer
  • BZ - 2056363 - CVE-2022-25315 expat: Integer overflow in storeRawNames()
  • BZ - 2056366 - CVE-2022-25235 expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution
  • BZ - 2056370 - CVE-2022-25236 expat: Namespace-separator characters in "xmlns[:prefix]" attribute values can lead to arbitrary code execution
  • CLOUD-4090 - [JWS56] Important - Multiple expat CVEs

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.