- Issued:
- 2022-05-02
- Updated:
- 2022-05-02
RHBA-2022:1668 - Bug Fix Advisory
Synopsis
Update JBoss Web Server 3.1 for OpenShift images to fix java-1.8.0-openjdk CVEs
Type/Severity
Bug Fix Advisory
Topic
This erratum covers updates to the current JBoss Web Server 3.1 for OpenShift images to provide a fix for multiple java-1.8.0-openjdk CVEs.
Description
Red Hat xPaaS provides images for many of the Red Hat Middleware products that are available for use within the OpenShift Container Platform cloud computing Platform-as-a-Service (PaaS) for on-premise or private cloud deployments.
The current JBoss Web Server 3.1 for OpenShift images have been updated to address the following java-1.8.0-openjdk CVEs:
CVE-2022-21476, CVE-2022-21426, CVE-2022-21434, CVE-2022-21443, CVE-2022-21496
Solution
To update to the latest JBoss Web Server for OpenShift image, perform the following steps to pull in the content:
1. On your master host(s), ensure that you are logged into the command line interface as a cluster administrator or user who has project administrator access to the global "openshift" project:
$ oc login -u system:admin
2. Depending on the Tomcat version, run either of the following commands to update the core JBoss Web Server 3.1 OpenShift image stream in the "openshift" project:
- For Tomcat 8:
To update the core JBoss Web Server 3.1 tomcat 8 OpenShift image, run the following command:
$ oc -n openshift import-image jboss-webserver31-tomcat8-openshift:1.4
- For Tomcat 7:
To update the core JBoss Web Server 3.1 tomcat 7 OpenShift image, run the following command:
$ oc -n openshift import-image jboss-webserver31-tomcat7-openshift:1.4
Affected Products
- Red Hat OpenShift Container Platform 4.9 for RHEL 7 x86_64
- Red Hat OpenShift Container Platform 4.8 for RHEL 7 x86_64
- Red Hat OpenShift Container Platform 3.11 x86_64
Fixes
- BZ - 2075788 - CVE-2022-21426 OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504)
- BZ - 2075793 - CVE-2022-21443 OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151)
- BZ - 2075836 - CVE-2022-21434 OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672)
- BZ - 2075842 - CVE-2022-21476 OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008)
- BZ - 2075849 - CVE-2022-21496 OpenJDK: URI parsing inconsistencies (JNDI, 8278972)
- CLOUD-4101 - [JWS31] Important - java-1.8.0-openjdk multiple CVEs
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.