- Issued: 2022-06-21
- Updated: 2022-06-21
RHBA-2022:5148 - Bug Fix Advisory
Synopsis
Update the JWS Operator for OpenShift for gzip CVE
Type/Severity
Bug Fix Advisory
Topic
The JBoss Web Server (JWS) Operator for OpenShift has been updated to provide a fix for a gzip CVE.
Description
This erratum covers updates to the JWS Operator for OpenShift to fix gzip CVE-2022-1271. The fix is in the xz-libs package.
Solution
This update provides a Middleware Containers container image that you can use on Red Hat Enterprise Linux (RHEL) 8. You can download the image from the Red Hat Container Registry at registry.access.redhat.com. Installation instructions for your platform are available at Red Hat Container Catalog (see References).
Dockerfiles and scripts should be amended to refer to this new image specifically or to the latest image generally.
Affected Products
- Red Hat OpenShift Container Platform 4.10 for RHEL 8 x86_64
- Red Hat OpenShift Container Platform 4.9 for RHEL 8 x86_64
- Red Hat OpenShift Container Platform for Power 4.10 for RHEL 8 ppc64le
- Red Hat OpenShift Container Platform for Power 4.9 for RHEL 8 ppc64le
- Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.10 for RHEL 8 s390x
- Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.9 for RHEL 8 s390x
Fixes
- BZ - 2073310 - CVE-2022-1271 gzip: arbitrary-file-write vulnerability
- JWS-2541 - Update JWS Openshift operator due to gzip CVE-2022-1271
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.