Red Hat Product Errata RHBA-2022:6076 - Bug Fix Advisory
Issued:
2022-08-16
Updated:
2022-08-16

RHBA-2022:6076 - Bug Fix Advisory

Synopsis

Update JBoss Web Server 3.1 for OpenShift images to fix java-1.8.0-openjdk CVEs

Type/Severity

Bug Fix Advisory

Topic

This erratum covers updates to the current JBoss Web Server 3.1 for OpenShift images to provide a fix for multiple java-1.8.0-openjdk CVEs.

Description

Red Hat xPaaS provides images for many of the Red Hat Middleware products that are available for use within the OpenShift Container Platform cloud computing Platform-as-a-Service (PaaS) for on-premise or private cloud deployments.

The current JBoss Web Server 3.1 for OpenShift images have been updated to fix the following CVEs for java-1.8.0-openjdk:

  • CVE-2022-34169
  • CVE-2022-21540
  • CVE-2022-21541

Solution

To update to the latest JBoss Web Server for OpenShift image, perform the following steps to pull in the content:

1. On your master host(s), ensure that you are logged into the command line interface as a cluster administrator or user who has project administrator access to the global "openshift" project:

$ oc login -u system:admin

2. Depending on the Tomcat version, run either of the following commands to update the core JBoss Web Server 3.1 OpenShift image stream in the "openshift" project:

  • For Tomcat 8:

To update the core JBoss Web Server 3.1 tomcat 8 OpenShift image, run the following command:

$ oc -n openshift import-image jboss-webserver31-tomcat8-openshift:1.4

  • For Tomcat 7:

To update the core JBoss Web Server 3.1 tomcat 7 OpenShift image, run the following command:

$ oc -n openshift import-image jboss-webserver31-tomcat7-openshift:1.4

Affected Products

  • Red Hat OpenShift Container Platform 4.9 for RHEL 7 x86_64
  • Red Hat OpenShift Container Platform 4.8 for RHEL 7 x86_64
  • Red Hat OpenShift Container Platform 3.11 x86_64

Fixes

  • BZ - 2108540 - CVE-2022-21540 OpenJDK: class compilation issue (Hotspot, 8281859)
  • BZ - 2108543 - CVE-2022-21541 OpenJDK: improper restriction of MethodHandle.invokeBasic() (Hotspot, 8281866)
  • BZ - 2108554 - CVE-2022-34169 OpenJDK: integer truncation issue in Xalan-J (JAXP, 8285407)
  • CLOUD-4119 - [JWS31] Important - java-1.8.0-openjdk multiple CVEs

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.