- Issued:
- 2022-09-05
- Updated:
- 2022-09-05
RHBA-2022:6335 - Bug Fix Advisory
Synopsis
Update JBoss Web Server 3.1 for OpenShift images to fix rsync and systemd CVEs
Type/Severity
Bug Fix Advisory
Topic
This erratum covers updates to the current JBoss Web Server 3.1 for OpenShift images to provide a fix for rsync and systemd CVEs.
Description
Red Hat xPaaS provides images for many of the Red Hat Middleware products that are available for use within the OpenShift Container Platform cloud computing Platform-as-a-Service (PaaS) for on-premise or private cloud deployments.
The current JBoss Web Server 3.1 for OpenShift images have been updated to fix rsync CVE-2022-29154 and systemd CVE-2022-2526.
Solution
To update to the latest JBoss Web Server for OpenShift image, perform the following steps to pull in the content:
1. On your master host(s), ensure that you are logged into the command line interface as a cluster administrator or user who has project administrator access to the global "openshift" project:
$ oc login -u system:admin
2. Depending on the Tomcat version, run either of the following commands to update the core JBoss Web Server 3.1 OpenShift image stream in the "openshift" project:
- For Tomcat 8:
To update the core JBoss Web Server 3.1 tomcat 8 OpenShift image, run the following command:
$ oc -n openshift import-image jboss-webserver31-tomcat8-openshift:1.4
- For Tomcat 7:
To update the core JBoss Web Server 3.1 tomcat 7 OpenShift image, run the following command:
$ oc -n openshift import-image jboss-webserver31-tomcat7-openshift:1.4
Affected Products
- Red Hat OpenShift Container Platform 4.9 for RHEL 7 x86_64
- Red Hat OpenShift Container Platform 4.8 for RHEL 7 x86_64
- Red Hat OpenShift Container Platform 3.11 x86_64
Fixes
- BZ - 2110928 - CVE-2022-29154 rsync: remote arbitrary files write inside the directories of connecting peers
- CLOUD-4126 - [JWS31] Important - rsync: remote arbitrary files write inside the directories of connecting peers (CVE-2022-29154)
- CLOUD-4127 - [JWS31] Important - systemd-resolved: use-after-free when dealing with DnsStream in resolved-dns-stream.c (CVE-2022-2526)
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.