RHBA-2023:1521 - Bug Fix Advisory

Topic

This erratum covers updates to the current Red Hat JBoss Web Server 5.7 for OpenShift images to fix nss CVE-2023-0767 and multiple openssl CVEs.

Description

Red Hat xPaaS provides images for many of the Red Hat Middleware products that are available for use within the OpenShift Container Platform cloud computing Platform-as-a-Service (PaaS) for on-premise or private cloud deployments.

The current JBoss Web Server 5.7 for OpenShift images have been updated to fix nss CVE-2023-0767 and the following openssl CVEs:

• CVE-2023-0286
• CVE-2022-4304
• CVE-2022-4450
• CVE-2023-0215

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat OpenShift Container Platform 4.10 for RHEL 8 x86_64
• Red Hat OpenShift Container Platform 4.9 for RHEL 8 x86_64
• Red Hat OpenShift Container Platform for Power 4.10 for RHEL 8 ppc64le
• Red Hat OpenShift Container Platform for Power 4.9 for RHEL 8 ppc64le
• Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.10 for RHEL 8 s390x
• Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.9 for RHEL 8 s390x

Fixes

• BZ - 2170377 - CVE-2023-0767 nss: Arbitrary memory write via PKCS 12
• CLOUD-4164 - [JWS57] Important - nss: Arbitrary memory write via PKCS 12 (CVE-2023-0767)
• CLOUD-4167 - [JWS57] Important - openssl: Multiple CVEs

CVEs

• CVE-2020-10735
• CVE-2021-28861
• CVE-2022-4304
• CVE-2022-4415
• CVE-2022-4450
• CVE-2022-40897
• CVE-2022-45061
• CVE-2022-48303
• CVE-2023-0215
• CVE-2023-0286
• CVE-2023-0767
• CVE-2023-23916

References

• https://access.redhat.com/errata/RHSA-2023:1252
• https://access.redhat.com/errata/RHSA-2023:1405