RHBA-2023:1536 - Bug Fix Advisory

Topic

The JBoss Web Server (JWS) Operator for OpenShift has been updated to provide a fix for multiple openssl CVEs.

Description

This erratum covers updates to the JWS Operator for OpenShift to fix the following openssl CVEs:

• CVE-2023-0286
• CVE-2022-4304
• CVE-2022-4450
• CVE-2023-0215

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat OpenShift Container Platform 4.10 for RHEL 8 x86_64
• Red Hat OpenShift Container Platform 4.9 for RHEL 8 x86_64
• Red Hat OpenShift Container Platform for Power 4.10 for RHEL 8 ppc64le
• Red Hat OpenShift Container Platform for Power 4.9 for RHEL 8 ppc64le
• Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.10 for RHEL 8 s390x
• Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.9 for RHEL 8 s390x

Fixes

• BZ - 2164440 - CVE-2023-0286 openssl: X.400 address type confusion in X.509 GeneralName
• BZ - 2164487 - CVE-2022-4304 openssl: timing attack in RSA Decryption implementation
• BZ - 2164492 - CVE-2023-0215 openssl: use-after-free following BIO_new_NDEF
• BZ - 2164494 - CVE-2022-4450 openssl: double free after calling PEM_read_bio_ex
• JWS-2867 - Update JWS Openshift operator due to openssl CVEs

CVEs

• CVE-2020-10735
• CVE-2021-28861
• CVE-2022-4304
• CVE-2022-4415
• CVE-2022-4450
• CVE-2022-40897
• CVE-2022-45061
• CVE-2022-48303
• CVE-2023-0215
• CVE-2023-0286
• CVE-2023-23916

References

• https://access.redhat.com/errata/RHSA-2023:1405
• https://catalog.redhat.com/software/containers/registry/registry.access.redhat.com/repository/jboss-webserver-5/jws5-rhel8-operator-container