- Issued: 2023-04-27
- Updated: 2023-04-27
RHBA-2023:2049 - Bug Fix Advisory
Synopsis
Update JBoss Web Server 5.7 for OpenShift images to fix multiple OpenJDK CVEs
Type/Severity
Bug Fix Advisory
Topic
This erratum covers updates to the current Red Hat JBoss Web Server 5.7 for OpenShift images to fix multiple java-11-openjdk and java-1.8.0-openjdk CVEs.
Description
Red Hat xPaaS provides images for many of the Red Hat Middleware products that are available for use within the OpenShift Container Platform cloud computing Platform-as-a-Service (PaaS) for on-premises or private cloud deployments.
The current JBoss Web Server 5.7 for OpenShift images have been updated to fix the following java-11-openjdk and java-1.8.0-openjdk CVEs:
- CVE-2023-21930
- CVE-2023-21939
- CVE-2023-21954
- CVE-2023-21967
- CVE-2023-21937
- CVE-2023-21938
- CVE-2023-21968
Solution
To update to the latest JBoss Web Server for OpenShift image, perform the following steps to pull in the content:
1. On your master host(s), ensure that you are logged in to the command line interface as a cluster administrator or as a user who has project administrator access to the global "openshift" project:
$ oc login -u system:admin
2. Depending on the OpenJDK version, run either of the following commands to update the core JBoss Web Server 5.7 tomcat 9 OpenShift image stream in the "openshift" project:
- For OpenJDK 8:
To update the core JBoss Web Server 5.7 tomcat 9 with OpenJDK 8 OpenShift image, run the following command:
$ oc -n openshift import-image jboss-webserver57-openjdk8-tomcat9-openshift-ubi8:5.7.2
- For OpenJDK 11:
To update the core JBoss Web Server 5.7 tomcat 9 with OpenJDK 11 OpenShift image, run the following command:
$ oc -n openshift import-image jboss-webserver57-openjdk11-tomcat9-openshift-ubi8:5.7.2
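The two import commands above pull the updated tags, but they do not tell you whether the tag in the "openshift" project now resolves to the image digests listed at the end of this erratum. The following script is an added example, not part of the advisory or of Red Hat's tooling: it embeds the advisory's own digests, compares an observed digest against them, and (when run with --check and a working `oc` session) reads the digest the image stream tag currently points at. The image stream names and the `oc get istag ... -o jsonpath` query are assumptions based on the import-image commands above; the architecture argument is assumed to name the cluster's node architecture, not necessarily the machine the script runs on.

```shell
#!/bin/sh
# Added example (not from the erratum): verify that the JWS 5.7 image stream
# tags imported per RHBA-2023:2049 resolve to the digests the erratum lists.
set -eu

# Digests copied verbatim from the erratum's image list.
# $1 = architecture (ppc64le | s390x | x86_64), $2 = OpenJDK major version (8 | 11)
# Prints the digest, or returns 1 when the erratum lists no image for that pair.
expected_digest() {
    case "$1/$2" in
        ppc64le/11) echo "sha256:0a73f47edca39e5b5a476404b5861dbe6043d60352d9b9121a58126bfa2f2841" ;;
        s390x/11)   echo "sha256:3dede200d7df576b9e3d53c7c73d0ecfd0a03bb46d44eb610c3954f5cd5ab4ed" ;;
        x86_64/11)  echo "sha256:e241dd0049956f75f989687e80fafe7da2f2f25ef4ea762bdaabfe2161d20f64" ;;
        x86_64/8)   echo "sha256:6d07cbaef7869b2e0d878740ad685b150f3d8ab960544c881916a01f25f9b6ef" ;;
        *) return 1 ;;
    esac
}

# Compare an observed digest with the erratum's digest for that arch/JDK.
# $1 = arch, $2 = jdk, $3 = observed digest. Returns 0 on match, 1 otherwise
# (including when the erratum ships no image for that arch/JDK pair).
digest_matches() {
    want=$(expected_digest "$1" "$2") || return 1
    [ "$3" = "$want" ]
}

# Ask the cluster which image the imported tag currently resolves to.
# Assumption: the tag name follows the import-image commands in the Solution
# section, and ImageStreamTag.image.metadata.name carries the sha256 digest.
# Requires oc and an authenticated session; not exercised offline.
current_istag_digest() {
    oc -n openshift get istag "jboss-webserver57-openjdk$1-tomcat9-openshift-ubi8:5.7.2" \
        -o jsonpath='{.image.metadata.name}'
}

# Usage: ./check-jws57-digests.sh --check <8|11> <ppc64le|s390x|x86_64>
if [ "${1:-}" = "--check" ]; then
    jdk=${2:?OpenJDK version (8 or 11) required}
    arch=${3:?cluster node architecture required}
    got=$(current_istag_digest "$jdk")
    if digest_matches "$arch" "$jdk" "$got"; then
        echo "OK: openjdk$jdk tag resolves to the erratum digest $got"
    else
        want=$(expected_digest "$arch" "$jdk") || want="(no image listed in this erratum for $arch/openjdk$jdk)"
        echo "MISMATCH: openjdk$jdk tag resolves to $got, expected $want" >&2
        exit 1
    fi
fi
```

A mismatch after a successful import usually means the import pulled a newer tag than the one this erratum describes, or that the image stream tag is still pinned to the previous digest; in either case compare against the digests listed under the architecture headings below before assuming the CVE fixes are in place. Note that the erratum ships no OpenJDK 8 image for ppc64le or s390x, so the script reports those combinations as not listed rather than as a match.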
Affected Products
- Red Hat OpenShift Container Platform 4.10 for RHEL 8 x86_64
- Red Hat OpenShift Container Platform 4.9 for RHEL 8 x86_64
- Red Hat OpenShift Container Platform for Power 4.10 for RHEL 8 ppc64le
- Red Hat OpenShift Container Platform for Power 4.9 for RHEL 8 ppc64le
- Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.10 for RHEL 8 s390x
- Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.9 for RHEL 8 s390x
Fixes
- BZ - 2187435 - CVE-2023-21930 OpenJDK: improper connection handling during TLS handshake (8294474)
- BZ - 2187441 - CVE-2023-21954 OpenJDK: incorrect enqueue of references in garbage collector (8298191)
- BZ - 2187704 - CVE-2023-21967 OpenJDK: certificate validation issue in TLS session negotiation (8298310)
- BZ - 2187724 - CVE-2023-21939 OpenJDK: Swing HTML parsing issue (8296832)
- BZ - 2187758 - CVE-2023-21938 OpenJDK: incorrect handling of NULL characters in ProcessBuilder (8295304)
- BZ - 2187790 - CVE-2023-21937 OpenJDK: missing string checks for NULL characters (8296622)
- BZ - 2187802 - CVE-2023-21968 OpenJDK: missing check for slash characters in URI-to-path conversion (8298667)
- CLOUD-4171 - [JWS57] Important - java-1.8.0-openjdk multiple CVEs
- CLOUD-4172 - [JWS57] Important - java-11-openjdk multiple CVEs
CVEs
ppc64le
- jboss-webserver-5/jws57-openjdk11-openshift-rhel8@sha256:0a73f47edca39e5b5a476404b5861dbe6043d60352d9b9121a58126bfa2f2841
s390x
- jboss-webserver-5/jws57-openjdk11-openshift-rhel8@sha256:3dede200d7df576b9e3d53c7c73d0ecfd0a03bb46d44eb610c3954f5cd5ab4ed
x86_64
- jboss-webserver-5/jws57-openjdk11-openshift-rhel8@sha256:e241dd0049956f75f989687e80fafe7da2f2f25ef4ea762bdaabfe2161d20f64
- jboss-webserver-5/jws57-openjdk8-openshift-rhel8@sha256:6d07cbaef7869b2e0d878740ad685b150f3d8ab960544c881916a01f25f9b6ef
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.