- Issued:
- 2023-04-27
- Updated:
- 2023-04-27
RHBA-2023:2050 - Bug Fix Advisory
Synopsis
Update JBoss Web Server 3.1 for OpenShift images to fix multiple OpenJDK CVEs
Type/Severity
Bug Fix Advisory
Topic
This erratum covers updates to the current Red Hat JBoss Web Server 3.1 for OpenShift images to fix multiple OpenJDK CVEs.
Description
Red Hat xPaaS provides images for many of the Red Hat Middleware products that are available for use within the OpenShift Container Platform cloud computing Platform-as-a-Service (PaaS) for on-premise or private cloud deployments.
The current JBoss Web Server 3.1 for OpenShift images have been updated to fix the following java-1.8.0-openjdk CVEs:
- CVE-2023-21930
- CVE-2023-21939
- CVE-2023-21954
- CVE-2023-21967
- CVE-2023-21937
- CVE-2023-21938
- CVE-2023-21968
Solution
To update to the latest JBoss Web Server for OpenShift image, perform the following steps to pull in the content:
1. On your master host(s), ensure that you are logged in to the command line interface as a cluster administrator or user who has project administrator access to the global "openshift" project:
$ oc login -u system:admin
2. Depending on the Tomcat version, run either of the following commands to update the core JBoss Web Server 3.1 OpenShift image stream in the "openshift" project:
- For Tomcat 8:
To update the core JBoss Web Server 3.1 tomcat 8 OpenShift image, run the following command:
$ oc -n openshift import-image jboss-webserver31-tomcat8-openshift:1.4
- For Tomcat 7:
To update the core JBoss Web Server 3.1 tomcat 7 OpenShift image, run the following command:
$ oc -n openshift import-image jboss-webserver31-tomcat7-openshift:1.4
Affected Products
- Red Hat OpenShift Container Platform 4.9 for RHEL 7 x86_64
- Red Hat OpenShift Container Platform 4.8 for RHEL 7 x86_64
- Red Hat OpenShift Container Platform 3.11 x86_64
Fixes
- BZ - 2187435 - CVE-2023-21930 OpenJDK: improper connection handling during TLS handshake (8294474)
- BZ - 2187441 - CVE-2023-21954 OpenJDK: incorrect enqueue of references in garbage collector (8298191)
- BZ - 2187704 - CVE-2023-21967 OpenJDK: certificate validation issue in TLS session negotiation (8298310)
- BZ - 2187724 - CVE-2023-21939 OpenJDK: Swing HTML parsing issue (8296832)
- BZ - 2187758 - CVE-2023-21938 OpenJDK: incorrect handling of NULL characters in ProcessBuilder (8295304)
- BZ - 2187790 - CVE-2023-21937 OpenJDK: missing string checks for NULL characters (8296622)
- BZ - 2187802 - CVE-2023-21968 OpenJDK: missing check for slash characters in URI-to-path conversion (8298667)
- CLOUD-4170 - [JWS31] Important - java-1.8.0-openjdk: Multiple CVEs
CVEs
x86_64
jboss-webserver-3/webserver31-tomcat7-openshift@sha256:c8ecefe1f57ae5a4a1a4accb30b95ad1575eb7a606d875ad455c64167ad44b6a |
jboss-webserver-3/webserver31-tomcat8-openshift@sha256:533d45e405b2597b6b877e2302c7a697beec0188a1d53a62de8eb8d044322670 |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.