Red Hat Product Errata RHBA-2023:2050 - Bug Fix Advisory
Issued:
2023-04-27
Updated:
2023-04-27

RHBA-2023:2050 - Bug Fix Advisory

Synopsis

Update JBoss Web Server 3.1 for OpenShift images to fix multiple OpenJDK CVEs

Type/Severity

Bug Fix Advisory

Topic

This erratum covers updates to the current Red Hat JBoss Web Server 3.1 for OpenShift images to fix multiple OpenJDK CVEs.

Description

Red Hat xPaaS provides images for many of the Red Hat Middleware products that are available for use within the OpenShift Container Platform cloud computing Platform-as-a-Service (PaaS) for on-premise or private cloud deployments.

The current JBoss Web Server 3.1 for OpenShift images have been updated to fix the following java-1.8.0-openjdk CVEs:

  • CVE-2023-21930
  • CVE-2023-21939
  • CVE-2023-21954
  • CVE-2023-21967
  • CVE-2023-21937
  • CVE-2023-21938
  • CVE-2023-21968

Solution

To update to the latest JBoss Web Server for OpenShift image, perform the following steps to pull in the content:

1. On your master host(s), ensure that you are logged in to the command line interface as a cluster administrator or user who has project administrator access to the global "openshift" project:

$ oc login -u system:admin

2. Depending on the Tomcat version, run either of the following commands to update the core JBoss Web Server 3.1 OpenShift image stream in the "openshift" project:

  • For Tomcat 8:

To update the core JBoss Web Server 3.1 tomcat 8 OpenShift image, run the following command:

$ oc -n openshift import-image jboss-webserver31-tomcat8-openshift:1.4

  • For Tomcat 7:

To update the core JBoss Web Server 3.1 tomcat 7 OpenShift image, run the following command:

$ oc -n openshift import-image jboss-webserver31-tomcat7-openshift:1.4

Affected Products

  • Red Hat OpenShift Container Platform 4.9 for RHEL 7 x86_64
  • Red Hat OpenShift Container Platform 4.8 for RHEL 7 x86_64
  • Red Hat OpenShift Container Platform 3.11 x86_64

Fixes

  • BZ - 2187435 - CVE-2023-21930 OpenJDK: improper connection handling during TLS handshake (8294474)
  • BZ - 2187441 - CVE-2023-21954 OpenJDK: incorrect enqueue of references in garbage collector (8298191)
  • BZ - 2187704 - CVE-2023-21967 OpenJDK: certificate validation issue in TLS session negotiation (8298310)
  • BZ - 2187724 - CVE-2023-21939 OpenJDK: Swing HTML parsing issue (8296832)
  • BZ - 2187758 - CVE-2023-21938 OpenJDK: incorrect handling of NULL characters in ProcessBuilder (8295304)
  • BZ - 2187790 - CVE-2023-21937 OpenJDK: missing string checks for NULL characters (8296622)
  • BZ - 2187802 - CVE-2023-21968 OpenJDK: missing check for slash characters in URI-to-path conversion (8298667)
  • CLOUD-4170 - [JWS31] Important - java-1.8.0-openjdk: Multiple CVEs

x86_64

jboss-webserver-3/webserver31-tomcat7-openshift@sha256:c8ecefe1f57ae5a4a1a4accb30b95ad1575eb7a606d875ad455c64167ad44b6a
jboss-webserver-3/webserver31-tomcat8-openshift@sha256:533d45e405b2597b6b877e2302c7a697beec0188a1d53a62de8eb8d044322670

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.