- Issued: 2023-07-06
- Updated: 2023-07-06
RHBA-2023:3973 - Bug Fix Advisory
Synopsis
Update Technology Preview of JBoss Web Server 5.7 for OpenShift image with OpenJDK 17 for python CVE
Type/Severity
Bug Fix Advisory
Topic
This erratum covers updates to the current Technology Preview release of the JBoss Web Server 5.7 for OpenShift container image with OpenJDK 17 support to fix python CVE-2023-24329.
Description
The current Technology Preview release of the JBoss Web Server 5.7 for OpenShift image with OpenJDK 17 support has been updated to fix python CVE-2023-24329.
Solution
You can download the RHEL-8-based Middleware Containers image that this update provides from the Red Hat Container Registry at registry.access.redhat.com. Installation instructions for your platform are available in the Red Hat Ecosystem Catalog (see the References section).
Dockerfiles and scripts should be amended to refer to this new image specifically or to the latest image generally.
Affected Products
- Red Hat OpenShift Container Platform 4.12 for RHEL 8 x86_64
- Red Hat OpenShift Container Platform 4.11 for RHEL 8 x86_64
- Red Hat OpenShift Container Platform 4.10 for RHEL 8 x86_64
- Red Hat OpenShift Container Platform for Power 4.10 for RHEL 8 ppc64le
- Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.10 for RHEL 8 s390x
Fixes
- BZ - 2173917 - CVE-2023-24329 python: urllib.parse url blocklisting bypass
- CLOUD-4186 - [JWS57 - JDK17 TP] - Important - python: urllib.parse url blocklisting bypass (CVE-2023-24329)
CVEs
ppc64le
jboss-webserver-5/jws57-openjdk17-openshift-rhel8@sha256:c9fe65f0ab0cd82e598580cc0707556a0c7f8a1a8a168b66389e52166fb57ce7
s390x
jboss-webserver-5/jws57-openjdk17-openshift-rhel8@sha256:ca91112a53c55d9f3b60e3d8592a41ae34ef3c9eaf0cdd7961e9585892518d05
x86_64
jboss-webserver-5/jws57-openjdk17-openshift-rhel8@sha256:35aac74e0f875f58a852d8e2a961999edf82133a5df9957c0cea00601c6b6247
The Red Hat security contact is secalert@redhat.com. More contact details are available at https://access.redhat.com/security/team/contact/.