RHBA-2023:5798 - Bug Fix Advisory

Topic

The JBoss Web Server (JWS) Operator for OpenShift has been updated to provide a fix for multiple glibc CVEs.

Description

This erratum covers updates to the JWS Operator for OpenShift to fix the following glibc CVEs:

• CVE-2023-4911
• CVE-2023-4527
• CVE-2023-4806
• CVE-2023-4813

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat OpenShift Container Platform 4.11 for RHEL 8 x86_64
• Red Hat OpenShift Container Platform 4.10 for RHEL 8 x86_64
• Red Hat OpenShift Container Platform for Power 4.10 for RHEL 8 ppc64le
• Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.10 for RHEL 8 s390x

Fixes

• BZ - 2234712 - CVE-2023-4527 glibc: Stack read overflow in getaddrinfo in no-aaaa mode
• BZ - 2237782 - CVE-2023-4806 glibc: potential use-after-free in getaddrinfo()
• BZ - 2237798 - CVE-2023-4813 glibc: potential use-after-free in gaih_inet()
• BZ - 2238352 - CVE-2023-4911 glibc: buffer overflow in ld.so leading to privilege escalation
• JWS-3101 - Update JWS Openshift operator due to glibc CVEs

CVEs

• CVE-2023-4527
• CVE-2023-4806
• CVE-2023-4813
• CVE-2023-4911
• CVE-2023-29491
• CVE-2023-30630

References

• https://access.redhat.com/errata/RHSA-2023:5455