- Issued: 2023-11-02
- Updated: 2023-11-02
RHBA-2023:6287 - Bug Fix Advisory
Synopsis
Update the JWS Operator for OpenShift to fix nghttp2 and python CVEs
Type/Severity
Bug Fix Advisory
Topic
The JBoss Web Server (JWS) Operator for OpenShift has been updated to provide a fix for nghttp2 and python CVEs.
Description
This erratum covers updates to the JWS Operator for OpenShift to fix the following CVEs:
- nghttp2: CVE-2023-44487
- python: CVE-2023-40217
Solution
Before applying this update, make sure all previously released errata relevant to your system have been applied.
For details on how to apply this update, refer to:
Affected Products
- Red Hat OpenShift Container Platform 4.11 for RHEL 8 x86_64
- Red Hat OpenShift Container Platform 4.10 for RHEL 8 x86_64
- Red Hat OpenShift Container Platform for Power 4.10 for RHEL 8 ppc64le
- Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.10 for RHEL 8 s390x
Fixes
- BZ - 2242803 - CVE-2023-44487 HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)
- JWS-3126 - Update JWS Openshift operator due to nghttp2 CVE
- JWS-3127 - Update JWS Openshift operator due to python CVE
ppc64le
- jboss-webserver-5/jws5-operator-bundle@sha256:285a4470ea9f982af36648444e05b8e5f36cb54a00832fe4a81d4ff13d029e08
- jboss-webserver-5/jws5-rhel8-operator@sha256:5b612b6637a552e23912028fe665421f8577476a14501e3c49bec74736afb146
s390x
- jboss-webserver-5/jws5-operator-bundle@sha256:a588f3396d8ea9bdfc5953727fc5db73808124d66196cdc10128f4675af8c1af
- jboss-webserver-5/jws5-rhel8-operator@sha256:0447eeff1ab9ff7fc87a957e62808c6e1328b9d5b7f38c910454f0c0ead8706f
x86_64
- jboss-webserver-5/jws5-operator-bundle@sha256:7eb95f4b5750d9da985f7982696384ee0dfc05b12300da97cd1b944cb1bee0e3
- jboss-webserver-5/jws5-rhel8-operator@sha256:79c5010c8961daab0eadf07c0bce0f6228e90d4836c653ddcb36eb3a293749fa
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.