Issued: 2024-09-17
Updated: 2024-09-17
RHBA-2024:6716 - Bug Fix Advisory
Synopsis
Update JBoss Web Server 5.8 for OpenShift images to fix curl and python-setuptools CVEs
Type/Severity
Bug Fix Advisory
Topic
This erratum covers updates to the current Red Hat JBoss Web Server 5.8 for OpenShift images to fix curl and python-setuptools CVEs.
Description
Red Hat xPaaS provides images for many of the Red Hat Middleware products that are available for use within the OpenShift Container Platform cloud computing Platform-as-a-Service (PaaS) for on-premise or private cloud deployments.
The current JBoss Web Server 5.8 for OpenShift images have been updated to fix the following curl and python-setuptools CVEs:
- curl: CVE-2024-2398
- python-setuptools: CVE-2024-6345
Solution
To update to the latest JBoss Web Server 5.8.1 for OpenShift image on UBI8, perform the following steps to pull in the content:
1. On your master host(s), ensure that you are logged in to the command line interface as a cluster administrator or user who has project administrator access to the global "openshift" project:
$ oc login -u system:admin
2. Depending on the OpenJDK version, run one of the following commands to update the core JBoss Web Server 5.8 tomcat 9 OpenShift image stream in the "openshift" project:
- For OpenJDK 8:
To update the core JBoss Web Server 5.8 tomcat 9 with OpenJDK 8 OpenShift image, run the following command:
$ oc -n openshift import-image jboss-webserver58-openjdk8-tomcat9-openshift-ubi8:5.8.1
- For OpenJDK 11:
To update the core JBoss Web Server 5.8 tomcat 9 with OpenJDK 11 OpenShift image, run the following command:
$ oc -n openshift import-image jboss-webserver58-openjdk11-tomcat9-openshift-ubi8:5.8.1
- For OpenJDK 17:
To update the core JBoss Web Server 5.8 tomcat 9 with OpenJDK 17 OpenShift image, run the following command:
$ oc -n openshift import-image jboss-webserver58-openjdk17-tomcat9-openshift-ubi8:5.8.1
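The three update steps above, wrapped in a POSIX shell script as an added example that is not part of the Red Hat advisory: it confirms the `oc` session is logged in, runs the advisory's `import-image` command for the chosen OpenJDK version, and then checks that the digest OpenShift resolved for the new `5.8.1` tag is one of the image digests this advisory lists for the cluster's architecture, so you know the fixed build is what was pulled. It assumes `oc` is on PATH, that the cluster's nodes are x86_64 unless told otherwise, and that the ImageStreamTag's `.image.dockerImageReference` carries the by-digest reference (a query about the OpenShift image API, not something the advisory states).

```shell
#!/bin/sh
# Added example, not the advisory's own script. Wraps RHBA-2024:6716 steps 1-2
# and verifies the imported tag against the advisory's digest list.
# Assumes `oc` is installed and you are already logged in (step 1).

# Image digests copied from the advisory's per-architecture tables.
advisory_digests() {
  case "$1" in
    ppc64le) printf '%s\n' \
      sha256:86ffa9a545ac38f9292f4c681c8e355bc20c2203257d89d26b1c7af67b639408 \
      sha256:84324106382be1c5ace27c402688cdde422ccf948f312514d028be4e42f1008a ;;
    s390x)   printf '%s\n' \
      sha256:73b8673ca7c9063da149c0b195c5a7fc9b92895199c2351cd0b9423de2da9bd7 \
      sha256:def76cd4579afda93077467eae69e7051974731f36e53c1161de96854a05040b ;;
    x86_64)  printf '%s\n' \
      sha256:9b6ac10fb2c9e470e876c490736a4d5ed75c81364b1f005859a23c1bf60c13dc \
      sha256:907a3db22ef93ebebf5d3b82b28a54c98a2a0b04aa41997ab617f37ce618a4c5 \
      sha256:97877a10dd15cf785bff8b5bc3e864d41c844263853d2b39e48e36a03652fe44 ;;
    *) return 1 ;;
  esac
}

# Map an OpenJDK major version to the image stream the advisory names.
# Fails for versions the advisory does not cover.
jws58_imagestream() {
  case "$1" in
    8)  echo jboss-webserver58-openjdk8-tomcat9-openshift-ubi8 ;;
    11) echo jboss-webserver58-openjdk11-tomcat9-openshift-ubi8 ;;
    17) echo jboss-webserver58-openjdk17-tomcat9-openshift-ubi8 ;;
    *)  return 1 ;;
  esac
}

# Extract the sha256 digest from a reference of the form repo/name@sha256:<hex>.
# Fails on tag-only references, which carry no digest to verify.
digest_of() {
  case "$1" in
    *@sha256:*) echo "sha256:${1##*@sha256:}" ;;
    *) return 1 ;;
  esac
}

# Succeed only if DIGEST is one the advisory lists for ARCH.
digest_in_advisory() {
  arch="$1"; digest="$2"
  for d in $(advisory_digests "$arch"); do
    [ "$d" = "$digest" ] && return 0
  done
  return 1
}

# Advisory steps 1-2 for one JDK version, then the digest check.
update_and_verify() {
  jdk="$1"; arch="${2:-x86_64}"
  is="$(jws58_imagestream "$jdk")" || { echo "OpenJDK $jdk is not covered by this advisory" >&2; return 2; }
  oc whoami >/dev/null || { echo "not logged in: run 'oc login' first (step 1)" >&2; return 3; }
  oc -n openshift import-image "$is:5.8.1" || return 4
  # Assumption: the resolved by-digest reference is exposed on the ImageStreamTag.
  ref="$(oc -n openshift get istag "$is:5.8.1" -o jsonpath='{.image.dockerImageReference}')" || return 4
  digest="$(digest_of "$ref")" || { echo "unexpected image reference: $ref" >&2; return 5; }
  if digest_in_advisory "$arch" "$digest"; then
    echo "$is:5.8.1 resolved to $digest, listed in RHBA-2024:6716 for $arch"
  else
    echo "$is:5.8.1 resolved to $digest, which is NOT listed in RHBA-2024:6716 for $arch" >&2
    return 6
  fi
}

# Only touch a cluster when asked explicitly, e.g. JWS_JDK=11 sh update-jws58.sh
if [ -n "${JWS_JDK:-}" ]; then
  update_and_verify "$JWS_JDK" "${JWS_ARCH:-x86_64}"
fi
```

Run it as `JWS_JDK=11 sh update-jws58.sh` (or `JWS_JDK=17 JWS_ARCH=s390x ...` on a s390x cluster); a non-zero exit means either the import failed or the tag resolved to a digest the advisory does not list, which is worth investigating before rolling the image out.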
Affected Products
- Red Hat OpenShift Container Platform 4.12 for RHEL 8 x86_64
- Red Hat OpenShift Container Platform 4.11 for RHEL 8 x86_64
Fixes
- BZ - 2270498 - CVE-2024-2398 curl: HTTP/2 push headers memory-leak
CVEs
- CVE-2024-2398
- CVE-2024-6345
ppc64le
- jboss-webserver-5/jws58-openjdk11-openshift-rhel8@sha256:86ffa9a545ac38f9292f4c681c8e355bc20c2203257d89d26b1c7af67b639408
- jboss-webserver-5/jws58-openjdk17-openshift-rhel8@sha256:84324106382be1c5ace27c402688cdde422ccf948f312514d028be4e42f1008a
s390x
- jboss-webserver-5/jws58-openjdk11-openshift-rhel8@sha256:73b8673ca7c9063da149c0b195c5a7fc9b92895199c2351cd0b9423de2da9bd7
- jboss-webserver-5/jws58-openjdk17-openshift-rhel8@sha256:def76cd4579afda93077467eae69e7051974731f36e53c1161de96854a05040b
x86_64
- jboss-webserver-5/jws58-openjdk11-openshift-rhel8@sha256:9b6ac10fb2c9e470e876c490736a4d5ed75c81364b1f005859a23c1bf60c13dc
- jboss-webserver-5/jws58-openjdk17-openshift-rhel8@sha256:907a3db22ef93ebebf5d3b82b28a54c98a2a0b04aa41997ab617f37ce618a4c5
- jboss-webserver-5/jws58-openjdk8-openshift-rhel8@sha256:97877a10dd15cf785bff8b5bc3e864d41c844263853d2b39e48e36a03652fe44
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.