RHBA-2025:8470 - Bug Fix Advisory

Topic

This erratum covers updates to the current Red Hat JBoss Web Server 6.1 for OpenShift images to fix multiple libsoup CVEs.

Description

Red Hat xPaaS provides images for many of the Red Hat Middleware products that are available for use within the OpenShift Container Platform cloud computing Platform-as-a-Service (PaaS) for on-premise or private cloud deployments.

The current JBoss Web Server 6.1 for OpenShift images have been updated to fix the following libsoup CVEs:

• libsoup: Integer overflow in append_param_quoted (CVE-2025-32050)
• libsoup: Heap buffer overflow in sniff_unknown() (CVE-2025-32052)
• libsoup: Heap buffer overflows in sniff_feed_or_html() and skip_insignificant_space() (CVE-2025-32053)
• libsoup: Out of bounds reads in soup_headers_parse_request() (CVE-2025-32906)
• libsoup: Double free on soup_message_headers_get_content_disposition() through "soup-message-headers.c" via "params" GHashTable value (CVE-2025-32911)
• libsoup: NULL pointer dereference in soup_message_headers_get_content_disposition when "filename" parameter is present, but has no value in Content-Disposition header (CVE-2025-32913)
• libsoup: Information disclosure may leads libsoup client sends Authorization header to a different host when being redirected by a server (CVE-2025-46421)
• libsoup: Memory leak on soup_header_parse_quality_list() via soup-headers.c (CVE-2025-46420)
• libsoup: Heap buffer over-read in `skip_insignificant_space` when sniffing content (CVE-2025-2784)
• libsoup: Denial of Service attack to websocket server (CVE-2025-32049)
• libsoup: OOB Read on libsoup through function "soup_multipart_new_from_message" in soup-multipart.c leads to crash or exit of process (CVE-2025-32914)
• libsoup: Integer Underflow in soup_multipart_new_from_message() Leading to Denial of Service in libsoup (CVE-2025-4948)

Solution

To update to the latest JBoss Web Server 6.1.0 for OpenShift image on UBI8, perform the following steps to pull in the content:

1. On your master host(s), ensure that you are logged in to the command line interface as a cluster administrator or user who has project administrator access to the global "openshift" project:

$ oc login -u system:admin

2. Depending on the OpenJDK version, run one of the following commands to update the core JBoss Web Server 6.1 tomcat 10 OpenShift image stream in the "openshift" project:

• For OpenJDK 17:

To update the core JBoss Web Server 6.1 tomcat 10 with OpenJDK 17 OpenShift image, run the following command:

$ oc -n openshift import-image jboss-webserver61-openjdk17-tomcat10-openshift-ubi8:6.1.0

• For OpenJDK 21:

To update the core JBoss Web Server 6.1 tomcat 10 with OpenJDK 21 OpenShift image, run the following command:

$ oc -n openshift import-image jboss-webserver60-openjdk21-tomcat10-openshift-ubi8:6.1.0

Affected Products

• Red Hat OpenShift Container Platform 4.12 for RHEL 8 x86_64
• Red Hat OpenShift Container Platform 4.11 for RHEL 8 x86_64

Fixes

CVEs

• CVE-2017-17095
• CVE-2020-13790
• CVE-2025-2784
• CVE-2025-4948
• CVE-2025-32049
• CVE-2025-32914

References

• https://access.redhat.com/errata/RHSA-2025:4560
• https://access.redhat.com/errata/RHSA-2025:8132