Project: Red Hat Advanced Cluster Management
Issue: ACM-25413

CVE-2023-39975: krb5-libs still vulnerable in multicluster-engine/hive-rhel9


    • Type: Bug
    • Resolution: Done
    • Priority: Undefined
    • Version: ACM 2.9.0
    • Component: Hive

      Description of problem:
      Reported CVE-2023-39975 affecting the multicluster-engine/hive-rhel9 image.

      Image: multicluster-engine/hive-rhel9
      registry.redhat.io/multicluster-engine/hive-rhel9@sha256:62d1fba861ea3e18d4c8046fdaabf33a21c1c3eb6d8d40709a07456838e73cd4

      Registry Link:
      https://catalog.redhat.com/en/software/containers/multicluster-engine/hive-rhel9/66b1030cee4005aeedfe5019?image=688bb38d5a76a0faeff72ddd&architecture=amd64 

      Current krb5-libs version in image: 1.20.1-9.el9_2.2.x86_64 (still vulnerable)

      Fixed version available in: RHSA-2023:6699, https://access.redhat.com/errata/RHSA-2023:6699 

      Although the fixed packages for krb5 exist in RHEL9, the krb5-libs package included in the image is outdated and still affected.

      Version-Release number of selected component (if applicable):
      The image belongs to the Multicluster Engine operator, which is in version 2.9.0, the latest available for OCP v4.17.40

      How reproducible:

      • Download the image via podman pull and check the krb5-libs package version.

      Steps to Reproduce:

      $ podman pull registry.redhat.io/multicluster-engine/hive-rhel9@sha256:62d1fba861ea3e18d4c8046fdaabf33a21c1c3eb6d8d40709a07456838e73cd4
      Trying to pull registry.redhat.io/multicluster-engine/hive-rhel9@sha256:62d1fba861ea3e18d4c8046fdaabf33a21c1c3eb6d8d40709a07456838e73cd4...
      Getting image source signatures
      Checking if image destination supports signatures
      Copying blob 4b7362287815 done   | 
      Copying blob 93efa3253bde done   | 
      Copying config eb1daf39f8 done   | 
      Writing manifest to image destination
      Storing signatures
      eb1daf39f8e9d0da9f239606b5457e2edf4fc616c7c97adf6c258eb2738099bf
      $ podman run --rm --entrypoint bash -it eb1daf39f8e9d0da9f239606b5457e2edf4fc616c7c97adf6c258eb2738099bf
      bash-5.1# rpm -qa |grep krb
      krb5-libs-1.20.1-9.el9_2.2.x86_64
      
      
      #
      # The same for latest image: 2.9.0-b78b776  2.9.0-1  2.9.0-1752521349
      #
      $ podman pull registry.redhat.io/multicluster-engine/hive-rhel9@sha256:bf343592bf2f4399b5ac61709f56528435990e903812e264cbef845ff4433231
      Trying to pull registry.redhat.io/multicluster-engine/hive-rhel9@sha256:bf343592bf2f4399b5ac61709f56528435990e903812e264cbef845ff4433231...
      Getting image source signatures
      Checking if image destination supports signatures
      Copying blob 4b7362287815 skipped: already exists  
      Copying blob 93efa3253bde skipped: already exists  
      Copying config eb1daf39f8 done   | 
      Writing manifest to image destination
      Storing signatures
      eb1daf39f8e9d0da9f239606b5457e2edf4fc616c7c97adf6c258eb2738099bf
      $ podman run --rm --entrypoint bash -it eb1daf39f8e9d0da9f239606b5457e2edf4fc616c7c97adf6c258eb2738099bf
      bash-5.1# rpm -qa | grep krb5
      krb5-libs-1.20.1-9.el9_2.2.x86_64
      

      Expected results:
      The package should be in a version that is available via RHSA-2023:6699: krb5-libs-1.21.1-1.el9.x86_64.rpm
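      To make the manual `rpm -qa | grep krb5` check above repeatable across image builds, here is an added example (not from this report or the hive project) that parses `rpm -qa` output and compares the installed krb5-libs against the fixed NVRA named in the report, using a simplified rpm version comparison (tilde/caret ordering is not handled); the non-krb5 lines in the sample output are constructed filler.

```python
import re
from typing import Dict, Tuple

# Installed line taken from the report; the other two lines are constructed filler.
SAMPLE_RPM_QA = """\
libcom_err-1.46.5-3.el9.x86_64
krb5-libs-1.20.1-9.el9_2.2.x86_64
openssl-libs-3.0.7-24.el9.x86_64
"""
# Fixed package named in the report (RHSA-2023:6699).
FIXED_KRB5 = "krb5-libs-1.21.1-1.el9.x86_64"

_SEG = re.compile(r"[0-9]+|[A-Za-z]+")

def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpm label compare (no tilde/caret handling): returns -1, 0 or 1."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)          # numeric segments compare as integers
            if xi != yi:
                return -1 if xi < yi else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment beats an alpha one
        elif x != y:
            return -1 if x < y else 1        # alpha segments compare as strings
    # all shared segments equal: whichever string has segments left over wins
    return 0 if len(sa) == len(sb) else (-1 if len(sa) < len(sb) else 1)

def parse_nvra(pkg: str) -> Tuple[str, str, str, str]:
    """Split 'name-version-release.arch' as printed by `rpm -qa` (epoch is not shown)."""
    name, ver, rel_arch = pkg.rsplit("-", 2)   # name may itself contain hyphens
    rel, arch = rel_arch.rsplit(".", 1)
    return name, ver, rel, arch

def is_fixed(installed: str, fixed: str) -> bool:
    """True when the installed NVRA is at or above the fixed NVRA (version, then release)."""
    n1, v1, r1, _ = parse_nvra(installed)
    n2, v2, r2, _ = parse_nvra(fixed)
    if n1 != n2:
        raise ValueError(f"package name mismatch: {n1} vs {n2}")
    return (rpmvercmp(v1, v2) or rpmvercmp(r1, r2)) >= 0

def check_rpm_qa(output: str, fixed: str) -> Dict[str, bool]:
    """Map each installed package with the fixed package's name to fixed (True) or not."""
    fixed_name = parse_nvra(fixed)[0]
    result: Dict[str, bool] = {}
    for line in output.splitlines():
        line = line.strip()
        try:
            if line and parse_nvra(line)[0] == fixed_name:
                result[line] = is_fixed(line, fixed)
        except ValueError:
            continue  # lines such as gpg-pubkey-* have no arch and are skipped
    return result
```

Feed it the output of `podman run --rm --entrypoint rpm <image> -qa` for each image digest under review; an entry mapped to False is still below the erratum's version.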

              People: rh-ee-mold Mark Old, rhn-support-rludva Radomir Ludva