Impact statement for the OCPBUGS-52485 series:

Which 4.y.z to 4.y'.z' updates increase vulnerability?

• 4.18.z to 4.19.z'

Which types of clusters?

• A cluster is impacted by the bug if it is installed with version 4.1 or 4.2.

There are a few ways to tell which version a cluster is installed with:

• Use cluster_version{_id="",type="initial"} to query the cluster metrics. Note that if the answer shows a version
  • 4.1 or 4.2: then it is affected.
  • 4.3 - 4.9: then it might be affected. This is due to a limitation of the metric. We need to use the next method for this case.
  • 4.10 - 4.18: then it is not affected.

• The another method is to SSH to a node (e.g., via oc debug node) of the cluster and check "sysroot.bootloader". If it is not set, then the cluster is impacted. Otherwise, not.

$ ostree config --repo=/sysroot/ostree/repo get sysroot.bootloader
error: Key file does not have key ?bootloader? in group ?sysroot?

What is the impact? Is it serious enough to warrant removing update recommendations?

• The upgrade to 4.19 will fail if the cluster is born with 4.1 or 4.2. Although there is not any observed impact on the existing workload on the cluster, it is strongly suggested to wait until a version including the fix is available. It is quite involving to get rid of the failure status once getting in. 

How involved is remediation?

• As right now (June 18, 2025), no supported remediation is available.

Is this a regression?

• No. By default composefs enabled firstly from 4.19, but we should support the transition from earlier versions.