GITOPS-6721 (OpenShift GitOps)

rhel9/redis-7 image in GitOps 1.16.0 flagged for CVE-2020-11023


    • Type: Vulnerability
    • Resolution: Done
    • Priority: Major
    • Fix Version/s: 1.16.1
    • Sprint: GitOps Crimson Sprint 14

      Description of Problem
      The GitOps 1.16.0 bundle is currently using a 5-month-old rhel9/redis-7 container image. A customer scan using Prisma Cloud flagged this image for CVE-2020-11023.

      We might also want to update the rhel9/redis-7 image in all our currently supported OpenShift GitOps releases.


      Additional Info

      • Image in use: registry.redhat.io/rhel9/redis-7@sha256:848f4298a9465dafb7ce9790e991bd8a11de2558e3a6685e1d7c4a6e0fc5f371
      • CVE: CVE-2020-11023
      • Customer security tooling: Prisma Cloud


      Problem Reproduction
      Deploy GitOps 1.16.0 and inspect the container images in use. Verify the version and build date of the redis-7 image used in the bundle.


      $ podman pull --authfile ~/pull-secret.txt registry.redhat.io/openshift-gitops-1/gitops-operator-bundle:v1.16.0
      $ echo 'FROM registry.redhat.io/openshift-gitops-1/gitops-operator-bundle:v1.16.0' > Dockerfile
      $ podman build -o ./bundle -f Dockerfile .
      $ cat ./bundle/manifests/*clusterserviceversion*
      [...]
        relatedImages:
      [...]
        - name: argocd_redis_image
          image: registry.redhat.io/rhel9/redis-7@sha256:848f4298a9465dafb7ce9790e991bd8a11de2558e3a6685e1d7c4a6e0fc5f371

      $ oc image info registry.redhat.io/rhel9/redis-7@sha256:848f4298a9465dafb7ce9790e991bd8a11de2558e3a6685e1d7c4a6e0fc5f371
      error: the image is a manifest list and contains multiple images - use --filter-by-os to select from:

        OS            DIGEST
        linux/amd64   sha256:1ff1c64049254cbefcc09337866663e2c2d0a895ec4ebde1cbaef908a63e7913
        linux/arm64   sha256:2c51cf469de4aaa8acf27106501bb93b36888135c27df5b4939f11cf8109708b
        linux/ppc64le sha256:5da731ea282bcd2c67f7e5fe889c765d936e1dbeb3c6f789024af509d8e6cec7
        linux/s390x   sha256:a550c8681c91641d57f4fff23c41630aa41e2a7b0b47260c2faf32e86437344e

      https://catalog.redhat.com/software/containers/rhel9/redis-7/64881353e0e10aaf1cbac8b7/history?architecture=amd64
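
As an added example (not part of this issue or of the GitOps project), a POSIX shell check that automates the CSV inspection above: it pulls the argocd_redis_image reference out of an extracted bundle's ClusterServiceVersion and reports whether it still pins the digest flagged here. It assumes the relatedImages layout shown in the output above; the CSV fragments it feeds itself are constructed, and the rebuilt-image digest is a placeholder.

```shell
#!/bin/sh
# Added example (not from the issue): check whether an extracted GitOps
# bundle CSV still pins the redis-7 digest flagged in GITOPS-6721.
# Assumes the relatedImages layout shown above: a "- name:" line followed
# by an "image:" line. The sample CSV fragments below are constructed.

# Manifest-list digest flagged in this issue (copied from the ticket).
FLAGGED_DIGEST="sha256:848f4298a9465dafb7ce9790e991bd8a11de2558e3a6685e1d7c4a6e0fc5f371"

# Print the image reference recorded under relatedImages for a given name.
# Usage: related_image <name> <csv-file>
related_image() {
    awk -v want="$1" '
        /^[[:space:]]*- name:/ { cur = $NF }
        /^[[:space:]]*image:/ && cur == want { print $NF; exit }
    ' "$2"
}

# Return 0 if the CSV pins the flagged redis image, 1 otherwise.
# Usage: uses_flagged_redis <csv-file>
uses_flagged_redis() {
    ref=$(related_image argocd_redis_image "$1")
    case "$ref" in
        *@"$FLAGGED_DIGEST") return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed CSV fragment mirroring the 1.16.0 bundle output shown above.
VULN_CSV=$(mktemp)
cat > "$VULN_CSV" <<'EOF'
  relatedImages:
    - name: argocd_image
      image: registry.example/placeholder/argocd@sha256:PLACEHOLDER_ARGOCD_DIGEST
    - name: argocd_redis_image
      image: registry.redhat.io/rhel9/redis-7@sha256:848f4298a9465dafb7ce9790e991bd8a11de2558e3a6685e1d7c4a6e0fc5f371
EOF

# Constructed CSV fragment with a placeholder digest standing in for a rebuilt image.
FIXED_CSV=$(mktemp)
cat > "$FIXED_CSV" <<'EOF'
  relatedImages:
    - name: argocd_redis_image
      image: registry.redhat.io/rhel9/redis-7@sha256:PLACEHOLDER_REBUILT_DIGEST
EOF

# With a real bundle, run:  uses_flagged_redis ./bundle/manifests/*clusterserviceversion*
if uses_flagged_redis "$VULN_CSV"; then echo "1.16.0 sample: flagged redis-7 digest pinned"; fi
if ! uses_flagged_redis "$FIXED_CSV"; then echo "rebuilt sample: flagged digest not present"; fi
```

The check only matches the manifest-list digest recorded in the CSV; to confirm the per-architecture digests reported by Prisma Cloud, resolve the list with oc image info as shown above.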

      Reproducibility
      Always


      Prerequisites/Environment

      • OpenShift 4.x
      • GitOps Operator 1.16.0
      • Redis image: rhel9/redis-7
      • Prisma Cloud used for scanning


      Steps to Reproduce

      1. Deploy GitOps Operator version 1.16.0

      > rhel9/redis-7@sha256:1ff1c64049254cbefcc09337866663e2c2d0a895ec4ebde1cbaef908a63e7913

      > Version detected: gcc, version: 11.4.1-3.el9

      > Fixed in 11.5.0-5.el9_5

      > CVE portal page : https://access.redhat.com/security/cve/CVE-2020-11023


      Expected Results
      The GitOps bundle uses a recent, non-vulnerable version of the redis-7 image that uses gcc 11.5.0-5.el9_5.


      Actual Results
      An outdated redis-7 image is used, which has been flagged for CVE-2020-11023 due to gcc 11.4.1-3.el9.


      Fix Approaches

      • Update the GitOps 1.16.x bundle to use the latest available rhel9/redis-7 image
      • Ensure the new image has at least gcc 11.5.0-5.el9_5


      Acceptance Criteria

      • The GitOps bundle uses a recent Redis image with at least gcc 11.5.0-5.el9_5
      • CVE-2020-11023 is not present in the deployed image


              rh-ee-mmeetei Mangaal Meetei
              rh-ee-dcoronel David Coronel