OpenShift GitOps / GITOPS-7182

ose-kube-rbac-proxy in OpenShift GitOps pulling from outdated v4.13 stream


    • Type: Bug
    • Resolution: Done
    • Priority: Major
    • Fix Version/s: 1.16.3
    • Story Points: 2
    • Sprint: GitOps Crimson Sprint 18

      Description of Problem

      • The `ose-kube-rbac-proxy` container shipped with OpenShift GitOps 1.16.2 is vulnerable to the `libxml2` CVEs CVE-2024-56171, CVE-2025-24928 and CVE-2025-22869 because the operator bundle pins the image from the outdated v4.13 stream. The pinned build is roughly three months old and predates the `libxml2` security fixes released for RHEL 8 on March 12, 2025.

      Additional Info

      • N/A

      Problem Reproduction

      • Deploy OpenShift GitOps 1.16.2 (or extract its operator bundle as shown under Steps to Reproduce) and inspect the `ose-kube-rbac-proxy` image referenced in the CSV's `relatedImages`. It resolves to a months-old v4.13-stream build that still contains the `libxml2` vulnerabilities listed above.

      Reproducibility

      • Always

      Prerequisites/Environment

      • OpenShift GitOps 1.16.2
      • OpenShift Cluster (e.g., OCP 4.x)

      Steps to Reproduce


      # Pull the 1.16.2 operator bundle and unpack its filesystem (manifests/, metadata/)
      # into ./bundle by building a single FROM layer with --output.
      $ podman pull --authfile ~/pull-secret.txt registry.redhat.io/openshift-gitops-1/gitops-operator-bundle:v1.16.2
      $ cd $(mktemp -d)
      $ echo 'FROM registry.redhat.io/openshift-gitops-1/gitops-operator-bundle:v1.16.2' > Dockerfile
      $ podman build -o ./bundle -f Dockerfile .
      # The ClusterServiceVersion lists every image the operator deploys under relatedImages.
      $ cat ./bundle/manifests/*clusterserviceversion*
      [...]
        relatedImages:
      [...]
          - name: kube-rbac-proxy
            image: registry.redhat.io/openshift4/ose-kube-rbac-proxy@sha256:baa41441752d6d739065eda587b92402e209c67fbcdacf0a40559d37c9e978eb
      [...]
      # The pinned digest is a manifest list, so oc image info needs a platform
      # (re-run with --filter-by-os linux/amd64 to get the single-arch image).
      $ oc image info registry.redhat.io/openshift4/ose-kube-rbac-proxy@sha256:baa41441752d6d739065eda587b92402e209c67fbcdacf0a40559d37c9e978eb
      error: the image is a manifest list and contains multiple images - use --filter-by-os to select from:
        OS            DIGEST
        linux/amd64   sha256:89f44c45373da73a51b0b9a02de7efe519dc2d5343b65fe382526cccc92f8f5c
        linux/arm64   sha256:8239246872c538281d187f24180c1201f2e2ac3c3744dd6dee2c0a23979c0b1c
        linux/ppc64le sha256:21ad900a4507ac034ecb3d0f90faebb02a2af4613458a0ee0c45452d72b20b2a
        linux/s390x   sha256:b643a6c49df2ad47e4248a57caa2febec71c3dbc2fed90e8b5c778d1716f54e8
      --> the amd64 digest points to https://catalog.redhat.com/software/containers/openshift4/ose-kube-rbac-proxy/5cdb2634dd19c778293b4d98?image=67d045cbb41f87517552191d&architecture=amd64
          which shows a build that is 3 months old
      
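      As an added example (not part of this ticket or of the GitOps project's own tooling), the Python script below automates the two things the session above does by hand: it picks the per-platform digest out of the manifest list that made `oc image info` stop, and it gates the resolved image on the stream in its `version` label and on its build date relative to the March 12, 2025 `libxml2` fix. The manifest-list JSON is in the shape `skopeo inspect --raw` returns and reuses the four digests printed above; the per-image records are constructed stand-ins for `skopeo inspect` output with made-up build dates and release labels (the Red Hat `version`/`release` label convention is assumed), and the reference date is likewise constructed.

```python
import json
import re
from datetime import datetime, timezone

# Manifest list in the shape of `skopeo inspect --raw`; the digests are the
# four the ticket's `oc image info` call printed, the structure is constructed.
MANIFEST_LIST = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
    "manifests": [
        {"digest": "sha256:89f44c45373da73a51b0b9a02de7efe519dc2d5343b65fe382526cccc92f8f5c",
         "platform": {"architecture": "amd64", "os": "linux"}},
        {"digest": "sha256:8239246872c538281d187f24180c1201f2e2ac3c3744dd6dee2c0a23979c0b1c",
         "platform": {"architecture": "arm64", "os": "linux"}},
        {"digest": "sha256:21ad900a4507ac034ecb3d0f90faebb02a2af4613458a0ee0c45452d72b20b2a",
         "platform": {"architecture": "ppc64le", "os": "linux"}},
        {"digest": "sha256:b643a6c49df2ad47e4248a57caa2febec71c3dbc2fed90e8b5c778d1716f54e8",
         "platform": {"architecture": "s390x", "os": "linux"}},
    ],
})

# Constructed `skopeo inspect` record for the pinned amd64 image: only the digest
# is from the ticket; Created and the release label are invented for illustration.
OUTDATED_IMAGE = json.dumps({
    "Name": "registry.redhat.io/openshift4/ose-kube-rbac-proxy",
    "Digest": "sha256:89f44c45373da73a51b0b9a02de7efe519dc2d5343b65fe382526cccc92f8f5c",
    "Created": "2025-03-11T09:27:44.123456789Z",
    "Architecture": "amd64", "Os": "linux",
    "Labels": {"name": "openshift/ose-kube-rbac-proxy", "version": "v4.13.0",
               "release": "202503110642.p0.example"},
})

# Constructed counterpart from the current stream (every value hypothetical).
CURRENT_IMAGE = json.dumps({
    "Name": "registry.redhat.io/openshift4/ose-kube-rbac-proxy",
    "Digest": "sha256:" + "0" * 64,
    "Created": "2025-06-02T15:04:05Z",
    "Architecture": "amd64", "Os": "linux",
    "Labels": {"name": "openshift/ose-kube-rbac-proxy", "version": "v4.15.0",
               "release": "202506021200.p0.example"},
})

# From the ticket: libxml2 fixes landed in RHEL 8 on 2025-03-12 and the
# acceptable stream is v4.15 or newer. The reference date is constructed.
LIBXML2_FIX_DATE = datetime(2025, 3, 12, tzinfo=timezone.utc)
MIN_STREAM = (4, 15)
REFERENCE_DATE = datetime(2025, 6, 11, 12, 0, tzinfo=timezone.utc)

STREAM_RE = re.compile(r"^v?(\d+)\.(\d+)")


def pick_platform_digest(manifest_list_json, os_name="linux", arch="amd64"):
    """Select one platform's digest from a manifest list / OCI index, which is
    what `oc image info --filter-by-os linux/amd64` does for you."""
    for m in json.loads(manifest_list_json).get("manifests", []):
        plat = m.get("platform", {})
        if plat.get("os") == os_name and plat.get("architecture") == arch:
            return m["digest"]
    return None


def parse_created(ts):
    """Parse the RFC 3339 'Created' field. skopeo/podman may print nanoseconds,
    which strptime cannot consume, so the fractional part is dropped."""
    base = ts.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def stream_of(version_label):
    """'v4.13.0' -> (4, 13); None when the label is not a stream version."""
    m = STREAM_RE.match(version_label or "")
    return (int(m.group(1)), int(m.group(2))) if m else None


def check_image(inspect_json, as_of, min_stream=MIN_STREAM, built_after=LIBXML2_FIX_DATE):
    """Gate an image on its stream floor and on being built after the fix date.
    A post-fix build date is necessary, not sufficient: it only shows the build
    could have picked up the erratum, not that the fixed RPM is installed."""
    info = json.loads(inspect_json)
    stream = stream_of((info.get("Labels") or {}).get("version"))
    created = parse_created(info["Created"])
    reasons = []
    if stream is None:
        reasons.append("no parseable 'version' label")
    elif stream < min_stream:
        reasons.append("stream v%d.%d is below the v%d.%d floor" % (stream + min_stream))
    if created < built_after:
        reasons.append("built %s, before the fix date %s" % (created.date(), built_after.date()))
    return {"digest": info.get("Digest"), "stream": stream,
            "age_days": (as_of - created).days, "ok": not reasons, "reasons": reasons}


if __name__ == "__main__":
    print("amd64 digest:", pick_platform_digest(MANIFEST_LIST))
    for sample in (OUTDATED_IMAGE, CURRENT_IMAGE):
        print(json.dumps(check_image(sample, REFERENCE_DATE), indent=2))
```

      To run it against real data, feed `skopeo inspect --raw docker://registry.redhat.io/openshift4/ose-kube-rbac-proxy@sha256:<list digest>` to `pick_platform_digest` and `skopeo inspect docker://...@sha256:<per-arch digest>` to `check_image`. Treat a passing build-date check as a prerequisite only; confirming the fix means checking the `libxml2` package actually installed in the image (for example `podman run --rm --entrypoint rpm <image> -q libxml2`, where the image ships rpm) against the erratum.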


      Expected Results

      • The `ose-kube-rbac-proxy` container image should be up-to-date, incorporating the latest `libxml2` fixes, and should not be vulnerable to CVE-2024-56171, CVE-2025-24928, or CVE-2025-22869. The image should be sourced from the latest available stream (v4.15 or newer).

      Actual Results

      • The `ose-kube-rbac-proxy` container image is outdated (approximately 3 months old as of the GitOps 1.16.2 release date) and contains the identified `libxml2` CVEs. The image is sourced from the v4.13 stream instead of the current v4.15 stream.

      Problem Analysis

      • The product bundle references `ose-kube-rbac-proxy` from the older v4.13 stream; the latest available stream is v4.15.

      Root Cause

      • The `kube-rbac-proxy` entry in the operator bundle CSV's `relatedImages` pins a v4.13-stream `ose-kube-rbac-proxy` digest instead of one from the current stream, so the product keeps shipping that build regardless of newer rebuilds.

      Workaround (If Possible)

      • N/A

      Fix Approaches

      Acceptance Criteria

      • The `ose-kube-rbac-proxy` container image in OpenShift GitOps is updated to a version that contains fixes for CVE-2024-56171, CVE-2025-24928, and CVE-2025-22869.
      • The `ose-kube-rbac-proxy` image is sourced from the latest available stable stream (currently v4.15 or newer).
      • A new OpenShift GitOps release is available that includes the updated `ose-kube-rbac-proxy` image.

      Definition of Done

      • Code Complete:
        • All code has been written, reviewed, and approved.
      • Tested:
        • Unit tests have been written and passed.
        • Ensure code coverage is not reduced with the changes.
        • Integration tests have been automated.
        • System tests have been conducted, and all critical bugs have been fixed.
        • Tested and merged on OpenShift either upstream or downstream on a local build.
      • Documentation:
        • User documentation or release notes have been written (if applicable).
      • Build:
        • Code has been successfully built and integrated into the main repository / project.
        • Midstream changes (if applicable) are done, reviewed, approved and merged.
      • Review:
        • Code has been peer-reviewed and meets coding standards.
        • All acceptance criteria defined in the user story have been met.
        • Tested by reviewer on OpenShift.
      • Deployment:
        • The feature has been deployed on OpenShift cluster for testing.

              rhn-support-alkumari Alka Kumari
              rh-ee-dcoronel David Coronel