Bug
Resolution: Done
With this update, the git-lfs dependency in the Argo CD container image has been updated to v3.7.1 to address CVE-2024-45337.
GitOps Crimson Sprint 25
Description of Problem
- Customers are seeing CVE-2024-45337 reported by Red Hat Advanced Cluster Security (RHACS) against the OpenShift GitOps Operator v1.18.1 (ArgoCD-based) images.
- Although the GitOps engineering team previously confirmed that the vulnerability was remediated, recent scans indicate that the issue reappeared because of a regression in the git-lfs binary, which still bundles a vulnerable version of golang.org/x/crypto (v0.21.0, fixed in v0.31.0).
- Multiple scanners (Trivy, Grype, Clair) report the CVE in the following image:
registry.redhat.io/openshift-gitops-1/argocd-rhel8@sha256:f217d2b894fc579013db354ee21aceba9290dce008ae07cff3693483314b4fa7
- RHACS is configured with ROX_SCANNER_V4_RED_HAT_LAYERS_RED_HAT_VULNS_ONLY, which should report only Red Hat–maintained vulnerabilities, yet this CVE persists, indicating the image still contains the vulnerable dependency.
- The GitOps team confirmed that due to prior dependency changes, the git-lfs binary now triggers the CVE again and requires an update.
Additional Info
CVE: CVE-2024-45337
Severity: Critical (CVSS 9.1), RHSA marks it as Important (8.2)
Binary Affected: usr/local/bin/git-lfs
Dependency: golang.org/x/crypto v0.21.0 → needs update to ≥ v0.31.0
Reference threads:
Problem Reproduction
- Deploy OpenShift GitOps Operator v1.18.1 on an OpenShift cluster.
- Run RHACS, Trivy, or Grype scans against the following image:
registry.redhat.io/openshift-gitops-1/argocd-rhel8@sha256:f217d2b894fc579013db354ee21aceba9290dce008ae07cff3693483314b4fa7
- Observe that CVE-2024-45337 is flagged against the git-lfs binary.
Reproducibility
- Always
Prerequisites/Environment
- OpenShift Container Platform 4.x
- OpenShift GitOps Operator v1.18.1 (ArgoCD-based)
- RHACS configured with:
ROX_SCANNER_V4_RED_HAT_LAYERS_RED_HAT_VULNS_ONLY=true
- Image:
registry.redhat.io/openshift-gitops-1/argocd-rhel8@sha256:f217d2b894fc579013db354ee21aceba9290dce008ae07cff3693483314b4fa7
Steps to Reproduce
- Pull the image locally or from a cluster node.
- Run:
trivy image registry.redhat.io/openshift-gitops-1/argocd-rhel8@sha256:f217d2b894fc579013db354ee21aceba9290dce008ae07cff3693483314b4fa7
- Review the scan output for:
usr/local/bin/git-lfs (gobinary) golang.org/x/crypto CVE-2024-45337 CRITICAL v0.21.0 Fixed in 0.31.0
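The review step above can be automated so the same check gates a rebuilt image before release. The following is an added example, not code from the ticket or the GitOps project; it assumes the JSON shape of `trivy image --format json` (Results[].Type, Results[].Target, Results[].Vulnerabilities[].VulnerabilityID/PkgName/InstalledVersion), and the sample scan result embedded in it is constructed to mirror the finding quoted above.

```python
import json

# Values from the ticket: CVE-2024-45337 in golang.org/x/crypto, fixed in v0.31.0.
CVE_ID = "CVE-2024-45337"
VULN_MODULE = "golang.org/x/crypto"
FIXED_VERSION = "0.31.0"

# Constructed sample in the shape of `trivy image --format json` output;
# it mirrors the git-lfs finding from the ticket and is not a captured scan.
SAMPLE_TRIVY_JSON = json.dumps({"Results": [{
    "Target": "usr/local/bin/git-lfs",
    "Type": "gobinary",
    "Vulnerabilities": [{
        "VulnerabilityID": CVE_ID,
        "PkgName": VULN_MODULE,
        "InstalledVersion": "v0.21.0",
        "FixedVersion": "0.31.0",
        "Severity": "CRITICAL",
    }],
}]})


def parse_version(v):
    """Turn 'v0.21.0' or '0.31.0' into a comparable tuple of ints. A Go
    pseudo-version such as 'v0.0.0-20240101...' keeps only its numeric
    prefix, so it sorts below any tagged release (conservative)."""
    return tuple(int(p) for p in v.lstrip("v").split("-")[0].split(".")[:3])


def crypto_regressions(trivy_json):
    """Return (target, installed_version) for every Go binary in the scan that
    still links golang.org/x/crypto below the fixed version. An empty list
    means the regression described in the ticket is not present."""
    report = json.loads(trivy_json)
    hits = []
    for result in report.get("Results", []):
        if result.get("Type") != "gobinary":
            continue
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("VulnerabilityID") != CVE_ID or vuln.get("PkgName") != VULN_MODULE:
                continue
            installed = vuln.get("InstalledVersion", "0.0.0")
            if parse_version(installed) < parse_version(FIXED_VERSION):
                hits.append((result.get("Target"), installed))
    return hits


if __name__ == "__main__":
    # With a real scan: trivy image --format json <image> > scan.json, then load that file.
    for target, installed in crypto_regressions(SAMPLE_TRIVY_JSON):
        print(f"{target}: {VULN_MODULE} {installed} < {FIXED_VERSION}, {CVE_ID} still present")
```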
Expected Results
- RHACS and other scanners should not report CVE-2024-45337, indicating that the vulnerable dependency has been updated and VEX metadata correctly reflects the remediation.
Actual Results
- CVE-2024-45337 is still flagged by multiple scanners because the outdated git-lfs binary bundles the vulnerable golang.org/x/crypto library.
Problem Analysis
- (Engineering to complete during triage)
Preliminary analysis suggests the vulnerable version of golang.org/x/crypto is being included via the git-lfs binary, which was not rebuilt after upstream changes in dependency management.
Root Cause
- Dependency regression in the git-lfs binary, which reintroduced the vulnerable version of golang.org/x/crypto (v0.21.0). The image was not rebuilt with the fixed dependency (v0.31.0).
Workaround (If Possible)
- No direct workaround at this time.
- Customers may ignore the CVE if validated by Red Hat Security as a false positive, or wait for a rebuilt image containing the updated git-lfs binary.
Fix Approaches
- Rebuild the affected image with an updated git-lfs dependency using golang.org/x/crypto v0.31.0 or later.
- Ensure RHSA/VEX data reflects the fix once the image is rebuilt.
- Verify via internal Clair and RHACS scans before release.