- Bug
- Resolution: Done-Errata
- Major
- Logging 5.8.z, Logging 5.9.z
- NEW
- VERIFIED
- Release Note Not Required
- Log Collection - Sprint 258
- Important
Description of problem:
CVE-2023-0286 [1] affects cluster-logging-rhel9-operator image.
The CVE affects the compat-openssl11 package, which is "manually" installed in the image as shown in the Dockerfile [2]. There is a private bug for RHEL 9 as shown in [3].
As per [4], it is not clear whether the compat-openssl11 package will be retired from RHEL 9; the RHEL 8 equivalent was retired because there was no intent to keep fixing CVEs in it [5].
Version-Release number of selected component (if applicable):
cluster-logging-rhel9-operator 5.9, 5.8
How reproducible:
Always
Steps to Reproduce:
- Package installed by the Dockerfile [2].
Actual results:
Vulnerable compat-openssl11 package affects cluster-logging-rhel9-operator image.
Expected results:
If possible, remove that package from the image (it is not clear whether it will be removed from the RHCOS/UBI image [4]).
Additional info:
The CVE has "Important Impact", so setting this issue as "Priority Major".
[1] https://access.redhat.com/security/cve/CVE-2023-0286
[2] https://catalog.redhat.com/software/containers/openshift-logging/cluster-logging-rhel9-operator/644799230dfd5adb35db6f60?architecture=amd64&image=664ba70184b456c244d16502
[3] https://bugzilla.redhat.com/show_bug.cgi?id=2164440#c3
[4] https://issues.redhat.com/browse/COS-2371
[5] https://issues.redhat.com/browse/COS-2461
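The report's concern is an RPM pulled in explicitly by a RUN step in the image's Dockerfile. The following added check (not part of this issue or of the operator's own build tooling) scans a Dockerfile for dnf/yum/microdnf/rpm install commands that name a blocklisted package, joining backslash-continued lines first so multi-line RUN steps are inspected as one instruction; the blocklist and the sample Dockerfile are constructed for the example.

```python
import re

# Packages that must not be baked into the image; the list itself is an assumption of this example.
BLOCKLIST = {"compat-openssl11"}
# dnf/yum/microdnf install (flags may precede the verb) or rpm -i/-U.
INSTALL_RE = re.compile(
    r"\b(?:dnf|yum|microdnf)\s+(?:-\S+\s+)*(?:install|reinstall)\b"
    r"|\brpm\s+(?:-\S+\s+)*-[iU]\w*\b"
)

def logical_instructions(dockerfile: str):
    """Yield Dockerfile instructions with backslash continuations joined and comment lines dropped."""
    buf = []
    for raw in dockerfile.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield " ".join(buf)
        buf = []
    if buf:  # file ended on a continuation line
        yield " ".join(buf)

def find_blocked_installs(dockerfile: str, blocklist=BLOCKLIST):
    """Return (package, instruction) pairs for RUN steps that install a blocklisted package."""
    hits = []
    for instr in logical_instructions(dockerfile):
        if not instr.upper().startswith("RUN"):
            continue
        # Check each shell command on its own so a later 'dnf remove' is not taken for an install.
        for cmd in re.split(r"&&|\|\||;", instr[3:]):
            if not INSTALL_RE.search(cmd):
                continue
            # Reduce 'pkgs/compat-openssl11-1.1.1k-4.el9.x86_64.rpm' to 'compat-openssl11' before comparing.
            names = {re.sub(r"-\d.*$", "", t.rsplit("/", 1)[-1]) for t in cmd.split()}
            for pkg in sorted(names & set(blocklist)):
                hits.append((pkg, instr))
    return hits

# Constructed sample, not the operator's real Dockerfile.
SAMPLE_DOCKERFILE = """\
FROM registry.access.redhat.com/ubi9/ubi-minimal
RUN microdnf -y install openssl \\
    compat-openssl11 && microdnf clean all
RUN dnf -y remove compat-openssl11
"""
```

Running `find_blocked_installs(SAMPLE_DOCKERFILE)` flags only the microdnf install step, not the later remove; wiring it into the image build pipeline gives an early signal before a scanner reports the vulnerable package in the published image.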
- is cloned by: LOG-5983 [release-6.0] CVE-2023-0286 affecting cluster-logging-rhel9-operator image (Closed)
- is related to: COS-2371 Determine RHEL 8/9 compat plan for tools on OCP mirror (New)
- links to: RHBA-2024:137867 Logging for Red Hat OpenShift - 5.9.6
- mentioned on