OpenShift Logging / LOG-5983

[release-6.0] CVE-2023-0286 affecting cluster-logging-rhel9-operator image


    • Log Collection - Sprint 258

      Description of problem:

      CVE-2023-0286 [1] affects cluster-logging-rhel9-operator image.

      The CVE affects the compat-openssl11 package, which is "manually" installed in the image as shown in the Dockerfile [2]. There is a private bug for RHEL 9 as shown in [3].

      As per [4], it's not clear whether the compat-openssl11 package will be retired from RHEL 9, since the RHEL 8 one was retired because there was no intention of fixing CVEs for it [5].

      Version-Release number of selected component (if applicable):

      cluster-logging-rhel9-operator 5.9, 5.8

      How reproducible:

      Always

      Steps to Reproduce:

      1. The package is installed by the Dockerfile [2].

      Actual results:

      Vulnerable compat-openssl11 package affects cluster-logging-rhel9-operator image.

      Expected results:

      If possible, remove that package from the image (as it's not clear whether it will be removed from the RHCOS/UBI image [4]).

      Additional info:

      The CVE has "Important Impact", so setting this issue as "Priority Major".


      [1] https://access.redhat.com/security/cve/CVE-2023-0286
      [2] https://catalog.redhat.com/software/containers/openshift-logging/cluster-logging-rhel9-operator/644799230dfd5adb35db6f60?architecture=amd64&image=664ba70184b456c244d16502
      [3] https://bugzilla.redhat.com/show_bug.cgi?id=2164440#c3
      [4] https://issues.redhat.com/browse/COS-2371
      [5] https://issues.redhat.com/browse/COS-2461

              rojacob@redhat.com Robert Jacob
              oarribas@redhat.com Oscar Arribas Arribas
              Anping Li