Bug
Resolution: Unresolved
Critical
A 4.18 cluster using MTC 1.8.12 (target cluster) and a 4.12 cluster using MTC 1.8.8 (source cluster). Since installing the operator we get security warnings of unfixed vulnerabilities in rsync.
The rsync pod seems to be using an image based on RHEL 8:
image: 'registry.redhat.io/rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:dbe5dccbde414209e0e6b398b528dcc7d1dbb17f50ac14ab73c3b0a498e71960'
The following CVEs are reported by the scanner as not being fixed:
CVE-2024-12084; CVE-2024-12085; CVE-2024-12086; CVE-2024-12087; CVE-2024-12088; CVE-2024-12747
Looking into the catalog, the following CVEs have been checked according to the list provided by the scanner:
https://access.redhat.com/security/cve/cve-2024-12084 -> RHEL 8 Not Affected
https://access.redhat.com/security/cve/cve-2024-12085 -> Fixed in https://access.redhat.com/errata/RHSA-2025:0325 rsync-3.1.3-20.el8_10.src.rpm
https://access.redhat.com/security/cve/cve-2024-12086 -> RHEL 8 Affected, not fixed yet
https://access.redhat.com/security/cve/cve-2024-12087 -> Fixed in https://access.redhat.com/errata/RHSA-2025:2600 rsync-3.1.3-21.el8_10.src.rpm
https://access.redhat.com/security/cve/cve-2024-12088 -> Fixed in https://access.redhat.com/errata/RHSA-2025:2600 rsync-3.1.3-21.el8_10.src.rpm
https://access.redhat.com/security/cve/cve-2024-12747 -> Fixed in https://access.redhat.com/errata/RHSA-2025:2600 rsync-3.1.3-21.el8_10.src.rpm
The image in use by MTC is running rsync-3.1.3-20.el8_8.1.x86_64 so the above CVEs are correctly reported as not being resolved.
The 1.8.8 version of MTC seems to be using rsync-3.1.3-23.el8_10.x86_64 which fixes the above vulnerabilities.
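The check above (installed rsync build in the pod versus the fixed builds from the advisories) written out as a small script, added here as an example and not part of this report or of MTC. The fixed-version table is transcribed from the CVE pages linked above; the version comparison is a simplified rpmvercmp (no tilde/caret handling, which these NVRs do not use).

```python
import re

# Fixed RHEL 8 rsync builds per advisory, transcribed from the Red Hat CVE
# pages linked in this report (version, release of the rsync-3.1.3 NVR).
FIXED_IN = {
    "CVE-2024-12085": ("3.1.3", "20.el8_10"),  # RHSA-2025:0325
    "CVE-2024-12087": ("3.1.3", "21.el8_10"),  # RHSA-2025:2600
    "CVE-2024-12088": ("3.1.3", "21.el8_10"),  # RHSA-2025:2600
    "CVE-2024-12747": ("3.1.3", "21.el8_10"),  # RHSA-2025:2600
}
NOT_AFFECTED = {"CVE-2024-12084"}  # RHEL 8 not affected
NO_FIX_YET = {"CVE-2024-12086"}    # RHEL 8 affected, unfixed when this was filed
_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")

def rpmvercmp(a: str, b: str) -> int:
    # Simplified rpmvercmp (assumption: no ~/^ handling): compare digit/alpha
    # runs pairwise, separators ignored; numeric beats alpha; longer wins a tie.
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def split_nvra(nvra: str):
    # 'rsync-3.1.3-20.el8_8.1.x86_64' -> ('rsync', '3.1.3', '20.el8_8.1')
    nvr = re.sub(r"\.(x86_64|aarch64|ppc64le|s390x|noarch)$", "", nvra)
    name, ver, rel = nvr.rsplit("-", 2)
    return name, ver, rel

def classify(installed_nvra: str, scanner_cves) -> dict:
    # Per scanner-reported CVE: does the installed build (`rpm -q rsync` in the pod) carry the fix?
    _, ver, rel = split_nvra(installed_nvra)
    out = {}
    for cve in scanner_cves:
        if cve in NOT_AFFECTED:
            out[cve] = "not affected"
        elif cve in NO_FIX_YET:
            out[cve] = "affected, no fix yet"
        elif cve in FIXED_IN:
            fver, frel = FIXED_IN[cve]
            has_fix = (rpmvercmp(ver, fver) or rpmvercmp(rel, frel)) >= 0
            out[cve] = "fixed" if has_fix else f"unfixed, needs {fver}-{frel}"
        else:
            out[cve] = "unknown"
    return out
```

Run with the NVR from `rpm -q rsync` inside the rsync-transfer pod; for rsync-3.1.3-20.el8_8.1 every fixed CVE comes back unfixed, for rsync-3.1.3-23.el8_10 they all come back fixed.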
We need an updated version of the image for recent versions of MTC, shipping a newer version of the rsync rpm, to fix the vulnerabilities.