Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-15175

[Major Incident] CVE-2023-3089 osc-operator-container: openshift: OCP & FIPS mode [rhosc-1-4]

XMLWordPrintable

    • No
    • False
    • Hide

      None

      Show
      None

      Security Tracking Issue

      Do not make this issue public.

      Impact: Major Incident
      Reported Date: 03-Jun-2023
      Resolve Bug By: 12-Jun-2023

      In case the dates above are already past, please evaluate this bug in your next prioritization review and make a decision then.

      Please see the Security Errata Policy for further details: https://docs.engineering.redhat.com/x/9kKpDw

      Flaw:

      CVE-2023-3089 openshift: OCP & FIPS mode
      https://bugzilla.redhat.com/show_bug.cgi?id=2212085

      The OCP components are based on go language and compiled with `CGO_ENABLED=0`. This disables any integration with OpenSSL and all crypto is then statically linked from go default libs. While the binaries do work on a FIPS-enabled machine, they don't use certified cryptography (OpenSSL).

            jfreiman Jens Freimann
            rhn-support-abhbaner Abhishek Banerjee
            Cameron Meadors Cameron Meadors
            Jian Zhang, Justin Pierce, Mrunal Patel, Neelesh Agrawal, Ryan Phillips, Victor Voronkov, Wei Duan, Xiaoli Tian
            Votes:
            0 Vote for this issue
            Watchers:
            6 Start watching this issue

              Created:
              Updated:
              Resolved: