Story
Resolution: Done
Minor
DO180 - OCP4.12-en-1-20230406
en-US (English)
URL: https://role.rhu.redhat.com/rol-rhu/app/courses/do180-4.12/pages/ch03s03
Reporter RHNID: yuvaraj-rhls
Section: images - Find and Inspect Container Images
Language: en-US (English)
Workaround:
Description: DO180-OCP4.12-en-1-20230406 page 179 and the video ch03s03 at 2:20 all say that Red Hat container images are free of known vulnerabilities. This is not what Red Hat promises. The specific wording from the workbook is "Red Hat rebuilds all components to avoid known security vulnerabilities" and "Vulnerability-free: Container images are free of known vulnerabilities in the platform components or layers."

According to https://access.redhat.com/articles/2208321, base RHEL and UBI images are rebuilt within "hours or days" when a Critical or Important CVE is released. Lower-priority vulnerabilities have their fixes released every 6 weeks if available, but they are not always fixed, per the policy in https://access.redhat.com/support/policy/updates/errata. This means that a vulnerability may be known and never fixed, or known and fixed eventually with no public promise as to when.

As a specific example, https://access.redhat.com/security/cve/cve-2021-21708 (rated "medium") was made public on Feb 16 2022, and was present in the ubi8/php-74 image. A fixed package was released on Nov 8 2022 and was picked up in the next rebuild of ubi8/php-74. Thank you!
User Name: daxelrod
daxelrod@redhat.com