Bug 1385581

Summary: CVEs on latest docker image by OpenSCAP
Product: Red Hat CloudForms Management Engine Reporter: Hayk Hovsepyan <hhovsepy>
Component: cfme-containerAssignee: Satoe Imaishi <simaishi>
Status: CLOSED CURRENTRELEASE QA Contact: Hayk Hovsepyan <hhovsepy>
Severity: high Docs Contact: Red Hat CloudForms Documentation <cloudforms-docs>
Priority: medium    
Version: unspecifiedCC: bazulay, cpelland, dajohnso, jhardy, mfoley, mmahoney, pgier
Target Milestone: GAKeywords: TestOnly
Target Release: 5.7.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: container:security
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-01-11 20:05:39 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: Container Management Target Upstream Version:

Description Hayk Hovsepyan 2016-10-17 10:54:02 UTC 
Description of problem:
Did run the CVE scan of OpenSCAP tool on "cloudforms/cfme:latest" and it showed Vulnerabilities.


Version-Release number of selected component (if applicable):
Digest: sha256:85635d603cae8e0414765ff858afb6f7c678c715e3c32e0fe9709db281a081b3
Comment 5 Barak 2016-12-01 15:48:30 UTC 
Satoe, 

I would imagine that this is not relevant anymore ?
Can you please verify ?
Comment 6 Satoe Imaishi 2016-12-02 14:07:26 UTC 
Checked the image with the reported sha.

The first 2 (RHSA-2016:1944-01 and RHSA-2016:1940-01) are not problem on that image.  The image has the RPMs with the CVE fixes already and I'm not sure why those CVEs are reported.

The last one, RHSA-2016:1626-00, was indeed a problem.  The CFME builds take the latest released RPMs from RHEL 7 repos.  Since the CVE fix was released in August and CFME build was in October, I don't understand why the new RPM wasn't included.  The repos have been updated since, and I will not be able to check if there was a problem with the repo at the time.

Confirmed the latest image (5.7.0.13) has all reported fixes included.
Comment 7 Hayk Hovsepyan 2016-12-14 15:50:52 UTC 
Verified on CR2 docker image of cloudforms/cfme.
All previously found missing CVEs are included now.
OpenSCAP report is green.