Bug 2106449

Summary: openshift4/ose-operator-registry image is vulnerable to multiple CVEs
Product: OpenShift Container Platform Reporter: Per da Silva <pegoncal>
Component: OLMAssignee: Per da Silva <pegoncal>
OLM sub component: OLM QA Contact: Jian Zhang <jiazha>
Status: CLOSED ERRATA Docs Contact:
Severity: low    
Priority: medium    
Version: 4.12   
Target Milestone: ---   
Target Release: 4.12.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-01-17 19:52:29 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2106772    

Description Per da Silva 2022-07-12 17:15:42 UTC 
This bug was initially created as a copy of Bug #2104837

I am copying this bug because: 

In order to get the fix backported down to 4.10 I need to go through 4.12 and 4.11

Description of problem:

Twistlock scan showed that openshift4/ose-operator-registry:v4.10 is vulnerable to following issues. Especially the containerd(github.com/containerd/containerd) is spotted vulnerable package and I believe the containerd version shipped is v1.4.11.

Could you let me know what is the plan for fixing these vulnerabilities ? Thanks.

List of Vulnerabilities:

1. CVE-2022-23648
A bug was found in containerd prior to versions 1.6.1, 1.5.10, and 1.14.12
Nvd link - https://nvd.nist.gov/vuln/detail/CVE-2022-23648

2. CVE-2021-32760
A bug was found in containerd versions prior to 1.4.8 and 1.5.4
Nvd link - https://nvd.nist.gov/vuln/detail/CVE-2021-32760

3. CVE-2022-31030
A bug was found in the containerd's CRI implementation where programs inside a container can cause the containerd daemon to consume memory without bound during invocation of the `ExecSync` API
Ned link - https://nvd.nist.gov/vuln/detail/CVE-2022-31030

4. CVE-2021-41103
A bug was found in containerd that has been fixed in containerd 1.4.11 and containerd 1.5.7
Ned link - https://nvd.nist.gov/vuln/detail/CVE-2021-41103

5, CVE-2021-32760
A bug was found in containerd versions prior to 1.4.8 and 1.5.4
Nvd link - https://nvd.nist.gov/vuln/detail/CVE-2021-32760


Version-Release number of selected component (if applicable):v4.10


How reproducible:
Running the twistlock scan on this image will show the vulnerability.
Version-Release number of selected component (if applicable):
Comment 1 Jian Zhang 2022-07-13 07:52:58 UTC 
1, Create an OCP cluster with the fixed PR via cluster-bot

mac:~ jianzhang$ oc get clusterversion
NAME      VERSION                                                   AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.11.0-0.ci.test-2022-07-13-065224-ci-ln-k1jp0gk-latest   True        False         15m     Cluster version is 4.11.0-0.ci.test-2022-07-13-065224-ci-ln-k1jp0gk-latest

2, Do a regression test.
mac:~ jianzhang$ oc get pods -n openshift-marketplace
NAME                                                              READY   STATUS      RESTARTS      AGE
6518c26c328d59c33d7d6f89fe65ea07b7a25557afff7e96715335bed7zkz5x   0/1     Completed   0             72s
96696e0506a4eba64778179a5ae569ea7b881e9f37a48113754cba904dtgmfj   0/1     Completed   0             17s
certified-operators-pt2pr                                         1/1     Running     0             46m
community-operators-45vt4                                         1/1     Running     0             46m
community-operators-v2ll5                                         0/1     Running     0             12s
e8c9651078ae45ddb2807e3a07727d459b82d7def5572a7b7ccaae332bc4tdr   0/1     Completed   0             9m21s
marketplace-operator-8c68d9b67-xwh2d                              1/1     Running     1 (38m ago)   49m
redhat-marketplace-hxgh8                                          1/1     Running     0             46m
redhat-operators-8njvm                                            1/1     Running     0             46m

No issue found for the containerd version updated, verify it.
Comment 4 Kiran Darbha 2022-07-21 11:46:43 UTC 
pepegoncal We will need this fix on openshift4/ose-operator-registry:v4.10 please. Any ETA on fix please ?
Comment 5 Kiran Darbha 2022-08-30 09:59:19 UTC 
@pegoncal I raised this bug to provide a fix for one-operator-registry:v4.10. Can you tell me what is ETA of it please ?
Comment 8 Per da Silva 2023-01-10 13:57:46 UTC 
I'm sorry for the huge delay, but it's been merged a while ago =D https://bugzilla.redhat.com/show_bug.cgi?id=2118261
Comment 10 errata-xmlrpc 2023-01-17 19:52:29 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.12.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:7399