Bug 2208493

+++ This bug was initially created as a clone of Bug #2190145 +++

Description of problem (please be detailed as possible and provide log
snippests):
We are facing security vulnerability with the packages using on ocs-operator (https://github.com/red-hat-storage/ocs-operator) which is Rook and Vault.

CVE-2022-3931
CVE-2023-24999
CVE-2023-0620

The following CVEs are reeported againt packages rook and Vault. Rook has to be atleast updated to version v1.11.3 or above to fix the issues as Vault CVE is present in rook version lower than v1.11.3.

I can see the similar error on ODF version 4.12, 4.11, 4.10 and 4.9. So the fixes has to be provided for all these version.

Also the odf-operator (https://github.com/red-hat-storage/odf-operator) which is having ocs-operator as dependent repo has to be updated once fixes are rolled out


Version of all relevant components (if applicable):
4.12, 4.11, 4.10 and 4.9


Does this issue impact your ability to continue to work with the product
(please explain in detail what is the user impact)?
Yes, we are getting CVE error in our repos


Is there any workaround available to the best of your knowledge?
update the vulnerable package to the compactable version


Rate from 1 - 5 the complexity of the scenario you performed that caused this
bug (1 - very simple, 5 - very complex)?
1

Can this issue reproducible?
yes

Can this issue reproduce from the UI?


If this is a regression, please provide more details to justify this:


Steps to Reproduce:
1.
2.
3.


Actual results:
Packages with CVEs found

Expected results:
All packages will not have any CVEs


Additional info:

--- Additional comment from RHEL Program Management on 2023-04-27 09:44:14 UTC ---

This bug having no release flag set previously, is now set with release flag 'odf‑4.13.0' to '?', and so is being proposed to be fixed at the ODF 4.13.0 release. Note that the 3 Acks (pm_ack, devel_ack, qa_ack), if any previously set while release flag was missing, have now been reset since the Acks are to be set against a release flag.

--- Additional comment from Gayathri Menath on 2023-04-27 10:08:20 UTC ---

@gayathri.m

--- Additional comment from Mudit Agarwal on 2023-05-10 03:21:12 UTC ---

Subham, which version of vault are we using in 4.13 to 4.9 in rook?
Please list here.

--- Additional comment from Gayathri Menath on 2023-05-11 07:55:59 UTC ---

https://bugzilla.redhat.com/show_bug.cgi?id=2203081 -  I have raised one more issue, could you please take care while fixing this issue as well.

--- Additional comment from Subham Rai on 2023-05-11 09:37:27 UTC ---

(In reply to Mudit Agarwal from comment #3)
> Subham, which version of vault are we using in 4.13 to 4.9 in rook?
> Please list here.

4.13: github.com/hashicorp/vault v1.13.1

4.12: github.com/hashicorp/vault v1.11.2

4.11:  github.com/hashicorp/vault v1.10.0

4.10: 	github.com/hashicorp/vault v1.8.2

4.19: github.com/hashicorp/vault v1.8.2

Done.

Do you also need the vault API and other vault pkg versions?

--- Additional comment from Mudit Agarwal on 2023-05-15 17:41:00 UTC ---

Thanks Subham, so this needs to be fixed from 4.12 till 4.9
I am not sure whether it is possible to upgrade this package in the z-stream or not due to other dependencies.

Subham, do you want to check this from rook's perspective?

--- Additional comment from Subham Rai on 2023-05-16 14:54:10 UTC ---

I'll check from rook side, I'm keeping needinfo on me so that I have this on track.

--- Additional comment from Gayathri Menath on 2023-05-19 06:01:13 UTC ---

Can I get some update on this? Could you please share the ETA?

--- Additional comment from Subham Rai on 2023-05-19 06:21:25 UTC ---

by early next week.