A flaw was found in Codecov: an error in Codecov's Docker image creation process allowed an actor to extract the credential required to modify the Bash Uploader script. References: https://about.codecov.io/security-update/
Statement: Codecov is not usually a component shipped in products, but it is sometimes used during product builds. This flaw is the outcome of an investigation into how the use of Covscan in our builds might have affected Red Hat products or services. Red Hat's internal build system (Koji) does not have egress to the internet, so the malicious script could not have been used on those systems to exfiltrate secret environment information directly. We are still investigating whether upstream builds might have been impacted.

OpenShift Container Platform's cri-o component is not affected because the GitHub Actions job which executes codecov does not add any secrets: https://github.com/cri-o/cri-o/blob/8ab831e686740a25509514010fba4bb2abca0f28/.github/workflows/test.yml#L273-L282

OpenShift Container Platform's coredns component does not use codecov at all.

OpenShift Container Platform's etcd component is not affected because it does not ship any binary, upstream or downstream, built with this testing Dockerfile, which has a reference to the codecov bash uploader script.

OpenShift Container Platform's ose-cluster-ingress-operator component is not affected because it does not use codecov during a Red Hat downstream build.
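The reasoning applied to each component above (does a job fetch the Bash Uploader, and does that job or the workflow expose any secrets to it) can be turned into a repeatable triage check. The script below is an added example, not Red Hat's or Codecov's own tooling; it splits a GitHub Actions workflow into jobs by indentation, flags jobs that invoke the uploader, and reports whether `${{ secrets.* }}` or `github.token` expressions are in scope for that job. The workflow text it runs on is constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Typical ways the Codecov Bash Uploader is fetched in CI (pipe-to-shell).
UPLOADER_RE = re.compile(r"codecov\.io/bash|codecov-bash", re.IGNORECASE)
# Expressions through which a job gains access to repository secrets
# (including the automatic token when it is referenced explicitly).
SECRET_RE = re.compile(r"\$\{\{\s*(secrets\.|github\.token)", re.IGNORECASE)


def split_workflow(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Return (lines outside the jobs mapping, {job_id: job body lines}).

    Uses indentation only, so no YAML library is required; good enough for
    triage of standard GitHub Actions workflow layouts.
    """
    top: List[str] = []
    jobs: Dict[str, List[str]] = {}
    in_jobs = False
    job_indent = None
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip(" "))
        if indent == 0:
            # A top-level key: either we enter "jobs:" or we leave it.
            in_jobs = stripped == "jobs:"
            current = None
            if not in_jobs:
                top.append(line)
            continue
        if not in_jobs:
            top.append(line)
            continue
        if job_indent is None:
            job_indent = indent
        if indent == job_indent and re.match(r"[\w.-]+:\s*$", stripped):
            current = stripped[:-1]
            jobs[current] = []
            continue
        if current is not None:
            jobs[current].append(line)
    return top, jobs


def triage_codecov_exposure(text: str) -> Dict[str, dict]:
    """For every job that runs the uploader, say whether secrets were in scope."""
    top, jobs = split_workflow(text)
    workflow_secrets = any(SECRET_RE.search(l) for l in top)
    report: Dict[str, dict] = {}
    for job_id, body in jobs.items():
        uploader_lines = [l.strip() for l in body if UPLOADER_RE.search(l)]
        if not uploader_lines:
            continue
        job_secrets = any(SECRET_RE.search(l) for l in body)
        exposed = job_secrets or workflow_secrets
        report[job_id] = {
            "uploader_lines": uploader_lines,
            "secrets_in_job": job_secrets,
            "secrets_in_workflow_env": workflow_secrets,
            # "none" mirrors the cri-o case above: uploader present, no secrets added.
            "exposure": "review" if exposed else "none",
        }
    return report


# Constructed sample workflow: one job adds no secrets, one job does.
SAMPLE_WORKFLOW = """\
name: test
on: [push]
env:
  GO111MODULE: "on"
jobs:
  unit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - run: make test
      - name: Upload coverage
        run: bash <(curl -s https://codecov.io/bash) -f coverage.out
  publish:
    runs-on: ubuntu-latest
    env:
      REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
    steps:
      - run: make push
      - run: curl -s https://codecov.io/bash | bash
"""

if __name__ == "__main__":
    for job, info in triage_codecov_exposure(SAMPLE_WORKFLOW).items():
        print(f"{job}: exposure={info['exposure']} "
              f"secrets_in_job={info['secrets_in_job']} "
              f"workflow_env_secrets={info['secrets_in_workflow_env']}")
```

Run it against each workflow file under `.github/workflows/` for the period in which the modified uploader was live; jobs reported as `review` are the ones whose secrets should be rotated, while `none` matches the "does not add any secrets" conclusion in the statement. A workflow-level `env:` that references secrets taints every job, which is why it is reported separately.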