RHEL 8 shipped on 30 May 2022 an "rsyslog" security update (RHSA) with a fix for an "Important" CVE.

= RHSA-2022:4799 - Security Advisory
== https://access.redhat.com/errata/RHSA-2022:4799

= CVE-2022-24903
== https://access.redhat.com/security/cve/CVE-2022-24903

= RPM Errata
== https://errata.devel.redhat.com/advisory/95411

= Updated builds with fixes for CVE
== rsyslog-8.2102.0-7.el8_6.1

Three ODF 4.10 Container images are impacted by the CVE and need a re-spin to include the updated packages.

Being an "Important" CVE, the number of days to ship the Container images with fixes is 30 days after the fixes have been shipped in RHEL. So the mandatory due date to ship the ODF 4.10 Container images with updated packages is 30 June 2022, to prevent CHI scores (Health Score) from dropping to grade C.

= Impacted ODF 4.10 Container images (3)

== Ceph Container Storage Interface (odf4/cephcsi-rhel8)
=== https://catalog.redhat.com/software/containers/odf4/cephcsi-rhel8/61153a826e1e42ca4d6defe2

== Rook Ceph Operator (odf4/rook-ceph-rhel8-operator)
=== https://catalog.redhat.com/software/containers/odf4/rook-ceph-rhel8-operator/612546e7dece23122b7a7cac

== Multi-Cloud Object Gateway Core (odf4/mcg-core-rhel8)
=== https://catalog.redhat.com/software/containers/odf4/mcg-core-rhel8/61254a9cdece23122b7a7cad
OCP 4.10.17 and ODF 4.10.4 (quay.io/rhceph-dev/ocs-registry:4.10.4-1):

On the csi ceph container image and the rook ceph operator image, rsyslog is updated with the CVE fix.

csi-cephfsplugin
sh-4.4# rpm -qa|grep rsyslog
rsyslog-8.2102.0-7.el8_6.1.x86_64

rook-ceph-operator
sh-4.4$ rpm -qa|grep rsyslog
rsyslog-8.2102.0-7.el8_6.1.x86_64

Whereas on noobaa core/multicloud core operator, rsyslog is still showing the older version, i.e. "rsyslog-8.1911.0-7.el8_4.2.x86_64".

noobaa core
sh-4.4$ rpm -qa|grep rsyslog
rsyslog-8.1911.0-7.el8_4.2.x86_64
OCP 4.10.0-0.nightly-2022-06-08-150219 and ODF odf-operator.v4.10.4 (quay.io/rhceph-dev/ocs-registry:4.10.4-2):

Verified with the latest build and closing the bug.

csi-cephfsplugin-4x8w9
sh-4.4# rpm -qa|grep rsyslog
rsyslog-8.2102.0-7.el8_6.1.x86_64

noobaa core
sh-4.4$ rpm -qa|grep rsyslog
rsyslog-8.2102.0-7.el8_6.1.x86_64

rook-ceph-operator-5d8989f68c-7pl54
sh-4.4$ rpm -qa|grep rsyslog
rsyslog-8.2102.0-7.el8_6.1.x86_64
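Added example, not part of the original bug comments or any Red Hat tooling: the per-container check above, automated so that each reported `rpm -qa` line is compared against the fixed build rsyslog-8.2102.0-7.el8_6.1 instead of being read by eye. The helper names (`split_nvr`, `rpmvercmp`, `is_fixed`, `audit`) are hypothetical, and `rpmvercmp` is a simplified re-implementation that assumes no epoch, `~` or `^` in the version strings.

```python
import re

FIXED_BUILD = "rsyslog-8.2102.0-7.el8_6.1"   # fixed build named in the bug description
ARCH = re.compile(r"\.(x86_64|aarch64|ppc64le|s390x|i686|noarch)$")
SEGMENT = re.compile(r"\d+|[A-Za-z]+")

def split_nvr(pkg):
    """Split 'name-version-release[.arch]' as printed by `rpm -qa`."""
    name, version, release = ARCH.sub("", pkg.strip()).rsplit("-", 2)
    return name, version, release

def rpmvercmp(a, b):
    """Simplified rpm version compare (assumption: no epoch, '~' or '^')."""
    sa, sb = SEGMENT.findall(a), SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1      # numeric segment beats alphabetic
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def is_fixed(pkg, fixed=FIXED_BUILD):
    """True when pkg is the fixed build or newer."""
    name, ver, rel = split_nvr(pkg)
    fname, fver, frel = split_nvr(fixed)
    if name != fname:
        raise ValueError(f"{pkg!r} is not a {fname} package")
    return (rpmvercmp(ver, fver) or rpmvercmp(rel, frel)) >= 0

def audit(rpm_output):
    """Map container -> (rsyslog build, fixed?) from raw `rpm -qa` text.
    Assumption: a container without rsyslog maps to (None, True), nothing to patch."""
    report = {}
    for container, text in rpm_output.items():
        # Match the main package only, not subpackages such as rsyslog-gnutls.
        hits = [l.strip() for l in text.splitlines() if re.match(r"\s*rsyslog-\d", l)]
        report[container] = (hits[0], is_fixed(hits[0])) if hits else (None, True)
    return report

# Output lines as reported in the 4.10.4-1 verification comment on this page.
SAMPLE = {
    "csi-cephfsplugin": "rsyslog-8.2102.0-7.el8_6.1.x86_64",
    "rook-ceph-operator": "rsyslog-8.2102.0-7.el8_6.1.x86_64",
    "noobaa core": "rsyslog-8.1911.0-7.el8_4.2.x86_64",
}

if __name__ == "__main__":
    for container, (build, ok) in audit(SAMPLE).items():
        print(f"{container:20} {str(build):40} {'fixed' if ok else 'NEEDS RESPIN'}")
```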
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Red Hat OpenShift Data Foundation 4.10.4 Bug Fix Update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:5196