RHEL 8 shipped on 13 June 2022 an "xz" security update RHSA with a fix for an "Important" CVE

= RHSA-2022:4991 - Security Advisory
== https://access.redhat.com/errata/RHSA-2022:4991

= CVE-2022-1271
== https://access.redhat.com/security/cve/CVE-2022-1271

= RPM Errata
== https://errata.devel.redhat.com/advisory/96360

= Updated builds with fixes for CVE
== xz-5.2.4-4.el8_6

Sixteen ODF 4.10 Container images are impacted by the CVE, and need a re-spin to include the updated packages.

Being an "Important" CVE, the number of days to ship the Container images with fixes is 30 days after fixes have been shipped at RHEL. So the mandatory due date to ship the ODF 4.10 Container images with updated packages is 13 July 2022, to prevent CHI scores (Health Score) from dropping to grade C.

= Impacted ODF 4.9 Container images (16)

== OpenShift Data Foundation Console (odf4/odf-console-rhel8)
=== https://catalog.redhat.com/software/containers/odf4/odf-console-rhel8/612f5bad539c8cedbde1cd56

== OpenShift Data Foundation MultiCluster Operator (odf4/odf-multicluster-rhel8-operator)
=== https://catalog.redhat.com/software/containers/odf4/odf-multicluster-rhel8-operator/612ffcbc539c8cedbde1d179

== OpenShift Data Foundation Disaster Recovery Operator (odf4/odr-rhel8-operator)
=== https://catalog.redhat.com/software/containers/odf4/odr-rhel8-operator/612555acdece23122b7a7cae

== Volume Replication Operator (odf4/volume-replication-rhel8-operator)
=== https://catalog.redhat.com/software/containers/odf4/volume-replication-rhel8-operator/61254940bd674341b5c5f470

== Multi-Cloud Object Gateway Operator (odf4/mcg-rhel8-operator)
=== https://catalog.redhat.com/software/containers/odf4/mcg-rhel8-operator/61254b55bd674341b5c5f471

== Multi-Cloud Object Gateway Core (odf4/mcg-core-rhel8)
=== https://catalog.redhat.com/software/containers/odf4/mcg-core-rhel8/61254a9cdece23122b7a7cad

== OpenShift Data Foundation Must Gather (odf4/ocs-must-gather-rhel8)
=== https://catalog.redhat.com/software/containers/odf4/ocs-must-gather-rhel8/614cda2c69cb9f1af5ba6ad3

== Ceph Container Storage Interface (odf4/cephcsi-rhel8)
=== https://catalog.redhat.com/software/containers/odf4/cephcsi-rhel8/61153a826e1e42ca4d6defe2

== Rook Ceph Operator (odf4/rook-ceph-rhel8-operator)
=== https://catalog.redhat.com/software/containers/odf4/rook-ceph-rhel8-operator/612546e7dece23122b7a7cac

== OpenShift Container Storage Operator (odf4/ocs-rhel8-operator)
=== https://catalog.redhat.com/software/containers/odf4/ocs-rhel8-operator/612f4c2e7b37b351c172d00b

== OpenShift Data Foundation Operator (odf4/odf-rhel8-operator)
=== https://catalog.redhat.com/software/containers/odf4/odf-rhel8-operator/612535caeb34b73652493062

== OpenShift Data Foundation Container Storage Interface Addons Sidecar (odf4/odf-csi-addons-sidecar-rhel8)
=== https://catalog.redhat.com/software/containers/odf4/odf-csi-addons-sidecar-rhel8/61e14eab223cb93ac44f9e34

== OpenShift Data Foundation Container Storage Interface Addons Operator (odf4/odf-csi-addons-rhel8-operator)
=== https://catalog.redhat.com/software/containers/odf4/odf-csi-addons-rhel8-operator/61e14eaafb528ee347236b73

== OpenShift Data Foundation LVM Must Gather (odf4/odf-lvm-must-gather-rhel8)
=== https://catalog.redhat.com/software/containers/odf4/odf-lvm-must-gather-rhel8/61e6fb27acbf20746c2ed57a

== OpenShift Data Foundation TopoLVM (odf4/odf-topolvm-rhel8)
=== https://catalog.redhat.com/software/containers/odf4/odf-topolvm-rhel8/61d4aae39ea53314a92f88d9

== OpenShift Data Foundation LVM Operator (odf4/odf-lvm-rhel8-operator)
=== https://catalog.redhat.com/software/containers/odf4/odf-lvm-rhel8-operator/61c1f30917f914cd723307f4
OCP 4.10.17 and ODF 4.10.4 (quay.io/rhceph-dev/ocs-registry:4.10.4-1):
Verified on the operator images which were installed by default in open-shift storage.

odf console
sh-4.4$ rpm -qa|grep xz
xz-5.2.4-4.el8_6.x86_64

noobaa core
sh-4.4$ rpm -qa|grep xz
xz-libs-5.2.4-4.el8_6.x86_64

noobaa operator
sh-4.4$ rpm -qa|grep xz
xz-libs-5.2.4-4.el8_6.x86_64
sh-4.4$

ceph csi
sh-4.4# rpm -qa|grep xz
xz-libs-5.2.4-4.el8_6.x86_64

rook ceph operator
sh-4.4$ rpm -qa|grep xz
xz-libs-5.2.4-4.el8_6.x86_64

ocs-operator
sh-4.4$ rpm -qa|grep xz
xz-libs-5.2.4-4.el8_6.x86_64
OCP 4.10.17 and ODF 4.10.4 (quay.io/rhceph-dev/ocs-registry:4.10.4-2):
Verified on the operator images which were installed by default in open-shift storage.

odf-console
sh-4.4$ rpm -qa|grep xz
xz-5.2.4-4.el8_6.x86_64
xz-libs-5.2.4-4.el8_6.x86_64
sh-4.4$

noobaa core
h-4.4$ rpm -qa|grep xz
xz-libs-5.2.4-4.el8_6.x86_64
sh-4.4$

noobaa operator
sh-4.4$ rpm -qa|grep xz
xz-libs-5.2.4-4.el8_6.x86_64
sh-4.4$

ocs-operator
sh-4.4$ rpm -qa|grep xz
xz-libs-5.2.4-4.el8_6.x86_64

csi-cephfsplugin-5bvtz
sh-4.4# rpm -qa|grep xz
xz-libs-5.2.4-4.el8_6.x86_64
sh-4.4#

rook-ceph-operator-5d8989f68c-7pl54
sh-4.4$ rpm -qa|grep xz
xz-libs-5.2.4-4.el8_6.x86_64

must-gather-s5fqp-helper
sh-4.4$ rpm -qa|grep xz
xz-libs-5.2.4-4.el8_6.x86_64
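The per-container check in the verification comments above can be automated. This is an added example, not part of the bug report or of any Red Hat tooling: it takes captured "rpm -qa" output per container and reports every xz or xz-libs package older than the fixed build xz-5.2.4-4.el8_6. The sample input, the container name "constructed-old-image" and the simplified version comparison (no epoch, tilde or caret handling) are assumptions, as is treating xz-libs as carrying the same version-release as xz.

```python
import re

# Fixed build named in the report: xz-5.2.4-4.el8_6 (version, release)
FIXED = ("5.2.4", "4.el8_6")
PACKAGES = ("xz", "xz-libs")  # assumption: xz-libs shares xz's version-release

def vercmp(a, b):
    """Simplified rpmvercmp: compare digit runs and letter runs; -1, 0 or 1."""
    sa, sb = (re.findall(r"\d+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment beats alphabetic
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def parse_nvra(line):
    """Split name-version-release.arch; raises ValueError on other shapes."""
    nvr, arch = line.strip().rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release, arch

def is_fixed(version, release):
    c = vercmp(version, FIXED[0])
    return c > 0 or (c == 0 and vercmp(release, FIXED[1]) >= 0)

def audit(rpm_output_by_container):
    """Return {container: [xz packages older than the fixed build]}."""
    findings = {}
    for container, output in rpm_output_by_container.items():
        stale = []
        for line in output.split():
            try:
                name, version, release, _ = parse_nvra(line)
            except ValueError:
                continue  # e.g. gpg-pubkey entries without an arch suffix
            if name in PACKAGES and not is_fixed(version, release):
                stale.append(line)
        if stale:
            findings[container] = stale
    return findings

# Constructed sample: first entry mirrors the output above, second is made up.
SAMPLE = {
    "odf-console": "xz-5.2.4-4.el8_6.x86_64\nxz-libs-5.2.4-4.el8_6.x86_64",
    "constructed-old-image": "xz-libs-5.2.4-3.el8.x86_64\nbash-4.4.20-3.el8.x86_64",
}

if __name__ == "__main__":
    for container, stale in audit(SAMPLE).items():
        print(f"{container}: needs re-spin, found {', '.join(stale)}")
```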
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Red Hat OpenShift Data Foundation 4.10.4 Bug Fix Update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2022:5196