This bug was initially created as a copy of Bug #2104837 I am copying this bug because: In order to get the fix backported down to 4.10 I need to go through 4.12 and 4.11 Description of problem: Twistlock scan showed that openshift4/ose-operator-registry:v4.10 is vulnerable to following issues. Especially the containerd(github.com/containerd/containerd) is spotted vulnerable package and I believe the containerd version shipped is v1.4.11. Could you let me know what is the plan for fixing these vulnerabilities ? Thanks. List of Vulnerabilities: 1. CVE-2022-23648 A bug was found in containerd prior to versions 1.6.1, 1.5.10, and 1.14.12 Nvd link - https://nvd.nist.gov/vuln/detail/CVE-2022-23648 2. CVE-2021-32760 A bug was found in containerd versions prior to 1.4.8 and 1.5.4 Nvd link - https://nvd.nist.gov/vuln/detail/CVE-2021-32760 3. CVE-2022-31030 A bug was found in the containerd's CRI implementation where programs inside a container can cause the containerd daemon to consume memory without bound during invocation of the `ExecSync` API Ned link - https://nvd.nist.gov/vuln/detail/CVE-2022-31030 4. CVE-2021-41103 A bug was found in containerd that has been fixed in containerd 1.4.11 and containerd 1.5.7 Ned link - https://nvd.nist.gov/vuln/detail/CVE-2021-41103 5, CVE-2021-32760 A bug was found in containerd versions prior to 1.4.8 and 1.5.4 Nvd link - https://nvd.nist.gov/vuln/detail/CVE-2021-32760 Version-Release number of selected component (if applicable):v4.10 How reproducible: Running the twistlock scan on this image will show the vulnerability. Version-Release number of selected component (if applicable):
1, Create an OCP cluster with the fixed PR via cluster-bot mac:~ jianzhang$ oc get clusterversion NAME VERSION AVAILABLE PROGRESSING SINCE STATUS version 4.11.0-0.ci.test-2022-07-13-065224-ci-ln-k1jp0gk-latest True False 15m Cluster version is 4.11.0-0.ci.test-2022-07-13-065224-ci-ln-k1jp0gk-latest 2, Do a regression test. mac:~ jianzhang$ oc get pods -n openshift-marketplace NAME READY STATUS RESTARTS AGE 6518c26c328d59c33d7d6f89fe65ea07b7a25557afff7e96715335bed7zkz5x 0/1 Completed 0 72s 96696e0506a4eba64778179a5ae569ea7b881e9f37a48113754cba904dtgmfj 0/1 Completed 0 17s certified-operators-pt2pr 1/1 Running 0 46m community-operators-45vt4 1/1 Running 0 46m community-operators-v2ll5 0/1 Running 0 12s e8c9651078ae45ddb2807e3a07727d459b82d7def5572a7b7ccaae332bc4tdr 0/1 Completed 0 9m21s marketplace-operator-8c68d9b67-xwh2d 1/1 Running 1 (38m ago) 49m redhat-marketplace-hxgh8 1/1 Running 0 46m redhat-operators-8njvm 1/1 Running 0 46m No issue found for the containerd version updated, verify it.
pepegoncal We will need this fix on openshift4/ose-operator-registry:v4.10 please. Any ETA on fix please ?
@pegoncal I raised this bug to provide a fix for one-operator-registry:v4.10. Can you tell me what is ETA of it please ?
I'm sorry for the huge delay, but it's been merged a while ago =D https://bugzilla.redhat.com/show_bug.cgi?id=2118261
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.12.0 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:7399