Bug 2223935 - github.com/hashicorp/vault CVE on ocs-operator
Summary: github.com/hashicorp/vault CVE on ocs-operator
Keywords:
Status: MODIFIED
Alias: None
Product: Red Hat OpenShift Data Foundation
Classification: Red Hat Storage
Component: ocs-operator
Version: 4.10
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Malay Kumar parida
QA Contact: Elad
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2023-07-19 10:21 UTC by Gayathri Menath
Modified: 2023-08-09 17:00 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System: Github | ID: red-hat-storage ocs-operator pull 2113 | Private: 0 | Priority: None | Status: Merged | Summary: Update rook version to v1.12.0 | Last Updated: 2023-08-05 13:47:53 UTC

Description Gayathri Menath 2023-07-19 10:21:43 UTC
The CVEs listed below are reported against the github.com/hashicorp/vault library, and as ocs-operator is used by our module, we are getting the below CVEs. Please upgrade the Rook package to the newest version to avoid these CVEs.
CVE-2022-40186
CVE-2022-41316
CVE-2023-0620
CVE-2023-0665
CVE-2023-2121
CVE-2023-24999
CVE-2023-25000

Comment 3 Malay Kumar parida 2023-08-05 13:47:53 UTC
With the update to rook package version 1.12, which will be used in ODF 4.14, we have upgraded to v1.13.4 of the hashicorp/vault package.
Upon checking, I found version 1.13.4 free from all the CVEs mentioned above. Moving to Modified.

* Note for QE
This is just a package version upgrade; a regression run is good enough to mark it as verified.

