RHEL has shipped on 22 August 2023 "subscription-manager" security update RHSA with fix for "Important" CVE = RHSA-2023:4708 - Security Advisory == https://access.redhat.com/errata/RHSA-2023:4708 = RHSA-2023:4707 - Security Advisory == https://access.redhat.com/errata/RHSA-2023:4707 = RHSA-2023:4706 - Security Advisory == https://access.redhat.com/errata/RHSA-2023:4706 = RHSA-2023:4705 - Security Advisory == https://access.redhat.com/errata/RHSA-2023:4705 = CVE-2023-3899 == https://access.redhat.com/security/cve/CVE-2023-3899 = RPM Errata == https://errata.devel.redhat.com/advisory/118548 == https://errata.devel.redhat.com/advisory/118559 == https://errata.devel.redhat.com/advisory/118630 == https://errata.devel.redhat.com/advisory/118649 = Impacts multiple container images at ODF == Rook Ceph Operator (odf4/rook-ceph-rhel9-operator) == ODF MultiCluster Console (odf4/odf-multicluster-console-rhel9) == OpenShift Data Foundation Console (odf4/odf-console-rhel9) == Ceph Container Storage Interface (odf4/cephcsi-rhel9) == Multi-Cloud Object Gateway Core (odf4/mcg-core-rhel9) == ODF MultiCluster Console (odf4/odf-multicluster-console-rhel8) == OpenShift Data Foundation LVM Must Gather (odf4/odf-lvm-must-gather-rhel8) == OpenShift Data Foundation Must Gather (odf4/ocs-must-gather-rhel8) == OpenShift Data Foundation Console (odf4/odf-console-rhel8) == Multi-Cloud Object Gateway Core (odf4/mcg-core-rhel8) == Rook Ceph Operator (odf4/rook-ceph-rhel8-operator) == Ceph Container Storage Interface (odf4/cephcsi-rhel8) = Packages Impacted == python3-cloud-what == python3-subscription-manager-rhsm == subscription-manager == subscription-manager-rhsm-certificates == dnf-plugin-subscription-manager == python3-syspurpose Being "Important" CVE, the number of days to ship the Container images with fixes is 30 days after fixes have been shipped at RHEL. So the mandatory due date to ship the ODF 4.12 Container images with updated packages is 21 September 2023, to prevent CHI scores (Health Score) from dropping to grade C.
Containers having greater version of subscription-manager 1.29.26.2-2 is required, whereas with ODF 4.12.8 its still showing 1.28.36-3.el8_8.x86_64. Hence marking the bug as failedQA OCP version:4.12.0-0.nightly-2023-09-12-091728 ODF version:4.12.8 odf-console-6579d5869c-8wtsv: sh-4.4$ rpm -qa|grep subsc subscription-manager-1.28.36-3.el8_8.x86_64 subscription-manager-rhsm-certificates-1.28.36-3.el8_8.x86_64 python3-subscription-manager-rhsm-1.28.36-3.el8_8.x86_64 dnf-plugin-subscription-manager-1.28.36-3.el8_8.x86_64 sh-4.4$ csi-cephfsplugin-49gth sh-4.4# rpm -qa|grep sub subscription-manager-rhsm-certificates-1.28.29.1-2.el8_6.x86_64 dnf-plugin-subscription-manager-1.28.29.1-2.el8_6.x86_64 python3-subscription-manager-rhsm-1.28.29.1-2.el8_6.x86_64 subscription-manager-1.28.29.1-2.el8_6.x86_64 sh-4.4# noobaa-core-0 sh-4.4$ rpm -qa|grep subsc subscription-manager-1.28.36-3.el8_8.x86_64 subscription-manager-rhsm-certificates-1.28.36-3.el8_8.x86_64 python3-subscription-manager-rhsm-1.28.36-3.el8_8.x86_64 dnf-plugin-subscription-manager-1.28.36-3.el8_8.x86_64 sh-4.4$
ODF 4.12.8 is based on RHEL8. As per this bz https://bugzilla.redhat.com/show_bug.cgi?id=2225407, I see two security updates https://access.redhat.com/errata/RHSA-2023:4705(extended update support) and https://access.redhat.com/errata/RHSA-2023:4706 which points to the updated package version `1.28.29.1-2.el8_6.src.rpm` (eg, subscription-manager-1.28.29.1-2.el8_6.src.rpm). I see the correct version in the above list for RHEL8 based container images.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Red Hat OpenShift Data Foundation 4.12.8 Bug Fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2023:5377