
Bug 2273325

Summary: CVE Critical Issue in the ibm-ceph/snmp-notifier-rhel8 Image
Product: [Red Hat Storage] Red Hat Ceph Storage
Reporter: daniel parkes <dparkes>
Component: Ceph-Dashboard
Assignee: Nizamudeen <nia>
Status: CLOSED ERRATA
QA Contact: Vinayak Papnoi <vpapnoi>
Severity: urgent
Docs Contact: Anjana Suparna Sriram <asriram>
Priority: urgent
Version: 5.3
CC: amctagga, bkunal, ceph-eng-bugs, cephqe-warriors, dparkes, kdreyer, vpapnoi
Target Milestone: ---
Target Release: 5.3z7
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2024-06-26 09:22:47 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description daniel parkes 2024-04-04 08:11:00 UTC
Description of problem:

In 5.3 the snmp-notifier-rhel8 container image has critical CVEs

image: cp/ibm-ceph/snmp-notifier-rhel8:1.2.1-50
CVE: CVE-2023-29405,  CVE-2023-29404, CVE-2023-29402, CVE-2023-24540, CVE-2023-24538

Comments from Sage in BZ https://bugzilla.redhat.com/show_bug.cgi?id=2264170:

snmp notifier:
https://catalog.redhat.com/software/containers/rhceph/snmp-notifier-rhel9/62bf18703352dc93755025ec?q=snmp&architecture=amd64&image=65cf8270ae62e2039ff7ccd7&container-tabs=dockerfile
pulls in golang from openshift. uses openshift/golang-builder:rhel_8_golang_1.19

we need to ensure we're on 1.19.10 or later for openshift's golang-builder.


Creating this BZ so we have a specific BZ for fixing the snmp-notifier issue so it doesn't get mixed up with the Prometheus CVE issue.
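A defender-side check for the requirement stated in the report (the image's Go toolchain must be 1.19.10 or later), written here as an added example; it is not part of the bug report, the snmp-notifier image or the Ceph project. It reads the Go build information that the toolchain embeds in every compiled binary (via the standard library's debug/buildinfo package) and compares the recorded toolchain version numerically against a minimum. The numeric comparison matters: a plain string comparison ranks "go1.19.9" above "go1.19.10" and would wrongly pass a vulnerable build. The binary paths passed on the command line are assumed to be files extracted from the container image; no path inside the real image is claimed.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// GoVersion is a parsed Go toolchain version such as "go1.19.7".
type GoVersion struct {
	Major, Minor, Patch int
}

// ParseGoVersion parses toolchain strings like "go1.19.7", "go1.21" or
// "go1.22rc1". Pre-release suffixes (rc, beta) are treated as patch 0 of
// that minor, i.e. older than every released patch of the same minor.
func ParseGoVersion(s string) (GoVersion, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "go")
	for _, sep := range []string{"rc", "beta"} {
		if i := strings.Index(s, sep); i >= 0 {
			s = s[:i]
		}
	}
	parts := strings.Split(s, ".")
	if len(parts) < 2 || len(parts) > 3 {
		return GoVersion{}, fmt.Errorf("unrecognised Go version %q", s)
	}
	var nums [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return GoVersion{}, fmt.Errorf("bad component %q in Go version %q", p, s)
		}
		nums[i] = n
	}
	return GoVersion{Major: nums[0], Minor: nums[1], Patch: nums[2]}, nil
}

// AtLeast reports whether v is the same as or newer than w, comparing
// major, minor and patch as integers rather than as text.
func (v GoVersion) AtLeast(w GoVersion) bool {
	if v.Major != w.Major {
		return v.Major > w.Major
	}
	if v.Minor != w.Minor {
		return v.Minor > w.Minor
	}
	return v.Patch >= w.Patch
}

// MeetsMinimum compares two toolchain version strings, e.g.
// MeetsMinimum("go1.19.7", "go1.19.10") reports false.
func MeetsMinimum(have, min string) (bool, error) {
	h, err := ParseGoVersion(have)
	if err != nil {
		return false, err
	}
	m, err := ParseGoVersion(min)
	if err != nil {
		return false, err
	}
	return h.AtLeast(m), nil
}

// CheckBinary reads the build info embedded in a Go binary and reports the
// toolchain that built it and whether that toolchain meets the minimum.
// Non-Go binaries and unreadable files return an error.
func CheckBinary(path, min string) (string, bool, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", false, err
	}
	ok, err := MeetsMinimum(bi.GoVersion, min)
	return bi.GoVersion, ok, err
}

func main() {
	const minimum = "go1.19.10" // the floor named in the bug report
	exitCode := 0
	// Usage: go run check.go <binary extracted from the image> [...]
	for _, path := range os.Args[1:] {
		ver, ok, err := CheckBinary(path, minimum)
		switch {
		case err != nil:
			fmt.Printf("%s: cannot read Go build info: %v\n", path, err)
			exitCode = 2
		case ok:
			fmt.Printf("%s: built with %s (>= %s) OK\n", path, ver, minimum)
		default:
			fmt.Printf("%s: built with %s (< %s) NEEDS REBUILD\n", path, ver, minimum)
			exitCode = 1
		}
	}
	os.Exit(exitCode)
}
```

The same build information is what `go version -m <binary>` prints, so the check can be reproduced by hand; reading it from the artifact rather than from the builder image tag catches the case where the tag says 1.19 but the binary was actually produced by an older patch release.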

Comment 1 RHEL Program Management 2024-04-04 08:11:10 UTC
Please specify the severity of this bug. Severity is defined here:
https://bugzilla.redhat.com/page.cgi?id=fields.html#bug_severity.

Comment 11 errata-xmlrpc 2024-06-26 09:22:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: Updated rhceph-5.3 container image and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2024:4119