<div dir="ltr"><div class="gmail_default" style="font-family:tahoma,sans-serif">Hello Sokratis,</div><div class="gmail_default" style="font-family:tahoma,sans-serif"><br></div><div class="gmail_default" style="font-family:tahoma,sans-serif">Thank you very much for taking the time for the explanation. It helped a lot. I had a meeting with the customer yesterday. </div><div class="gmail_default" style="font-family:tahoma,sans-serif">It is still unclear why the RHEL8 repo has marked it as won't fix, but the CVE was fixed in eap7.</div><div class="gmail_default" style="font-family:tahoma,sans-serif"><br></div><div class="gmail_default" style="font-family:tahoma,sans-serif">The customer is going to open a support case.</div><div class="gmail_default" style="font-family:tahoma,sans-serif"><br></div><div class="gmail_default" style="font-family:tahoma,sans-serif">Thank you again,</div><div class="gmail_default" style="font-family:tahoma,sans-serif">  Stefan</div><div class="gmail_default" style="font-family:tahoma,sans-serif"><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Sep 30, 2021 at 1:47 AM Sokratis Zappis <<a href="mailto:szappis@redhat.com">szappis@redhat.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr"><div>Hello Stefan,</div><div><br></div></div><div><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Sep 28, 2021 at 1:13 PM Stefan Bergstein <<a href="mailto:stefan.bergstein@redhat.com" target="_blank">stefan.bergstein@redhat.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div style="font-family:tahoma,sans-serif"><span style="font-family:Arial,Helvetica,sans-serif">Hello Sokratis, hi Software Collections team,</span></div><div style="font-family:tahoma,sans-serif"><span style="font-family:Arial,Helvetica,sans-serif"><br></span></div><div style="font-family:tahoma,sans-serif"><span style="font-family:Arial,Helvetica,sans-serif">I am writing to you because you are listed as maintainer of the Apache HTTP 2.4 [Sokratis] and JBoss Web Server 5.5 (OpenJDK8) on UBI 8 [sclorg] images.</span></div><br>My customer Bosch raised a security issue about Red Hat Container images in the Red Hat Container Catalog [1].<br>In short, software packages in Red Hat Container images are not updated according to CVE recommendations and/or do not contain the required CVE information.<div><br></div><div>Two examples from the customer's SRE team:<br><br><b>Apache HTTP 2.4.x</b><br><br>The CVE-2021-36160 [2] describes that Apache HTTP Server versions 2.4.30 to 2.4.48 are impacted.<br>The current Red Hat Apache HTTP 2.4 image [3] (1-156, latest, 7 days old) contains httpd 2.4.37 and also does not indicate the CVE-2021-36160.<br><br><br><b>JBoss Web Server 5.5 (OpenJDK8) on UBI 8</b><br><br>The CVE-2021-29425 [4] describes that Apache Commons IO before 2.7 is impacted. The current JBoss Web Server 5.5 (OpenJDK8) on UBI 8 image [5] (1.0-51627017160, latest, 2 months old) still contains Apache-commons-io 2.6 and also does not indicate the CVE-2021-29425.<br><br>The customer's SRE team must respond to the Bosch CERT Advisory and is requesting the following information:<br><ol><li>In both examples, are the CVEs not fixed yet? </li></ol></div></div></blockquote><div>That is partly right. If you check 
<a href="https://access.redhat.com/security/cve/CVE-2021-36160" target="_blank">https://access.redhat.com/security/cve/CVE-2021-36160</a> you will see that 
no erratum is attached in the relevant column for any platform, which means that no RHSA 
has been released yet containing an rpm that addresses this CVE. For the second CVE <a href="https://access.redhat.com/security/cve/CVE-2021-29425" target="_blank">https://access.redhat.com/security/cve/CVE-2021-29425</a>, you will see that the RHEL8 and Software Collections have marked it as won't fix, so again you cannot expect an updated RPM from those channels to address it. In the case of the JWS containers, which I'm responsible for, we as a 
product are responsible for addressing CVEs in the scope of our own product 
(JWS), all the rest of the packages that are in the container are 
inherited/brought in by the software collections and the RHEL8 repos.</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div><ol><li>CVE-2021-36160 is moderate [6], but the Red Hat Container Catalog does not show any information. Is there any reason?</li></ol></div></div></blockquote><div>Since no erratum exists which releases an rpm that fixes certain CVE(s) for a package (httpd in this instance), the relevant containers which consume this package do not show up as affected, even though the package itself might be affected. The containers only appear affected by CVEs if RHSAs containing RPMs which fix those CVEs have already been released, and the container images have not yet consumed them to have the latest available RPM packages installed.<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div><ol><li>CVE-2021-29425 seems to be fixed for Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 but not for the JBoss Web Server 5.5 (OpenJDK8) on UBI 8 image, but the Red Hat Container Catalog does not show any information. Is there any reason?</li></ol></div></div></blockquote><div>If you check the relevant errata columns in <a href="https://access.redhat.com/security/cve/CVE-2021-29425" target="_blank">https://access.redhat.com/security/cve/CVE-2021-29425</a>, you will see that EAP has provided a fix in the following <a href="https://access.redhat.com/errata/RHSA-2021:3658" target="_blank">RHSA</a>, with the updated package being <b>eap7-apache-commons-io-2.10.0-1.redhat_00001.1.el8eap.noarch.rpm</b>. If you check the rpm contents of the container images though, you will notice that this package is not installed in the container image; this is why the CVE does not show up in the container catalog. 
You can check the installed packages of JWS and EAP in the following links: <a href="https://catalog.redhat.com/software/containers/jboss-webserver-5/webserver55-openjdk8-tomcat9-openshift-rhel8/603fac47dbb14c0b8248b380?container-tabs=packages" target="_blank">JWS 5.5 (OpenJDK8) on UBI 8</a> and <a href="https://catalog.redhat.com/software/containers/jboss-eap-7/eap74-openjdk11-openshift-rhel8/6054ceca93acb006e7349a98?container-tabs=packages" target="_blank">JBoss EAP 7.4 with OpenJDK11</a>. For JWS, we inherit the apache-commons package in our container image from the RHEL8 repo, which has marked it as won't fix, hence no RHSA is present there, so the container doesn't show as affected. My guess is that the same stands for the EAP container as well, but I'm adding <a class="gmail_plusreply" id="gmail-m_6629318130126647704m_-5021487254548693220plusReplyChip-0" href="mailto:kwills@redhat.com" target="_blank">@Ken Wills</a>, who is responsible for the EAP containers, to the thread to comment if needed.<br></div><div> <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div><span class="gmail_default" style="font-family:tahoma,sans-serif">Please also let me know if I misinterpreted the CVE data on the Red Hat Container Catalog.</span></div></div></blockquote><div><br></div><div>The bottom line is that for the containers' world, what we care about is the health index, which is calculated against the RPM contents of the container, and is affected only by Critical and Important CVEs as you can see <a href="https://access.redhat.com/articles/2803031" target="_blank">here</a>.</div><div><br></div><div>Cheers,</div><div>Sokratis<br></div><div> <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid 
rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div><span class="gmail_default" style="font-family:tahoma,sans-serif"><br></span></div><div><span class="gmail_default" style="font-family:tahoma,sans-serif">Thank you,</span></div><div><span class="gmail_default" style="font-family:tahoma,sans-serif">  Stefan</span></div><div><span class="gmail_default" style="font-family:tahoma,sans-serif"><br></span></div><div dir="ltr"><div dir="ltr"><p style="color:rgb(0,0,0);font-family:RedHatText,sans-serif;margin:0px;padding:0px;text-transform:capitalize"><br></p></div></div><div>[1] <a href="https://catalog.redhat.com/software/containers/search" target="_blank">https://catalog.redhat.com/software/containers/search</a></div><div>[2] <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36160" target="_blank">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36160</a><br>[3] <a href="https://catalog.redhat.com/software/containers/rhel8/httpd-24/5ba0addbbed8bd6ee819856a?container-tabs=security" target="_blank">https://catalog.redhat.com/software/containers/rhel8/httpd-24/5ba0addbbed8bd6ee819856a?container-tabs=security</a><br>[4] <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29425" target="_blank">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29425</a><br>[5] <a href="https://catalog.redhat.com/software/containers/rhel8/httpd-24/5ba0addbbed8bd6ee819856a?container-tabs=security" target="_blank">https://catalog.redhat.com/software/containers/rhel8/httpd-24/5ba0addbbed8bd6ee819856a?container-tabs=security</a><br><div style="font-family:tahoma,sans-serif"><span style="font-family:Arial,Helvetica,sans-serif">[6] <a href="https://access.redhat.com/security/cve/CVE-2021-36160" target="_blank">https://access.redhat.com/security/cve/CVE-2021-36160</a></span></div><div style="font-family:tahoma,sans-serif"><br></div></div></div>
</blockquote></div></div></div>
</blockquote></div>
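As an added illustration (not part of the thread, and not Red Hat's catalog code), the rule Sokratis describes modelled in Python: an image is flagged for a CVE only when an erratum ships a fixed RPM, that package is actually installed in the image, and the installed version-release is older than the fixed one; only Critical and Important findings then feed the health index. The installed-package data, the httpd erratum and the severity of CVE-2021-29425 are constructed for the example; the RHSA for eap7-apache-commons-io is the one named in the thread.

```python
import re

# Constructed sample data modelled on the thread (not real catalog data):
# installed RPMs of an image as name -> (version, release), and errata that
# ship a fixed RPM for a CVE. CVE-2021-36160 has no erratum at all, so it
# simply never appears in ERRATA; the httpd entry below is a made-up RHSA.
IMAGE_RPMS = {
    "httpd": ("2.4.37", "43.module+el8.5.0+1.1"),
    "apache-commons-io": ("2.6", "3.el8"),          # what JWS inherits from RHEL8
}
ERRATA = [
    # (advisory, cve, severity, package, fixed version, fixed release)
    ("RHSA-EXAMPLE-0001", "CVE-EXAMPLE-0001", "Important",
     "httpd", "2.4.37", "47.module+el8.5.0+1.1"),          # constructed
    ("RHSA-2021:3658", "CVE-2021-29425", "Moderate",       # severity assumed
     "eap7-apache-commons-io", "2.10.0", "1.redhat_00001.1.el8eap"),
]

def _segments(s):
    # rpmvercmp splits on non-alphanumerics into numeric and alphabetic runs
    return re.findall(r"\d+|[a-zA-Z]+", s)

def rpmvercmp(a, b):
    """-1/0/1 for RPM version or release strings (rpmvercmp rules, without ~ and ^)."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1    # numeric segment is newer than alpha
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def affected_by(installed, errata):
    """CVEs the catalog would flag: erratum exists, package installed, installed NVR older than the fix."""
    hits = []
    for advisory, cve, severity, pkg, ver, rel in errata:
        if pkg not in installed:
            continue   # eap7-apache-commons-io is not in the JWS image -> nothing shown
        iv, ir = installed[pkg]
        if rpmvercmp(iv, ver) < 0 or (rpmvercmp(iv, ver) == 0 and rpmvercmp(ir, rel) < 0):
            hits.append((cve, advisory, severity))
    return hits

def health_index_findings(hits):
    """Only Critical and Important findings count toward the health index."""
    return [h for h in hits if h[2] in ("Critical", "Important")]
```

Running `affected_by(IMAGE_RPMS, ERRATA)` flags only the constructed httpd erratum; the commons-io CVE stays invisible because the fixed package name is not installed, exactly the situation described for the JWS image.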