[scl.org] CVE Info of Red Hat Container images not correct (?)

Stefan Bergstein stefan.bergstein at redhat.com
Fri Oct 1 08:03:24 UTC 2021


Hello Sokratis,

thank you very much that you took the time for the explanation. It helped a
lot. I had a meeting with the customer yesterday.
It is still unclear why the RHEL8 repo marked it as won't fix, but the
CVE was fixed in eap7.

The customer is going to open a support case.

Thank you again,
  Stefan



On Thu, Sep 30, 2021 at 1:47 AM Sokratis Zappis <szappis at redhat.com> wrote:

> Hello Stefan,
>
> On Tue, Sep 28, 2021 at 1:13 PM Stefan Bergstein <
> stefan.bergstein at redhat.com> wrote:
>
>> Hello Sokratis, hi Software Collections team,
>>
>> I am writing to you because you are listed as maintainer of the Apache
>> HTTP 2.4 [Sokratis] and JBoss Web Server 5.5 (OpenJDK8) on UBI 8 [sclorg]
>> images.
>>
>> My customer Bosch raised a security issue about Red Hat Container images
>> in the Red Hat Container Catalog [1].
>> In short, software packages in Red Hat Container images are not updated
>> according to CVE recommendations and/or do not contain the required CVE
>> information.
>>
>> Two examples from the customer's SRE team:
>>
>> *Apache HTTP 2.4.x*
>>
>> The CVE-2021-36160 [2] describes that Apache HTTP Server versions 2.4.30
>> to 2.4.48 are impacted.
>> The current Red Hat Apache HTTP 2.4 image [3] (1-156, latest, 7 days old)
>> contains httpd 2.4.37 and also does not indicate CVE-2021-36160.
>>
>>
>> *JBoss Web Server 5.5 (OpenJDK8) on UBI 8*
>>
>> The CVE-2021-29425 [4] describes that Apache Commons IO before 2.7 is
>> impacted. The current JBoss Web Server 5.5 (OpenJDK8) on UBI 8 image [5]
>> (1.0-51627017160, latest, 2 months old) still contains Apache-commons-io 2.6
>> and also does not indicate CVE-2021-29425.
>>
>> The customer's SRE team must respond to the Bosch CERT Advisory and is
>> requesting the following information:
>>
>>    1. In both examples, are the CVEs not fixed yet?
>>
> That is partly right. If you check
> https://access.redhat.com/security/cve/CVE-2021-36160 you will see that
> no erratum is attached in the relevant column for any platform, which means
> that no RHSA has been released yet containing an rpm that addresses this
> CVE. For the second CVE
> https://access.redhat.com/security/cve/CVE-2021-29425 , you will see that
> the RHEL8 and Software collections have marked it as won't fix, so
> again you cannot expect an updated RPM from those channels coming to
> address it. In the case of the JWS containers which I'm responsible for, we
> as a product are responsible for addressing CVEs in the scope of our own
> product (JWS); all the rest of the packages that are in the container are
> inherited/brought in by the software collections and the RHEL8 repos.
>
>>
>>    2. CVE-2021-36160 is moderate [6], but the Red Hat Container Catalog
>>    does not show any information. Is there any reason?
>>
> Since no erratum exists which releases an rpm that fixes certain CVE(s)
> for a package (httpd in this instance), the relevant containers which
> consume this package do not show up as affected, even though the package
> itself might be affected. The containers only appear affected to CVEs, if
> RHSAs containing RPMs which fix those CVEs have already been released, and
> the container images have not yet consumed them to have the latest
> available RPM packages installed.
>
>>
>>    3. CVE-2021-29425 seems to be fixed for Red Hat JBoss Enterprise
>>    Application Platform 7.4 for RHEL 8 but not for the JBoss Web Server 5.5
>>    (OpenJDK8) on UBI 8 image, but the Red Hat Container Catalog does not show
>>    any information. Is there any reason?
>>
> If you check the relevant errata columns in
> https://access.redhat.com/security/cve/CVE-2021-29425, you will see that
> EAP has provided a fix on the following RHSA
> <https://access.redhat.com/errata/RHSA-2021:3658>, with the updated
> package being eap7-apache-commons-io-2.10.0-1.redhat_00001.1.el8eap.noarch.rpm.
> If you check the rpm contents of the container images though, you will
> notice that this package is not installed in the container image, which is
> why the CVE does not show up in the container catalog. You can check the
> installed packages of JWS and EAP in the following links: JWS 5.5
> (OpenJDK8) on UBI 8
> <https://catalog.redhat.com/software/containers/jboss-webserver-5/webserver55-openjdk8-tomcat9-openshift-rhel8/603fac47dbb14c0b8248b380?container-tabs=packages>
> and JBoss EAP 7.4 with OpenJDK11
> <https://catalog.redhat.com/software/containers/jboss-eap-7/eap74-openjdk11-openshift-rhel8/6054ceca93acb006e7349a98?container-tabs=packages>
> . For JWS, we inherit the apache-commons package in our container image
> from the RHEL8 repo which has marked it as won't fix, hence no RHSA present
> there, so the container doesn't show as affected. My guess is that the same
> stands for the EAP container as well, but I'm adding @Ken Wills
> <kwills at redhat.com> who is responsible for the EAP containers to the
> thread to comment if needed.
>
>> Please let me also know when I misinterpreted the CVE data on the Red Hat
>> Container Catalog.
>>
>
> The bottom line is that for the containers' world, what we care about is
> the health index, which is calculated against the RPM contents of the
> container, and is affected only by Critical and Important CVEs as you can
> see here <https://access.redhat.com/articles/2803031> .
>
> Cheers,
> Sokratis
>
>
>> Thank you,
>>   Stefan
>>
>>
>> [1] https://catalog.redhat.com/software/containers/search
>> [2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36160
>> [3]
>> https://catalog.redhat.com/software/containers/rhel8/httpd-24/5ba0addbbed8bd6ee819856a?container-tabs=security
>> [4] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29425
>> [5]
>> https://catalog.redhat.com/software/containers/rhel8/httpd-24/5ba0addbbed8bd6ee819856a?container-tabs=security
>> [6] https://access.redhat.com/security/cve/CVE-2021-36160
>>
>>
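An added example, not code from the thread or from Red Hat, that encodes the catalog rule Sokratis describes (a container is listed as affected only when an RHSA ships a fixed RPM the image has not yet consumed; the health index counts only Critical and Important CVEs) and reports the gap a defender actually cares about: packages the image carries for which no fix has shipped, which the catalog leaves silent. The CVE records are constructed samples shaped after the per-CVE JSON of the Red Hat Security Data API (field names assumed), and the installed version-release strings are illustrative.

```python
import re

# Constructed sample records (not live data), shaped after the per-CVE JSON of the
# Red Hat Security Data API ('affected_release', 'package_state'; field names are
# an assumption). They mirror the two cases discussed in the thread.
CVE_RECORDS = {
    "CVE-2021-36160": {  # httpd: no erratum on any platform yet
        "threat_severity": "Moderate", "affected_release": [],
        "package_state": [{"product_name": "Red Hat Enterprise Linux 8",
                           "package_name": "httpd:2.4/httpd", "fix_state": "Affected"}]},
    "CVE-2021-29425": {  # commons-io: RHSA for EAP 7.4, "won't fix" in RHEL 8
        "threat_severity": "Moderate",
        "affected_release": [{"product_name": "Red Hat JBoss EAP 7.4 for RHEL 8",
                              "advisory": "RHSA-2021:3658",
                              "package": "eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap"}],
        "package_state": [{"product_name": "Red Hat Enterprise Linux 8",
                           "package_name": "apache-commons-io", "fix_state": "Will not fix"}]},
}
NEVR = re.compile(r"^(?P<name>.+)-(?:\d+:)?(?P<vr>[^-]+-[^-]+)$")

def split_nevr(nevr):
    """'eap7-x-0:2.10.0-1.el8eap' -> ('eap7-x', '2.10.0-1.el8eap'); epoch dropped."""
    m = NEVR.match(nevr)
    return m["name"], m["vr"]

def assess(cve_id, installed):
    """installed: {rpm name: 'version-release'} from the image's packages tab.
    Applies the catalog rule from the thread and reports what it would miss."""
    rec = CVE_RECORDS[cve_id]
    flagged, flagged_names = [], set()
    for rel in rec["affected_release"]:
        name, fixed_vr = split_nevr(rel["package"])
        # Catalog lists the CVE only if an RHSA ships a fix for a package the image
        # carries and the image has not yet consumed that build (plain string compare
        # here; a real check would use RPM version ordering).
        if rel.get("advisory") and name in installed and installed[name] != fixed_vr:
            flagged.append(rel["advisory"])
            flagged_names.add(name)
    # Packages present with no fix shipped (Affected / Will not fix): the catalog
    # stays silent, yet the image still carries the vulnerable upstream version.
    silent = sorted(st["package_name"].split("/")[-1] for st in rec["package_state"]
                    if st["package_name"].split("/")[-1] in installed
                    and st["package_name"].split("/")[-1] not in flagged_names
                    and st["fix_state"] in ("Affected", "Will not fix", "Fix deferred"))
    # Health index counts only Critical/Important CVEs that the catalog lists.
    return {"catalog_shows": bool(flagged), "advisories": flagged,
            "present_but_unflagged": silent, "in_health_index": bool(flagged)
            and rec["threat_severity"] in ("Critical", "Important")}

# Constructed package lists (version-release strings illustrative, not real builds).
JWS_IMAGE = {"httpd": "2.4.37-39.el8", "apache-commons-io": "2.6-3.el8"}
EAP_IMAGE_STALE = {"eap7-apache-commons-io": "2.6-1.el8eap"}
```

Running `assess` for both CVEs against `JWS_IMAGE` reproduces the thread's observation: nothing is flagged, yet httpd and apache-commons-io are both present and unfixed.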