[scl.org] CVE Info of Red Hat Container images not correct (?)

Stefan Bergstein stefan.bergstein at redhat.com
Tue Sep 28 10:12:55 UTC 2021


Hello Sokratis, hi Software Collections team,

I am writing to you because you are listed as maintainer of the Apache HTTP
2.4 [Sokratis] and JBoss Web Server 5.5 (OpenJDK8) on UBI 8 [sclorg] images.

My customer Bosch raised a security issue about Red Hat Container images in
the Red Hat Container Catalog [1].
In short, software packages in Red Hat Container images are not updated
according to CVE recommendations and/or do not contain the required CVE
information.

Two examples from the customer's SRE team:

*Apache HTTP 2.4.x*

CVE-2021-36160 [2] describes that Apache HTTP Server versions 2.4.30 to
2.4.48 are impacted.
The current Red Hat Apache HTTP 2.4 image [3] (1-156, latest, 7 days old)
contains httpd 2.4.37 and also does not indicate CVE-2021-36160.


*JBoss Web Server 5.5 (OpenJDK8) on UBI 8*

CVE-2021-29425 [4] describes that Apache Commons IO before 2.7 is
impacted. The current JBoss Web Server 5.5 (OpenJDK8) on UBI 8 image [5]
(1.0-51627017160, latest, 2 months old) still contains Apache-commons-io 2.6
and also does not indicate CVE-2021-29425.

The customer's SRE team must respond to the Bosch CERT Advisory and is
requesting the following information:

   1. In both examples, are the CVEs not fixed yet?
   2. CVE-2021-36160 is moderate [6], but the Red Hat Container Catalog
   does not show any information. Is there any reason?
   3. CVE-2021-29425 seems to be fixed for Red Hat JBoss Enterprise
   Application Platform 7.4 for RHEL 8 but not for the JBoss Web Server 5.5
   (OpenJDK8) on UBI 8 image, and the Red Hat Container Catalog does not show
   any information. Is there any reason?

Please also let me know if I have misinterpreted the CVE data on the Red Hat
Container Catalog.

Thank you,
  Stefan


[1] https://catalog.redhat.com/software/containers/search
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36160
[3] https://catalog.redhat.com/software/containers/rhel8/httpd-24/5ba0addbbed8bd6ee819856a?container-tabs=security
[4] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29425
[5] https://catalog.redhat.com/software/containers/rhel8/httpd-24/5ba0addbbed8bd6ee819856a?container-tabs=security
[6] https://access.redhat.com/security/cve/CVE-2021-36160