What did you do?
Scanning the Docker image with Clair Scan, I receive High Vulnerabilities
What did you expect to see?
No Vulnerabilities
What did you see instead? Under which circumstances?
[
{
"cve_link":"https://access.redhat.com/errata/RHSA-2019:0679",
"installed_version":"1.4.3-12.el7",
"cve_severity_nr":4,
"cve_fixed_version":"0:1.4.3-12.el7_6.2",
"cve_desc":"The libssh2 packages provide a library that implements the SSH2 protocol. Security Fix(es): * libssh2: Integer overflow in transport read resulting in out of bounds write (CVE-2019-3855) * libssh2: Integer overflow in keyboard interactive handling resulting in out of bounds write (CVE-2019-3856) * libssh2: Integer overflow in SSH packet processing channel resulting in out of bounds write (CVE-2019-3857) * libssh2: Integer overflow in user authenticate keyboard interactive allows out-of-bounds writes (CVE-2019-3863) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"cve_name":"RHSA-2019:0679",
"namespace_name":"centos:7",
"package_name":"libssh2",
"cve_severity":"High"
},
{
"cve_link":"https://access.redhat.com/errata/RHSA-2019:0483",
"installed_version":"1:1.0.2k-16.el7",
"cve_severity_nr":3,
"cve_fixed_version":"1:1.0.2k-16.el7_6.1",
"cve_desc":"OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library. Security Fix(es): * openssl: Side-channel vulnerability on SMT/Hyper-Threading architectures (PortSmash) (CVE-2018-5407) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * Perform the RSA signature self-tests with SHA-256 (BZ#1673914)",
"cve_name":"RHSA-2019:0483",
"namespace_name":"centos:7",
"package_name":"openssl-libs",
"cve_severity":"Medium"
}
]
Environment
operator-sdk version:
operator-sdk version v0.5.0+git
Additional context
Dockerfile base image:
FROM registry.access.redhat.com/ubi7-dev-preview/ubi-minimal:7.6
marcomancuso changed the title from "Operator docker Image contains Vulnerabilities" to "Operator Docker Image contains vulnerabilities" on Apr 5, 2019
@marcomancuso Thanks for reporting this. We're following up on this with the folks responsible for maintaining the RHEL universal base image and will hopefully have an update on this soon.