How do I map a RHEL CVE fix to RHCOS and RHOCP?

Solution Verified - Updated

Environment

  • Red Hat OpenShift Container Platform (RHOCP)
    • 4

Issue

  • What is the process of mapping a RHEL CVE to the respective RHCOS / RHOCP version?
  • I see a CVE for a package in RHEL. How do I know if it is fixed in RHCOS/RHOCP?

Resolution

The CVE page of a RHEL package may not list Red Hat OpenShift Container Platform (RHOCP) as an impacted product. However, RHOCP may still be impacted indirectly if the affected package is used by RHCOS or RHOCP.

Follow the process below to identify which RHEL package version carries the fix, and then which RHCOS/RHOCP version contains that fixed package.

1. Get the fixed RPM version

  • Consider CVE-2022-0778. In this CVE, a flaw was found in the openssl package.

  • The openssl package is part of RHEL and only an indirect part of RHOCP. Hence RHOCP may NOT be listed under the affected products.

  • However, since RHOCP is based on RHCOS, which is in turn based on RHEL, RHOCP is indirectly affected by this vulnerability as well.

  • In such cases, the fix is always shipped via RHEL security advisories and not via RHOCP advisories.

  • Take OCP 4.8 as an example for this CVE. How can we know which OCP 4.8 release will contain the fixed openssl package?

  • First, map the RHCOS / RHOCP version in question (in this case 4.8) to the specific RHEL version it is based on, using knowledge base article #6907891.

  • From that knowledge base article, it is clear that RHOCP 4.8 is based on RHEL 8.4. Now, let's find the version of the fixed RPM in RHEL 8.4.

  • Checking the openssl CVE page again, the errata for RHEL 8.4 is shipped via RHSA-2022:1071 and the fixed openssl package is openssl-1.1.1g-16.el8_4.x86_64.

2. Which RHOCP minor version contains the fixed package

This section is based on the commands in the KCS article "Obtaining package list for RHEL CoreOS or specific image". We will use those commands to find out which RHCOS image in RHOCP 4.8 contains the fixed openssl package.

  • As RHOCP cluster admin, check the current RHOCP cluster version:
  # oc version | grep -i server
  Server Version: 4.8.35
  • This means the cluster is on the OpenShift 4.8 stream, release 4.8.35.
  • Obtain the sha256 digest of the machine-os-content container image, which carries the details of the corresponding RHCOS release:
  # oc adm release info 4.8.35 | grep machine-os-content
  machine-os-content   sha256:8e3f03baa3a1f15cf2f1e45d75c0f124f05ce2e1f1fc2a90535b888bf7bf1412
  • As RHOCP cluster admin, use the cluster pull secret to check the RPM packages bundled in the RHCOS image used by the OpenShift cluster nodes.
  • Either SSH to or `oc debug` any RHOCP node, then read the package list of the RHCOS release corresponding to OCP 4.8.35, identified by the sha256 digest obtained in the previous step, and filter it for openssl:
  # podman run --rm --authfile /var/lib/kubelet/config.json -it --entrypoint /bin/cat quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8e3f03baa3a1f15cf2f1e45d75c0f124f05ce2e1f1fc2a90535b888bf7bf1412 /pkglist.txt | grep openssl
  • The output is the list of openssl-related RPM packages in the RHCOS image of OCP 4.8.35. That list will contain: openssl-1:1.1.1g-15.el8_3.x86_64.
  • Compare this version with the patched RHEL version found in the earlier steps to confirm whether the installed openssl package is vulnerable. In this example, OpenShift 4.8.35 still ships a vulnerable openssl package (openssl-1:1.1.1g-15.el8_3.x86_64, while the patched version is openssl-1.1.1g-16.el8_4.x86_64).
  • To check newer OpenShift releases of the 4.8 stream and find the one with the fixed openssl package, repeat the steps above for another release, for example 4.8.36:
  # oc adm release info 4.8.36  | grep machine-os-content
  # podman run --rm --authfile .dockerconfigjson -it --entrypoint /bin/cat quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:a768dca45d8eabd3495d8454c231a4e167cb1bf1372b7c387718efef781f814e /pkglist.txt | grep openssl
  • If the output contains openssl-1.1.1g-16.el8_4.x86_64, the RHCOS image used in OpenShift 4.8.36 already contains the patched openssl package. It is also possible that this release does not yet contain the fixed package, in which case repeat the process for later releases.
  • The method above lists all packages in the image. A single package can also be checked directly on a node with:
  # rpm -qa | grep -i <package-name>
  # rpm -qa | grep -i openssl
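The comparison in step 2 is easy to get wrong by eye: the installed NEVRA carries an epoch (openssl-1:1.1.1g-15.el8_3) while the advisory quotes the fixed package without one, and release strings such as 15.el8_3 vs 16.el8_4 must be ordered the way RPM orders them, not as plain text. The following added example (not part of this Red Hat article) reimplements RPM's label comparison (rpmvercmp) in Python, parses the lines that `cat /pkglist.txt | grep openssl` returns, and reports whether each matching package is older than the fixed version. The two package lists are constructed samples, not real image contents; the fixed NEVRA is the one quoted above from RHSA-2022:1071.

```python
"""Added example: decide whether the openssl RPM in an RHCOS /pkglist.txt is older
than the fixed RPM named in the RHEL advisory, using RPM's own version ordering."""
import re
from typing import NamedTuple, Optional

# Fixed package from RHSA-2022:1071 as quoted on the page (the advisory omits the epoch).
FIXED_OPENSSL = "openssl-1.1.1g-16.el8_4.x86_64"

# Constructed samples of `... /pkglist.txt | grep openssl` output (not real image data).
PKGLIST_4_8_35 = """\
openssl-1:1.1.1g-15.el8_3.x86_64
openssl-libs-1:1.1.1g-15.el8_3.x86_64
openssl-pkcs11-0.4.10-2.el8.x86_64
"""
PKGLIST_4_8_36 = """\
openssl-1:1.1.1g-16.el8_4.x86_64
openssl-libs-1:1.1.1g-16.el8_4.x86_64
openssl-pkcs11-0.4.10-2.el8.x86_64
"""


class Nevra(NamedTuple):
    name: str
    epoch: Optional[int]  # None when the string has no "E:" prefix
    version: str
    release: str
    arch: str


def parse_nevra(s: str) -> Nevra:
    """Split 'name-[E:]version-release.arch' from the right so '-' in names survives."""
    rest, arch = s.rsplit(".", 1)
    rest, release = rest.rsplit("-", 1)
    name, version = rest.rsplit("-", 1)
    epoch = None
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    return Nevra(name, epoch, version, release, arch)


def rpmvercmp(a: str, b: str) -> int:
    """RPM label comparison: returns -1, 0 or 1 like rpmvercmp() in librpm."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Anything that is not alphanumeric, '~' or '^' is a separator and is skipped.
        while i < len(a) and not (a[i].isalnum() or a[i] in "~^"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        ta = a[i] if i < len(a) else ""
        tb = b[j] if j < len(b) else ""
        if ta == "~" or tb == "~":  # tilde sorts before everything, even end of string
            if ta != "~":
                return 1
            if tb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if ta == "^" or tb == "^":  # caret: like tilde, but end of string sorts lower
            if ta == "":
                return -1
            if tb == "":
                return 1
            if ta != "^":
                return 1
            if tb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if ta == "" or tb == "":
            break
        isnum = ta.isdigit()
        pat = r"\d+" if isnum else r"[A-Za-z]+"
        sa = re.match(pat, a[i:]).group(0)
        mb = re.match(pat, b[j:])
        if mb is None:  # segments of different type: numeric is newer than alphabetic
            return 1 if isnum else -1
        sb = mb.group(0)
        i, j = i + len(sa), j + len(sb)
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def compare_evr(installed: Nevra, fixed: Nevra) -> int:
    """Negative when installed is older than fixed; epoch counts only if both sides have one."""
    if installed.epoch is not None and fixed.epoch is not None and installed.epoch != fixed.epoch:
        return -1 if installed.epoch < fixed.epoch else 1
    rc = rpmvercmp(installed.version, fixed.version)
    return rc if rc != 0 else rpmvercmp(installed.release, fixed.release)


def check_pkglist(pkglist: str, fixed_nevra: str) -> dict:
    """Map each installed NEVRA with the same package name to 'fixed' or 'vulnerable'.
    Only the exact name is matched; subpackages (e.g. openssl-libs) are checked by
    passing their own fixed NEVRA from the advisory."""
    fixed = parse_nevra(fixed_nevra)
    verdicts = {}
    for line in filter(None, (l.strip() for l in pkglist.splitlines())):
        pkg = parse_nevra(line)
        if pkg.name == fixed.name:
            verdicts[line] = "fixed" if compare_evr(pkg, fixed) >= 0 else "vulnerable"
    return verdicts


if __name__ == "__main__":
    for release, pkglist in (("4.8.35", PKGLIST_4_8_35), ("4.8.36", PKGLIST_4_8_36)):
        for nevra, verdict in check_pkglist(pkglist, FIXED_OPENSSL).items():
            print(f"OCP {release}: {nevra} -> {verdict}")
```

In practice, replace the constructed package lists with the output of the podman command for each release digest; a "vulnerable" verdict for a release means moving on to the next one, exactly as the procedure above describes. Treating a missing epoch as unknown rather than as 0 is deliberate: comparing the advisory's epoch-less string as epoch 0 against the installed 1: package would wrongly report the installed package as newer.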

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.