Fix Readme
Abstract
The test fix for issue CVE-2022-42889 consists of 2 updated images (v3-policy-processor and noi-alert-trigger-service) and exists in the IBM Entitled Registry.
Content
This test fix applies to NOI 1.6.8
To patch an existing Netcool Operations Insight instance:
(1) Create backup of CustomResource:
• Go to the Red Hat OpenShift console (with admin privilege) and from the sidebar menu, navigate to Operators->Installed Operators and look for ‘IBM Cloud Pak for Watson AIOps Event Manager’. The ‘Details’ tab shows the different CustomResourceDefinitions in the ‘Provided APIs’ section.
• Click on the ‘All Instances’ tab to show the list of instances (typically a single instance is shown). The ‘Name’ column shows the instance name and the ‘Kind’ column shows the CustomResource Kind.
• Click on the instance link and then the YAML tab. Copy the entire YAML content to a file as backup.
Note:
• The instance name is required for step (3).
• A CustomResource (created from a CustomResourceDefinition) has a singular and a plural name. For example, the CustomResource ‘NOIHybrid’ has the singular name ‘noihybrid’ while its plural name is ‘noihybrids’.
• The CustomResource Kind lowercase value is required for step (3).
(2) Airgap install only, otherwise skip to Step (3).
• Create an images.csv file with the following images only.
registry,image_name,tag,digest,mtype,os,arch,variant,insecure,digest_source,image_type,groups
cp.icr.io,cp/noi/v3-policy-processor,0.5.49-HF-CVE-2022-42889,sha256:abf3fbd4068765bb84b19d3d03261ab5d09f1fc52225c52e79d909d0e4dbc039,IMAGE,linux,amd64,"",0,CASE,"",""
cp.icr.io,cp/noi/noi-alert-trigger-service,18.0.36-HF-CVE-2022-42889,sha256:c070992c2617d98985bb2cae63509c4854c505c652c64b66d11f50d6bf84eaf9,IMAGE,linux,amd64,"",0,CASE,"",""
patch.yaml
.
spec:
  helmValuesNOI:
    ibm-hdm-analytics-dev.postinsertprocessor.image.digest: sha256:abf3fbd4068765bb84b19d3d03261ab5d09f1fc52225c52e79d909d0e4dbc039
    ibm-hdm-analytics-dev.postinsertprocessor.image.name: cp/noi/v3-policy-processor
    ibm-hdm-analytics-dev.postinsertprocessor.image.tag: 0.5.49-HF-CVE-2022-42889
    alerttriggerservice.image.digest: sha256:c070992c2617d98985bb2cae63509c4854c505c652c64b66d11f50d6bf84eaf9
    alerttriggerservice.image.name: cp/noi/noi-alert-trigger-service
    alerttriggerservice.image.tag: 18.0.36-HF-CVE-2022-42889
NAMESPACE and NAME are the namespace and name of the Netcool Operations Insight instance.
oc patch <SINGULAR NAME OF CR> -n <NAMESPACE> <INSTANCE NAME OF CR> --type=merge --patch-file <PATCH FILE>
where:
<SINGULAR NAME OF CR>: Refer to Step (1).
<NAMESPACE>: The namespace used by the operator/project, e.g. 'noi-on-ocp'.
<INSTANCE NAME OF CR>: The name of the Operand (instance of the CustomResource). Refer to Step (1).
e.g.
oc patch noihybrid -n noi-on-ocp hybrid-424 --type=merge --patch-file patch.yaml
(5) After 30 to 60 seconds, check that the ibm-hdm-analytics-dev-v3-evt-pi-processor and alert-trigger-service-alerttriggerservice pods were restarted and the old ones terminated.
oc get pods | grep alert-trigger-service-alerttriggerservice
oc get pods | grep ibm-hdm-analytics-dev-v3-evt-pi-processor
To verify whether the patch is successfully applied, run the following command:
oc describe pod <pod name> | grep <sha256 digest>
where:
<pod name> is the name of the observer pod after it has restarted
<sha256 digest> is the SHA256 digest in the content of ‘patch.yaml’ in step (2)
e.g.
oc describe pod noi-7990-alert-trigger-service-alerttriggerservice-bb8b9bb45-8qfk6 | grep sha256:c070992c2617d98985bb2cae63509c4854c505c652c64b66d11f50d6bf84eaf9
The output of the command displays lines similar to the following:
...
...
Image: cp.icr.io/cp/noi/noi-alert-trigger-service@sha256:c070992c2617d98985bb2cae63509c4854c505c652c64b66d11f50d6bf84eaf9
...
...
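The check in step (5), extended to cover both pinned digests in one pass, as an added example that is not part of IBM's readme. The function names are hypothetical, and the processor pod name and all-zero digest in the demo are constructed.

```shell
#!/bin/sh
# Added example, not IBM's tooling: confirm that every digest pinned in
# patch.yaml is running, instead of grepping one pod at a time.

# Print the unique sha256 digests set by *.image.digest keys in a patch file.
expected_digests() {
  grep -E '\.image\.digest:' "$1" | grep -oE 'sha256:[0-9a-f]{64}' | sort -u
}

# Read "<pod> <imageID>" lines on stdin and print OK/MISSING per pinned digest.
# Returns 0 only when every pinned digest is found in a running image reference.
check_digests() {
  listing=$(cat)
  missing=0
  for d in $(expected_digests "$1"); do
    if printf '%s\n' "$listing" | grep -qF "@$d"; then
      echo "OK      $d"
    else
      echo "MISSING $d"
      missing=1
    fi
  done
  return "$missing"
}

# Live use against a cluster:
#   oc get pods -n <NAMESPACE> -o jsonpath='{range .items[*]}{.metadata.name}{" "}{.status.containerStatuses[*].imageID}{"\n"}{end}' | check_digests patch.yaml

# Offline demo on constructed input: the trigger service has rolled over, the
# processor pod (constructed name and all-zero digest) still runs an old image.
demo() {
  patch=$(mktemp)
  cat > "$patch" <<'EOF'
spec:
  helmValuesNOI:
    ibm-hdm-analytics-dev.postinsertprocessor.image.digest: sha256:abf3fbd4068765bb84b19d3d03261ab5d09f1fc52225c52e79d909d0e4dbc039
    alerttriggerservice.image.digest: sha256:c070992c2617d98985bb2cae63509c4854c505c652c64b66d11f50d6bf84eaf9
EOF
  check_digests "$patch" <<'EOF'
noi-7990-alert-trigger-service-alerttriggerservice-bb8b9bb45-8qfk6 cp.icr.io/cp/noi/noi-alert-trigger-service@sha256:c070992c2617d98985bb2cae63509c4854c505c652c64b66d11f50d6bf84eaf9
example-v3-evt-pi-processor-0 cp.icr.io/cp/noi/v3-policy-processor@sha256:0000000000000000000000000000000000000000000000000000000000000000
EOF
  rc=$?
  rm -f "$patch"
  return "$rc"
}
demo || echo "patch not fully rolled out"
```

A non-zero return means at least one patched image is not yet running, which also catches a rollout where only one of the two deployments restarted.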
Rollback
To roll back the test fix, edit the CR by running the command:
oc edit <SINGULAR NAME OF CR>
e.g.
oc edit noihybrid
This opens the YAML configuration of the CR. Look for the ‘helmValuesNOI’ properties under ‘spec’ section and remove the following from the YAML configuration:
spec:
  helmValuesNOI:
    ibm-hdm-analytics-dev.postinsertprocessor.image.digest: sha256:abf3fbd4068765bb84b19d3d03261ab5d09f1fc52225c52e79d909d0e4dbc039
    ibm-hdm-analytics-dev.postinsertprocessor.image.name: cp/noi/v3-policy-processor
    ibm-hdm-analytics-dev.postinsertprocessor.image.tag: 0.5.49-HF-CVE-2022-42889
    alerttriggerservice.image.digest: sha256:c070992c2617d98985bb2cae63509c4854c505c652c64b66d11f50d6bf84eaf9
    alerttriggerservice.image.name: cp/noi/noi-alert-trigger-service
    alerttriggerservice.image.tag: 18.0.36-HF-CVE-2022-42889
Save the YAML configuration and the pod will restart. Use Step (4) to check for pod restarts.
To include the patch in a new Netcool Operations Insight instance
The following properties can be included in the spec.helmValuesNOI property of a new Netcool Operations Insight instance.
ibm-hdm-analytics-dev.postinsertprocessor.image.digest: sha256:abf3fbd4068765bb84b19d3d03261ab5d09f1fc52225c52e79d909d0e4dbc039
ibm-hdm-analytics-dev.postinsertprocessor.image.name: cp/noi/v3-policy-processor
ibm-hdm-analytics-dev.postinsertprocessor.image.tag: 0.5.49-HF-CVE-2022-42889
alerttriggerservice.image.digest: sha256:c070992c2617d98985bb2cae63509c4854c505c652c64b66d11f50d6bf84eaf9
alerttriggerservice.image.name: cp/noi/noi-alert-trigger-service
alerttriggerservice.image.tag: 18.0.36-HF-CVE-2022-42889
Future releases
This hot-fix will be included from NOI 1.6.9 GA onwards.
Document Information
Modified date: 23 May 2023
UID: ibm16997113