RHBA-2025:3728 - Bug Fix Advisory

Topic

OpenShift Compliance Operator 1.7.0 is now available for the Red
Hat OpenShift Enterprise 4 catalog, which includes various bug
fixes and enhancements.

Description

The OpenShift Compliance Operator 1.7.0 is now available. See the
documentation for bug fix information:

https://docs.redhat.com/en/documentation/openshift_container_platform/latest/html/security_and_compliance/compliance-operator#compliance-operator-release-notes

Solution

Before applying this update, make sure all previously released
errata relevant to your system have been applied. For details on how
to apply this update, refer to:

https://docs.redhat.com/en/documentation/openshift_container_platform/latest/html/updating_clusters/performing-a-cluster-update#updating-cluster-cli

Affected Products

• Red Hat OpenShift Container Platform 4.8 for RHEL 8 x86_64
• Red Hat OpenShift Container Platform 4.7 for RHEL 8 x86_64
• Red Hat OpenShift Container Platform 4.6 for RHEL 8 x86_64

Fixes

• OCPBUGS-10336 - Need to include in documentation the way to collect a must-gather for compliance.
• OCPBUGS-33194 - Few File structure looks different when enabling these rules in s390x
• OCPBUGS-42350 - The instructions for rule ocp4-etcd-unique-ca doesn?t work for 4.17 and higher ocp releases
• OCPBUGS-43229 - Compliance Operator rules for checking logging breaks with CLO 6.0
• OCPBUGS-43585 - Allow access to clusterlogforwarder in observability API
• OCPBUGS-48090 - Outdated URL to Compliance Operator documentation
• OCPBUGS-51267 - ComplianceScan Controller has reconcile error
• OCPBUGS-52884 - Rule file-integrity-exists fails on ARM64 clusters
• OCPBUGS-52885 - Rule file-integrity-notification-enabled fails on ARM64 clusters
• OCPBUGS-54212 - Rule kubelet-configure-tls-cipher-suites fails with new ciphers from RFC 8446
• OCPBUGS-54403 - The platform scan fails due to ?failed to parse Ignition config?
• OCPBUGS-54605 - Remediation for directory-access-var-log-audit doesn't appear to be working
• OCPBUGS-53041 - Several OCP rules are not multi-platform aware
• CMP-2956 - CIS OpenShift 1.7.0 Benchmark Support
• CMP-2960 - Compliance Operator support on ARM (CIS OCP 1.7.0 and FedRAMP Moderate Revision 4)
• CMP-3114 - Implement support for Compliance Operator on ARM architecture
• CMP-3134 - Update DISA STIG profile
• CMP-3142 - Implement DISA STIG V2R2 for OpenShift and RHCOS
• CMP-3149 - Implement a deprecation mechanism for profiles
• OCPBUGS-55140 - All rhcos profiles return NOT-APPLICABLE for 4.19
• OCPBUGS-55180 - Rule file-groupowner-ovs-conf-db-hugetlbf fails unexpected
• OCPBUGS-55181 - Rules do not contain NERC-CIP profile annotations

CVEs

• CVE-2019-12900
• CVE-2020-11023
• CVE-2021-43618
• CVE-2021-46848
• CVE-2022-1271
• CVE-2022-36227
• CVE-2022-47629
• CVE-2022-48554
• CVE-2022-49043
• CVE-2023-2602
• CVE-2023-2603
• CVE-2023-7104
• CVE-2023-29491
• CVE-2023-37920
• CVE-2024-2236
• CVE-2024-3596
• CVE-2024-5535
• CVE-2024-8176
• CVE-2024-28182
• CVE-2024-28834
• CVE-2024-28835
• CVE-2024-34397
• CVE-2024-55549
• CVE-2024-56171
• CVE-2025-24928

References

(none)