Issued: 2025-12-15
Updated: 2025-12-15
RHSA-2025:23203 - Security Advisory
Synopsis
Important: Red Hat OpenShift GitOps v1.18.2 security update
Type/Severity
Security Advisory: Important
Topic
Important: Red Hat OpenShift GitOps v1.18.2 security update
Description
An update is now available for Red Hat OpenShift GitOps.
Bug Fix(es) and Enhancement(s):
- GITOPS-7608 (Redis HA pods are taking longer than expected to come up)
- GITOPS-7789 (Version override in ArgoCD CR causes operator to use upstream images)
- GITOPS-7798 (Progress Sync Unknown in UI (cherry-pick #24202 for 3.1))
- GITOPS-7844 (GitOpsService controller creates default ArgoCD with v1alpha1 api version)
- GITOPS-8019 (CVE-2025-49844 - Vulnerability with Redis)
- GITOPS-8033 (openshift-gitops-redis-ha-haproxy deployment fails to rollout with 3 worker nodes)
- GITOPS-8067 (1.18.z - Hide Dev Preview Badge in GitOps Operator's Operand tabs)
- GITOPS-8142 (CVE-2024-45337 reported by RHACS for OpenShift GitOps Operator v1.18.1 (ArgoCD-based) due to outdated git-lfs binary, dependency update required to remove false positive.)
- GITOPS-8152 (ArgoCD CR Reconciliation fails if spec.applicationSet.webhookServer.route.enabled is set to true)
**Post-Upgrade Action Required: Audit GitOps Operator Roles**
Following this upgrade, we strongly recommend you run the provided audit script to review namespace-scoped access.
- The script identifies Roles/RoleBindings that grant cross-namespace access for the GitOps operator's features (created via .spec.sourceNamespaces).
- Run it to verify and confirm that only the intended namespaces have cross-namespace access to deploy applications.
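One way to do the same kind of review by hand, as an added example (this is not Red Hat's audit script, which this page does not reproduce): list RoleBindings outside the GitOps namespace that grant access to a service account inside it, then compare the result with the namespaces you meant to list in .spec.sourceNamespaces. The `openshift-gitops` namespace, the object names and the sample data are assumptions constructed for illustration.

```python
import json
import sys

def _rb(ns, name, role, subjects):
    # Helper that builds one item shaped like `oc get rolebindings -A -o json` output.
    return {"metadata": {"namespace": ns, "name": name},
            "roleRef": {"kind": "Role", "name": role}, "subjects": subjects}

# Constructed sample data; every name below is illustrative.
_SA = {"kind": "ServiceAccount", "namespace": "openshift-gitops",
       "name": "openshift-gitops-argocd-application-controller"}
SAMPLE = {"items": [
    _rb("openshift-gitops", "local-binding", "local-role", [_SA]),   # same namespace
    _rb("team-a", "argocd-team-a", "argocd-team-a", [_SA]),          # intended
    _rb("team-b", "argocd-team-b", "argocd-team-b", [_SA]),          # not intended
    _rb("team-c", "dev-edit", "edit", [{"kind": "User", "name": "alice"}]),
    _rb("team-d", "empty", "view", None),                            # no subjects
]}

def cross_namespace_grants(rolebindings, gitops_ns="openshift-gitops"):
    """Return (namespace, binding, role, service account) for every RoleBinding
    outside gitops_ns whose subject is a ServiceAccount living in gitops_ns."""
    findings = []
    for rb in rolebindings.get("items", []):
        target_ns = rb.get("metadata", {}).get("namespace")
        if target_ns == gitops_ns:
            continue  # access inside the GitOps namespace is not cross-namespace
        ref = rb.get("roleRef", {})
        for subj in rb.get("subjects") or []:
            if subj.get("kind") == "ServiceAccount" and subj.get("namespace") == gitops_ns:
                findings.append((target_ns, rb["metadata"]["name"],
                                 f"{ref.get('kind')}/{ref.get('name')}", subj["name"]))
    return sorted(findings)

def unexpected_namespaces(findings, intended):
    """Namespaces that grant access to the GitOps namespace but are not on the intended list."""
    return sorted({f[0] for f in findings} - set(intended))

if __name__ == "__main__":
    # Pipe real data in with: oc get rolebindings -A -o json | python3 audit.py team-a
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    found = cross_namespace_grants(data)
    for row in found:
        print("\t".join(row))
    print("unexpected:", unexpected_namespaces(found, sys.argv[1:]))
```

Any namespace reported as unexpected should be checked against the Argo CD resource's .spec.sourceNamespaces before its Role and RoleBinding are removed.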
For more details, refer to:
Solution
Before applying this update, make sure all previously released errata relevant to your system have been applied.
For details on how to apply this update, refer to:
Fixes
- https://issues.redhat.com/browse/GITOPS-7608
- https://issues.redhat.com/browse/GITOPS-7789
- https://issues.redhat.com/browse/GITOPS-7798
- https://issues.redhat.com/browse/GITOPS-7844
- https://issues.redhat.com/browse/GITOPS-8019
- https://issues.redhat.com/browse/GITOPS-8033
- https://issues.redhat.com/browse/GITOPS-8142
- https://issues.redhat.com/browse/GITOPS-8152
amd64
arm64
ppc64le
s390x
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.