Red Hat Customer Portal lists CVE-2021-27219 as having a 9.8 out of 10 RedHat CVSS score, that it was published February 4, 2021, more than 3 months ago and that it affects RHEL 8, the newest version.
Is there really no fix for it out yet?
If I read the above link correctly, the issue affects RHEL 6, 7 and 8 but no fix exists yet. (As opposed to e.g. CVE-2021-3326 where a fix was released yesterday).
At the same time, Red Hat’s ubi8/ubi-minimal docker image, updated today shows:
Health Index “A” (green) (This image does not have any unapplied Critical or Important security updates.)
When I upload that image to our Harbor Registry, it scans the image and lists it as having CVE-2021-27219 unfixed. Digging into RedHat’s own data, it looks like I have to agree with Harbor.
But then I find it highly misleading for RedHat to list the image as having: Health Index “A”. Sure, there is no unapplied fix, because the fix doesn’t exist yet, but how can an image be healthy with a 9.8-score security issue unfixed for 3 months?
What am I misunderstanding?
(Also, how can there not be a tag for RedHat or RPM?)
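To see why an image scanner and a "no unapplied updates" health rating can disagree on the same CVE, here is an added Python example (mine, not Red Hat's or Harbor's code) that classifies a CVE per product from JSON in the shape of Red Hat's Security Data API. The JSON sample is constructed, its field names are assumed from that API, and the fix states, advisory and package versions in it are placeholders rather than the live record.

```python
import json

# Constructed sample shaped like a Red Hat Security Data API CVE record
# (https://access.redhat.com/hydra/rest/securitydata/cve/<CVE-ID>.json).
# Field names are assumed from that API; fix states, advisory id and
# package versions are illustrative placeholders, not the live data.
SAMPLE_CVE_JSON = json.dumps({
    "name": "CVE-2021-27219",
    "cvss3": {"cvss3_base_score": "9.8"},
    "package_state": [  # products with no errata published
        {"product_name": "Red Hat Enterprise Linux 8", "fix_state": "Affected",
         "package_name": "glib2", "cpe": "cpe:/o:redhat:enterprise_linux:8"},
        {"product_name": "Red Hat Enterprise Linux 6", "fix_state": "Will not fix",
         "package_name": "glib2", "cpe": "cpe:/o:redhat:enterprise_linux:6"},
    ],
    "affected_release": [  # products where an advisory shipped a fixed build
        {"product_name": "Red Hat Enterprise Linux 7", "advisory": "RHSA-0000:0000",
         "package": "glib2-0:0.0.0-0.el7", "cpe": "cpe:/o:redhat:enterprise_linux:7"},
    ],
})

NO_FIX_YET = {"Affected", "Fix deferred", "Under investigation"}
WONT_FIX = {"Will not fix", "Out of support scope"}


def cve_status(cve_json: str, cpe: str) -> dict:
    """Classify one CVE for one product CPE from a Security Data API record."""
    data = json.loads(cve_json)
    released = [r for r in data.get("affected_release", []) if r.get("cpe") == cpe]
    states = {p.get("fix_state") for p in data.get("package_state", [])
              if p.get("cpe") == cpe}
    if released:
        status = "fix released"          # errata exists; there is something to apply
    elif states & NO_FIX_YET:
        status = "affected, no fix"      # vulnerable, but nothing to apply yet
    elif states & WONT_FIX:
        status = "affected, will not fix"
    elif "Not affected" in states:
        status = "not affected"
    else:
        status = "unknown"               # product not listed in the record
    return {"cve": data.get("name"), "cpe": cpe, "status": status,
            "advisories": sorted({r["advisory"] for r in released})}


def is_vulnerable(status: str) -> bool:
    """What a vulnerability scanner reports: every affected state counts."""
    return status in ("fix released", "affected, no fix", "affected, will not fix")


def has_update_to_apply(status: str) -> bool:
    """What a 'no unapplied updates' rating can count: only a released fix."""
    return status == "fix released"
```

Running `cve_status(SAMPLE_CVE_JSON, "cpe:/o:redhat:enterprise_linux:8")` on the sample yields "affected, no fix": `is_vulnerable` is true while `has_update_to_apply` is false, which is exactly the gap between the two views.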