Container Image Vulnerabilities and CVE Reports

Describes how HPE Data Fabric Engineering provides software updates to address container image vulnerabilities.

HPE Data Fabric Engineering takes security very seriously and makes every effort to ensure that the container images for HPE Data Fabric software products are free of known vulnerabilities at the time of release. However, because new vulnerabilities are continually discovered and reported after an image ships, scanning product images with tools such as Trivy is likely to report CVEs that affect packages inside the images.

The HPE Data Fabric Engineering team also regularly scans product images to identify new vulnerabilities and creates action plans to modify the product images. Note that most reported vulnerabilities are in open-source software that HPE Data Fabric products depend on, not in HPE-authored code. HPE Data Fabric Engineering therefore decides when it is best to update products with updated open-source content.

HPE Data Fabric Engineering typically updates vulnerable packages from one minor software product version to the next (for example, from 1.3 to 1.4). For critical vulnerabilities, HPE may provide security-patched container images outside of the established software release cycle, in accordance with the following table.

To keep your platform as secure as possible, ensure that you upgrade or patch your HPE Data Fabric software to the latest available version.

| Severity (CVSS Base Score Range) | SLA of Response |
| --- | --- |
| Critical (9.0 – 10.0) | HPE Data Fabric Engineering will prioritize and begin working on a fix. The team will make the fix available as soon as possible. This might take the form of a special maintenance release of an HPE Data Fabric software product for the sole purpose of making the fix available. If it is possible to deploy the fix as a patch more quickly or conveniently, the patch will also be made available. In the meantime, the support team will work with the community to mitigate the issue. |
| High (7.0 – 8.9) | HPE Data Fabric Engineering will include a fix in the next planned release (major or minor) of the HPE Data Fabric software product. HPE Data Fabric software releases typically happen on a quarterly basis. The fix will be made available in patch form for customers who want to deploy it sooner, and the support team will assist with applying the patch. |
| Medium (4.0 – 6.9) | HPE Data Fabric Engineering will include a fix in the next planned release (major or minor) of the HPE Data Fabric product. |
| Low (0.1 – 3.9) | HPE Data Fabric Engineering will include a fix in the next major release of the HPE Data Fabric product, or the team will provide detailed steps that can be taken to mitigate the issue. |