IBM - Cloud, PowerVS and Ceph aaS - Structured Ideas

Status: Submitted
Workspace: CephaaS
Categories: OpenShift usage
Created by: Guest
Created on: Jul 19, 2025

Secure and updated container images in the IBM Z OSS Hub (and in general also usable for the IBM Container Registry)

I have created the following request via HackerOne, stating that many of the provided container images based on Linux distributions have reached "End of Life" and are therefore vulnerable because they no longer receive updates: https://hackerone.com/bugs?subject=user&report_id=3234370&view=open&substates%5B%5D=new&substates%5B%5D=needs-more-info&substates%5B%5D=pending-program-review&substates%5B%5D=triaged&substates%5B%5D=retesting&reported_to_team=&text_query=&program_states%5B%5D=2&program_states%5B%5D=3&program_states%5B%5D=4&program_states%5B%5D=5&sort_type=latest_activity&sort_direction=descending&limit=25&page=1

It was rejected with the reason that scanners often produce false positives...

Do you want to provide container images without any possible security updates to your customers? Therefore, I am adding this as an improvement idea via ideas.ibm.com, with a link to the rejected HackerOne report.

I also provide best practices for updating them automatically in the future in the IBM Z OSS Hub and in the IBM Container Registry:

Detailed Description:

All provided containerized Linux distributions for IBM Z have reached End of Life. Because of this, these container images no longer receive any updates and are highly vulnerable.
Alpine 3.18 reached End of Life on 9 May 2025. Fedora Linux 40 reached End of Life on 13 May 2025. Ubuntu 24.10 reaches End of Life in July 2025.

ALL VERSIONS below these are affected. You are providing Alpine '3.12, 3.13.12, 3.14.9, 3.15.7, 3.16.4, 3.17.2', Fedora Linux '32, 34, 35' and Ubuntu '18.04, 20.04, 22.04, jammy, noble'. All provided container images are vulnerable.

Steps To Reproduce:

  1. Open https://ibm.github.io/ibm-z-oss-hub/containers/index.html
  2. Compare the listed Linux distributions with the versions that are still supported
  3. Use "docker run" on s390x with these container images
  4. All are vulnerable due to missing support and updates

Supporting Material/References: Supported container images by their providers:
  • Fedora, AlmaLinux, RHEL and CentOS Stream: https://osbuild.org/docs/user-guide/image-descriptions/ or quay.io
  • Ubuntu: https://wiki.ubuntu.com/S390X

How to create automated updates: The easiest way to get the latest container images updated automatically is Skopeo.

Idea priority: Urgent
Needed By: Yesterday (Let's go already!)
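One way to implement the automated End-of-Life check and refresh that the idea asks for, as an added example that is not part of the original post or of any IBM tooling: a Python script that flags published Alpine tags whose release no longer receives updates and builds the `skopeo copy` that mirrors the newest supported release (all architectures, so s390x is included). The tag list is a constructed sample in the JSON shape of `skopeo list-tags` output, the EOL table beyond the Alpine 3.18 date quoted above holds illustrative placeholder dates that must be maintained from the vendor's release page, and REGISTRY_PLACEHOLDER stands for the destination registry.

```python
import json
import re
from datetime import date
# Constructed sample in the JSON shape `skopeo list-tags docker://docker.io/library/alpine` prints.
SAMPLE_LIST_TAGS = json.dumps({
    "Repository": "docker.io/library/alpine",
    "Tags": ["3.12", "3.13.12", "3.14.9", "3.15.7", "3.16.4", "3.17.2",
             "3.18.12", "3.19.7", "3.20.6", "3.21.3", "latest", "edge"],
})

# Alpine tags the idea says are currently published in the IBM Z OSS Hub.
HOSTED_ALPINE_TAGS = ["3.12", "3.13.12", "3.14.9", "3.15.7", "3.16.4", "3.17.2"]

# EOL date per minor release. 3.18 is the date quoted in the idea; the rest are
# illustrative placeholders (assumption): maintain this table from the vendor's release page.
EOL = {
    (3, 16): date(2024, 5, 23), (3, 17): date(2024, 11, 22), (3, 18): date(2025, 5, 9),
    (3, 19): date(2025, 11, 1), (3, 20): date(2026, 4, 1), (3, 21): date(2026, 11, 1),
}

TAG_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")

def parse_tag(tag):
    """Return (major, minor, patch) for a release tag, None for floating tags like 'latest'."""
    m = TAG_RE.match(tag)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)) if m else None

def is_eol(tag, today):
    """Fail closed: EOL if the minor release passed its date, is untracked, or the tag is floating."""
    v = parse_tag(tag)
    if v is None:
        return True
    eol = EOL.get(v[:2])
    return eol is None or eol <= today

def audit(hosted_tags, today):
    """List the published tags that should no longer be served because they get no updates."""
    return [t for t in hosted_tags if is_eol(t, today)]

def newest_supported(list_tags_json, today):
    """Highest release tag from `skopeo list-tags` output that is still supported on `today`."""
    tags = json.loads(list_tags_json)["Tags"]
    live = [t for t in tags if not is_eol(t, today)]
    return max(live, key=parse_tag) if live else None

def refresh_command(list_tags_json, today, src_repo, dest_repo):
    """Build the skopeo copy that mirrors the newest supported tag, including all architectures."""
    tag = newest_supported(list_tags_json, today)
    return None if tag is None else f"skopeo copy --all docker://{src_repo}:{tag} docker://{dest_repo}:{tag}"
```

Run `audit(HOSTED_ALPINE_TAGS, date.today())` to see which published tags are stale, and feed the string from `refresh_command` to a scheduled job; the same pattern applies to the Fedora and Ubuntu repositories with their own EOL tables.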
  • Guest
    Jul 19, 2025

    You should update all container images automatically. These End-of-Life Linux distributions are only examples where you can identify the vulnerabilities just by looking at the version.