Closed: anjugds closed this issue 1 month ago.
Hi, thanks for reporting this. We will get back to you. Which version are you using?
Hi @fhoueto-amz and @michaelin-96, we are using version v[6.1.1] - 2024-09-26.
Could you please fix this ASAP?
@anjugds we are not seeing the same thing on v6.1.1. To confirm the version you are using: view all vulnerabilities, click on the vulnerability title, then find the affected resource name and click on it; that should bring you to the Lambda. Then click on the Configuration tab and then on Tags. That will give you the CloudFormation stack ID. Go to CloudFormation and find that stack. When you click on the stack name, you should see the Description field under the Stack info tab. This will give you the version that deployed that Lambda, in the format "(SO0189) QnABot with admin and client websites - Version v6.1.1". Can you share the version which has deployed the body-parser vulnerability and the async vulnerability under ESQIDLambda, ESCleaningLambda and ImportStep Lambda?
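The console walk-through above (Lambda tags to CloudFormation stack to the stack description) can be scripted so the deploying version is read for each flagged function without clicking through. The following is an added example, not code from the QnABot project or from anyone in this thread. It assumes boto3 is installed and AWS credentials are configured, and it relies on the `aws:cloudformation:stack-id` tag that CloudFormation applies to the resources it creates; the description format it parses is the one quoted in the comment above.

```python
import re
import sys
from typing import Mapping, Optional

# Tag key CloudFormation sets on every resource it creates (standard AWS tag).
STACK_ID_TAG = "aws:cloudformation:stack-id"

# Matches "Version v6.1.1" inside a stack description such as
# "(SO0189) QnABot with admin and client websites - Version v6.1.1".
VERSION_RE = re.compile(r"\bVersion\s+(v\d+\.\d+\.\d+)")


def stack_id_from_tags(tags: Mapping[str, str]) -> Optional[str]:
    """Return the CloudFormation stack ID from a Lambda's tag map, if present."""
    return tags.get(STACK_ID_TAG)


def version_from_description(description: str) -> Optional[str]:
    """Extract the solution version string from a stack description."""
    match = VERSION_RE.search(description or "")
    return match.group(1) if match else None


def deploying_version(function_name: str, region: Optional[str] = None) -> Optional[str]:
    """Look up which QnABot version deployed the given Lambda (needs AWS access).

    Steps mirror the console procedure: Lambda -> tags -> stack ID -> stack description.
    """
    import boto3  # imported lazily so the parsing helpers work without boto3 installed

    lam = boto3.client("lambda", region_name=region)
    cfn = boto3.client("cloudformation", region_name=region)

    arn = lam.get_function(FunctionName=function_name)["Configuration"]["FunctionArn"]
    tags = lam.list_tags(Resource=arn)["Tags"]
    stack_id = stack_id_from_tags(tags)
    if stack_id is None:
        return None  # not created by CloudFormation, so no stack description to read

    stack = cfn.describe_stacks(StackName=stack_id)["Stacks"][0]
    return version_from_description(stack.get("Description", ""))


if __name__ == "__main__":
    # Usage: python stack_version.py <function-name> [<function-name> ...]
    for name in sys.argv[1:]:
        print(f"{name}: {deploying_version(name)}")
```

Run it with the names of the flagged functions (the ESQIDLambda, ESCleaningLambda and ImportStep functions in this thread); a function whose stack description reports an older version, or `None`, is not from the 6.1.1 deployment.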
Hi,
Please find the screenshot from CloudFormation and CFN Lambda.
@fhoueto-amz and @michaelin-96, could you please help with this?
We are working on a client environment and it's moving towards escalation, as these are all High vulnerabilities. @fhoueto-amz @michaelin-96
@anjugds, @preethy-1 I am confused. Your original post said that the body-parser issue is solved in 1.20.3, but you were seeing an older version of body-parser being used in QnABot v6.1.1. Quoting your original submission: "body-parser-->body-parser is Node.js body parsing middleware. body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service. This issue is patched in 1.20.3." The screenshot attached, though, is showing that the version of body-parser used is already 1.20.3. It seems that the Lambdas being scanned are not from 6.1.1. I would suggest you do a clean deployment of the latest version of QnABot in a separate region/account and run Inspector on it to avoid potential interference with previous versions of the Lambdas.
@anjugds, @preethy-1 Any update from your side?
Closing this. Please reopen if needed.
Hi Team, we ran the CloudFormation template and enabled Amazon Inspector. We got vulnerabilities that are very high. Attached are the screenshots. Also, the description is given below. Could you please help us in fixing this? Also, is it possible to include the fix for these high vulnerabilities in your next release?
body-parser-->body-parser is Node.js body parsing middleware. body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service. This issue is patched in 1.20.3.
async-->In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.
Thanks Anju
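The two findings above each name a fixed version (body-parser 1.20.3; async 2.6.4 for the 2.x line and 3.2.2 for the 3.x line). After a clean redeploy, a quick way to check the actual Lambda bundles, rather than rely on the scanner alone, is to read the `package.json` of every `node_modules` copy of these packages and compare against those ranges. This is an added example written for this thread, not QnABot project code or the commenters' own; the sample manifests at the bottom are constructed for illustration and the path names only reuse the function names mentioned above.

```python
import json
from pathlib import Path
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Vulnerable ranges taken from the advisories quoted above: (lower inclusive, upper exclusive).
ADVISORIES: Dict[str, List[Tuple[Version, Version]]] = {
    "body-parser": [((0, 0, 0), (1, 20, 3))],
    "async": [((0, 0, 0), (2, 6, 4)), ((3, 0, 0), (3, 2, 2))],
}


def parse_version(text: str) -> Version:
    """Turn '1.20.3', 'v3.2.1' or '3.2.2-beta.1' into a comparable (major, minor, patch)."""
    core = text.strip().lstrip("v=^~").split("-")[0].split("+")[0]
    nums = [int(p) if p.isdigit() else 0 for p in core.split(".")[:3]]
    while len(nums) < 3:
        nums.append(0)
    return nums[0], nums[1], nums[2]


def is_vulnerable(name: str, version: str) -> bool:
    """True if the installed version of a tracked package falls in a vulnerable range."""
    ranges = ADVISORIES.get(name)
    if not ranges:
        return False
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in ranges)


def audit_manifests(manifests: Dict[str, str]) -> List[dict]:
    """Audit a mapping of package.json path -> file contents; returns findings sorted by path."""
    findings = []
    for path, text in sorted(manifests.items()):
        try:
            data = json.loads(text)
        except ValueError:
            continue  # not a valid manifest, skip it
        name, version = data.get("name"), data.get("version")
        if name in ADVISORIES and isinstance(version, str) and is_vulnerable(name, version):
            findings.append({"path": path, "name": name, "version": version})
    return findings


def audit_tree(root: str) -> List[dict]:
    """Collect every node_modules/**/package.json under an unzipped bundle and audit it."""
    manifests = {}
    for pj in Path(root).rglob("package.json"):
        if "node_modules" in pj.parts:
            manifests[str(pj)] = pj.read_text(encoding="utf-8", errors="replace")
    return audit_manifests(manifests)


# Constructed sample: three bundles, one clean and two carrying an affected version.
SAMPLE_MANIFESTS = {
    "ESQIDLambda/node_modules/body-parser/package.json":
        '{"name": "body-parser", "version": "1.20.3"}',
    "ESCleaningLambda/node_modules/async/package.json":
        '{"name": "async", "version": "3.2.1"}',
    "ImportStep/node_modules/express/node_modules/body-parser/package.json":
        '{"name": "body-parser", "version": "1.19.0"}',
}

if __name__ == "__main__":
    import sys
    results = audit_tree(sys.argv[1]) if len(sys.argv) > 1 else audit_manifests(SAMPLE_MANIFESTS)
    for f in results:
        print(f"{f['name']} {f['version']} at {f['path']}")
```

Point `audit_tree` at the directory where a downloaded Lambda deployment package was unzipped; nested `node_modules` copies are included, since a transitive copy of body-parser (as in the third sample path) is what a scanner will flag even when the top-level copy is already patched.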