aws / aws-cli

Universal Command Line Interface for Amazon Web Services

zlib version in ARM distribution has security vulnerability #8818

Open njkwon-wavefin opened 3 months ago

njkwon-wavefin commented 3 months ago

Describe the issue

The Linux ARM/aarch64 version of AWS CLI v2 in 2.17.18 has zlib 1.2.7 in libz.so.1

zlib 1.2.8 has a security vulnerability report on NIST and GitHub, and 1.2.7 is also affected.

I am using the Aqua scanner for security checks and, based on their report, the fixed version is 1.2.9. Do you have a plan for updating zlib to version 1.2.9 or above in libz.so.1?

Additional Information/Context

CVE-2016-9842 description : The inflateMark function in inflate.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving left shifts of negative integers.

version in the aarch64

$ curl "https://awscli.amazonaws.com/awscli-exe-linux-aarch64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
./aws/install

$ strings /usr/local/aws-cli/v2/2.17.18/dist/libz.so.1 | grep "1."
inflate 1.2.7 Copyright 1995-2012 Mark Adler

CLI version used

2.17.18

Environment details (OS name and version, etc.)

Linux ARM/aarch64

tim-finnigan commented 3 months ago

Thanks for reporting this issue. The zlib version used is a copy of zlib-1.2.7-18.el7.aarch64.rpm vended from CentOS which has been patched. The team will work on getting the files updated but this version is currently required to fully support all aarch64 platforms we currently distribute for. Also please note that the AWS CLI was not originally susceptible to the CVE in question here.
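The exchange above turns on one point: the reporter's scanner reads the version banner embedded in libz.so.1, while the maintainer says the bundled copy is a distro RPM (zlib-1.2.7-18.el7) whose fixes were backported without bumping that banner. The script below is an added example, not code from the issue or from the aws-cli project. It reproduces the reporter's `strings | grep` probe as reusable shell functions (using `tr` as a stand-in for `strings` so it runs without binutils), compares the extracted version against the 1.2.9 floor the scanner reported, and scans whatever AWS CLI v2 installs exist under the documented `/usr/local/aws-cli/v2/*/dist/` path. The install path and the 1.2.9 threshold come from the issue; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the issue or the aws-cli project): a banner-based
# zlib version check in the style of the reporter's `strings | grep` probe,
# plus the caveat that a banner cannot see backported patches.

MIN_ZLIB="1.2.9"   # floor reported by the scanner in the issue

# Extract "X.Y[.Z]" from a zlib inflate banner such as
# "inflate 1.2.7 Copyright 1995-2012 Mark Adler". Prints nothing otherwise.
zlib_version_from_banner() {
    printf '%s\n' "$1" |
        sed -n 's/^inflate \([0-9][0-9]*\.[0-9][0-9]*\(\.[0-9][0-9]*\)*\) Copyright.*/\1/p'
}

# version_ge A B: succeed (exit 0) when dotted version A >= B.
# Compares field by field numerically, so 1.2.11 > 1.2.9 and 1.3 > 1.2.13.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i in x) ? x[i] + 0 : 0
            yi = (i in y) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# Pull the first inflate banner out of a shared object. `tr` turns every
# non-printable byte into a newline, which is all `strings` did for the
# reporter's probe. Prints "unknown" when no banner is present.
zlib_version_in_lib() {
    banner=$(LC_ALL=C tr -c '[:print:]' '\n' < "$1" | grep '^inflate [0-9]' | head -n 1)
    v=$(zlib_version_from_banner "$banner")
    printf '%s\n' "${v:-unknown}"
}

# Scan every AWS CLI v2 install at the path the installer uses.
for lib in /usr/local/aws-cli/v2/*/dist/libz.so.1; do
    [ -e "$lib" ] || continue
    v=$(zlib_version_in_lib "$lib")
    if [ "$v" = "unknown" ]; then
        echo "$lib: no zlib banner found"
    elif version_ge "$v" "$MIN_ZLIB"; then
        echo "$lib: zlib $v (>= $MIN_ZLIB by banner)"
    else
        # A low banner is a lead, not proof: the maintainer's reply says this
        # build is a patched CentOS RPM, so confirm against the RPM changelog
        # or the actual inflate.c before filing the finding.
        echo "$lib: zlib $v (< $MIN_ZLIB by banner; check for backported fixes)"
    fi
done
```

The banner check is exactly what produced the scanner finding, which is why it is worth having in scriptable form; the design choice to print "check for backported fixes" rather than "vulnerable" reflects the maintainer's reply, since a distribution build can carry the CVE fix while still reporting 1.2.7.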