ECR Clair scan on the latest lambda/nodejs:16 image found an OpenSSL vulnerability ALAS-2022-1831 with this description: "Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2022-2068: A flaw was found in OpenSSL. The issue in CVE-2022-1292 did not find other places in the `c_rehash` script where it possibly passed the file names of certificates being hashed to a command executed through the shell. Some operating systems distribute this script in a manner where it is automatically executed. On these operating systems, this flaw allows an attacker to execute arbitrary commands with the privileges of the script."
I am able to get rid of this finding by adding `yum update -y` to my Dockerfile (apparently other libraries like libcrypt, glibc have to be updated too - the finding did not go away by just adding `yum update -y openssl`). It will be good if the base image itself contains no known vulnerabilities, though.
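For reference, a Dockerfile that applies the workaround described above and fails the build if the patched OpenSSL package did not land (added example, not from the issue author or the AWS base image project; the `public.ecr.aws/lambda/nodejs:16` tag and the `index.handler` entry point are assumptions, and the `rpm --changelog` grep assumes the Amazon Linux 2 package changelog names the CVE):

```dockerfile
# Assumed public tag for the Lambda Node.js 16 base image
FROM public.ecr.aws/lambda/nodejs:16

# Full update, not only openssl: the ALAS-2022-1831 finding also needs the
# other updated packages (e.g. glibc, libcrypt) before the scanner clears it.
# Clean the yum cache afterwards so stale metadata is not baked into the image.
RUN yum update -y && \
    yum clean all && \
    rm -rf /var/cache/yum

# Build-time check: abort if the installed openssl package does not record the
# CVE-2022-2068 fix in its changelog (assumption: AL2 changelog lists the CVE).
RUN rpm -q openssl && \
    rpm -q --changelog openssl | grep -q "CVE-2022-2068"

# Application code and handler (assumed file and export names)
COPY index.js ${LAMBDA_TASK_ROOT}/
CMD ["index.handler"]
```

Rebuild and re-run the ECR scan after the change; the `RUN rpm ...` check only proves the package was updated, the scan result is still the authoritative signal.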