aws / aws-lambda-base-images


Vulnerability ALAS-2022-1831 found in nodejs:16 image #55

Closed awsitcloudpro closed 1 year ago

awsitcloudpro commented 1 year ago

ECR Clair scan on the latest lambda/nodejs:16 image found an OpenSSL vulnerability ALAS-2022-1831 with this description "Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2022-2068: A flaw was found in OpenSSL. The issue in CVE-2022-1292 did not find other places in the c_rehash script where it possibly passed the file names of certificates being hashed to a command executed through the shell. Some operating systems distribute this script in a manner where it is automatically executed. On these operating systems, this flaw allows an attacker to execute arbitrary commands with the privileges of the script."

I am able to get rid of this finding by adding yum update -y to my Dockerfile (apparently other libraries like libcrypt and glibc have to be updated too; the finding did not go away by just adding yum update -y openssl). It will be good if the base image itself contains no known vulnerabilities, though.

smirnoal commented 1 year ago

Base images have been updated to include the latest version of openssl-libs: openssl-libs-1.0.2k-24.amzn2.0.4.
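An added example, not posted by either commenter: a small POSIX shell check that compares the openssl-libs package installed in an image (as printed by rpm -q openssl-libs) against the fixed version named above, so the remediation can be verified in a build step rather than waiting for the next scan. It assumes GNU sort -V for version ordering and an rpm -q output of the form openssl-libs-VERSION-RELEASE[.ARCH].

```shell
#!/bin/sh
# Added example (not from the issue thread). Fixed version taken from the
# maintainer's comment above.
FIXED="openssl-libs-1.0.2k-24.amzn2.0.4"

# Reduce "openssl-libs-1.0.2k-24.amzn2.0.4.x86_64" to "1.0.2k-24.amzn2.0.4".
evr_of() {
    printf '%s\n' "$1" | sed -e 's/^openssl-libs-//' \
                             -e 's/\.x86_64$//' -e 's/\.aarch64$//'
}

# Usage: openssl_libs_fixed "<output of rpm -q openssl-libs>"
# Prints "fixed" or "vulnerable"; exit status 0 only when fixed.
openssl_libs_fixed() {
    have=$(evr_of "$1")
    want=$(evr_of "$FIXED")
    # sort -V orders version strings naturally; if the fixed EVR sorts
    # first (or both are equal), the installed package is at or above it.
    lowest=$(printf '%s\n%s\n' "$have" "$want" | sort -V | head -n 1)
    if [ "$have" = "$want" ] || [ "$lowest" = "$want" ]; then
        echo fixed
        return 0
    fi
    echo vulnerable
    return 1
}

# Stand-alone use inside an image: query rpm if it is available.
if command -v rpm >/dev/null 2>&1 && pkg=$(rpm -q openssl-libs 2>/dev/null); then
    openssl_libs_fixed "$pkg" || :
fi
```

Run it as a RUN step after yum update -y (or in CI against the built image) and fail the build on a non-zero exit.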