search

aws / aws-lambda-base-images

Apache License 2.0
683 stars 111 forks source link

Several security vulnerabilities in Python 3 base image #73

Open awsitcloudpro opened 1 year ago

awsitcloudpro commented 1 year ago

ECR Clair scan of a Lambda docker image based on public.ecr.aws/lambda/python:3 shows the following vulnerabilities, all apparently in base AL2 image:

Name Package Severity Description
ALAS2-2022-1885 expat:2.1.0-15.amzn2.0.1 HIGH Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2022-43680: In libexpat through 2.4.9, there is a use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate in out-of-memory situations.
ALAS2-2022-1882 curl:7.79.1-6.amzn2.0.1 MEDIUM Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2022-42916: A vulnerability was found in curl. The issue occurs because curl's HSTS check can be bypassed to trick it to keep using HTTP. Using its HSTS support, it can instruct curl to use HTTPS directly instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This mechanism can be bypassed if the hostname in the given URL uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion. Like using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop (U+002E) .. CVE-2022-42915: A vulnerability was found in curl. The issue occurs if curl is told to use an HTTP proxy for a transfer with a non-HTTP(S) URL. It sets up the connection to the remote server by issuing a CONNECT request to the proxy and then tunnels the rest of the protocol through. An HTTP proxy might refuse this request (HTTP proxies often only allow outgoing connections to specific port numbers, like 443 for HTTPS) and instead return a non-200 response code to the client. Due to flaws in the error/cleanup handling, this could trigger a double-free issue in curl if using one of the following schemes in the URL for the transfer: dict, gopher, gophers, ldap, ldaps, rtmp, rtmps, telnet. CVE-2022-35260: A vulnerability was found in curl. The issue occurs when curl is told to parse a .netrc file for credentials. If that file ends in a line with consecutive non-white space letters and no newline, curl could read past the end of the stack-based buffer, and if the read works, it can write a zero byte beyond its boundary. This issue, in most cases, causes a segfault or similar problem. A denial of service can occur if a malicious user can provide a custom netrc file to an application or otherwise affect its contents. CVE-2022-32221: A vulnerability was found in curl. The issue occurs when doing HTTP(S) transfers, where curl might erroneously use the read callback (CURLOPT_READFUNCTION) to ask for data to send, even when the CURLOPT_POSTFIELDS option has been set if it previously used the same handle to issue a PUT request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the subsequent POST request.
ALAS2-2022-1901 libblkid:2.30.2-2.amzn2.0.9 MEDIUM Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2022-0563: A flaw was found in the Linux kernel's util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation.
ALAS2-2022-1884 libcom_err:1.42.9-19.amzn2 MEDIUM Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2022-1304: An out-of-bounds read/write vulnerability was found in e2fsprogs. This issue leads to a segmentation fault and possibly arbitrary code execution via a specially crafted filesystem.
ALAS2-2022-1882 libcurl:7.79.1-6.amzn2.0.1 MEDIUM Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2022-42916: A vulnerability was found in curl. The issue occurs because curl's HSTS check can be bypassed to trick it to keep using HTTP. Using its HSTS support, it can instruct curl to use HTTPS directly instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This mechanism can be bypassed if the hostname in the given URL uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion. Like using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop (U+002E) .. CVE-2022-42915: A vulnerability was found in curl. The issue occurs if curl is told to use an HTTP proxy for a transfer with a non-HTTP(S) URL. It sets up the connection to the remote server by issuing a CONNECT request to the proxy and then tunnels the rest of the protocol through. An HTTP proxy might refuse this request (HTTP proxies often only allow outgoing connections to specific port numbers, like 443 for HTTPS) and instead return a non-200 response code to the client. Due to flaws in the error/cleanup handling, this could trigger a double-free issue in curl if using one of the following schemes in the URL for the transfer: dict, gopher, gophers, ldap, ldaps, rtmp, rtmps, telnet. CVE-2022-35260: A vulnerability was found in curl. The issue occurs when curl is told to parse a .netrc file for credentials. If that file ends in a line with consecutive non-white space letters and no newline, curl could read past the end of the stack-based buffer, and if the read works, it can write a zero byte beyond its boundary. This issue, in most cases, causes a segfault or similar problem. A denial of service can occur if a malicious user can provide a custom netrc file to an application or otherwise affect its contents. CVE-2022-32221: A vulnerability was found in curl. The issue occurs when doing HTTP(S) transfers, where curl might erroneously use the read callback (CURLOPT_READFUNCTION) to ask for data to send, even when the CURLOPT_POSTFIELDS option has been set if it previously used the same handle to issue a PUT request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the subsequent POST request.
ALAS2-2022-1901 libmount:2.30.2-2.amzn2.0.9 MEDIUM Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2022-0563: A flaw was found in the Linux kernel's util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation.
ALAS2-2022-1901 libuuid:2.30.2-2.amzn2.0.9 MEDIUM Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2022-0563: A flaw was found in the Linux kernel's util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation.
ALAS2-2022-1893 ncurses:6.0-8.20170212.amzn2.1.3 MEDIUM Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2022-29458: A segmentation fault vulnerability was found in ncurses's convert_strings() function of tinfo/read_entry.c file. This flaw occurs due to corrupted terminfo data, triggering an out-of-bounds read error. CVE-2021-39537: The ncurses package (tic) is susceptible to a heap overflow on crafted input. When the terminfo entry-description compiler processes input, proper bounds checking was not enforced leading to this software flaw. The highest threat from this vulnerability is system availability.
ALAS2-2022-1893 ncurses-base:6.0-8.20170212.amzn2.1.3 MEDIUM Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2022-29458: A segmentation fault vulnerability was found in ncurses's convert_strings() function of tinfo/read_entry.c file. This flaw occurs due to corrupted terminfo data, triggering an out-of-bounds read error. CVE-2021-39537: The ncurses package (tic) is susceptible to a heap overflow on crafted input. When the terminfo entry-description compiler processes input, proper bounds checking was not enforced leading to this software flaw. The highest threat from this vulnerability is system availability.
ALAS2-2022-1893 ncurses-libs:6.0-8.20170212.amzn2.1.3 MEDIUM Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2022-29458: A segmentation fault vulnerability was found in ncurses's convert_strings() function of tinfo/read_entry.c file. This flaw occurs due to corrupted terminfo data, triggering an out-of-bounds read error. CVE-2021-39537: The ncurses package (tic) is susceptible to a heap overflow on crafted input. When the terminfo entry-description compiler processes input, proper bounds checking was not enforced leading to this software flaw. The highest threat from this vulnerability is system availability.
zen commented 1 year ago

Even internal AWS ECR scan shows the same. This should be fixed ASAP.