Hello!
As part of our ongoing effort to ensure the security of our products, one or more vulnerabilities requiring remediation have been identified.
The following vulnerabilities were found by scanning with ECR. ECR scans are used in conjunction with Prisma scans to ensure we meet a high standard for software security.
We have suggestions on tooling to help improve the remediation process, following the vulnerability table below.
Note that we disregard the severity levels assigned by the various tools and operate solely on the CVSS-to-severity mapping in line with NIST guidelines.
cJSON v1.7.16 was discovered to contain a segmentation violation via the function cJSON_InsertItemInArray at cJSON.c.
| CVE | Severity | Image | Package | Description |
| --- | --- | --- | --- | --- |
| CVE-2023-52425 | high | 524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/tour:1.0.0 | expat:2.5.0 | libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case o[...] |
| CVE-2023-6246 | high | 524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/tour:1.0.0 | glibc:2.36 | A heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the s[...] |
| CVE-2023-6569 | high | 524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/tour:1.0.0 | h2o:3.44.0.3 | External Control of File Name or Path in h2oai/h2o-3 |
| CVE-2023-6779 | high | 524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/tour:1.0.0 | glibc:2.36 | An off-by-one heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is cal[...] |
| CVE-2024-0553 | high | 524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/tour:1.0.0 | gnutls28:3.7.9 | A vulnerability was found in GnuTLS. The response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from the re[...] |
| CVE-2024-0565 | high | 524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/tour:1.0.0 | linux:6.1.55 | An out-of-bounds memory read flaw was found in receive_encrypted_standard in fs/smb/client/smb2ops.c in the SMB Client sub-compo[...] |
| CVE-2024-0567 | high | 524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/tour:1.0.0 | gnutls28:3.7.9 | A vulnerability was found in GnuTLS, where a cockpit (which uses gnuTLS) rejects a certificate chain with distributed trust. Thi[...] |
| CVE-2024-0985 | high | 524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/tour:1.0.0 | postgresql-15:15.5 | Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL fu[...] |
| CVE-2024-21634 | high | 524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/tour:1.0.0 | software.amazon.ion:ion-java:1.0.2 | Amazon Ion is a Java implementation of the Ion data notation. Prior to version 1.10.5, a potential denial-of-service issue exist[...] |
To resolve this, we recommend the following approach:

1. Scan the current version of the image with trivy (https://aquasecurity.github.io/trivy), using a command like `trivy image --scanners vuln --severity CRITICAL,HIGH --timeout 60m [...image address...]`.
2. Validate that the CVEs above are detected by trivy. The provided scans were taken with a different scanner (ECR), so the first step is to confirm that trivy sees them as well.
3. Iterate to resolve the vulnerabilities. trivy can scan a local image without pushing it, which should speed up finding a resolution.
4. Test and publish the fixed version, and let us know where we can find the fixed image(s) so we can validate the fixes on our side as well.
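To carry out the validation step without eyeballing scanner output, the following added Python example (not part of this notice, and not trivy's own code) compares the CVE IDs from the table against a trivy JSON report (`trivy image -f json ...`) and re-derives each finding's severity from its NVD CVSS v3 score using the NIST bands, matching the policy stated above. It assumes trivy's JSON field names (`Results`, `Vulnerabilities`, `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`, `CVSS.nvd.V3Score`); the embedded report is a constructed sample, not real scan output.

```python
import json

# NVD's CVSS v3.x qualitative rating bands (the mapping the notice says it uses).
def cvss_to_severity(score):
    if score is None:
        return "unknown"
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    if score < 9.0:
        return "high"
    return "critical"

# CVE IDs listed in the ECR table above.
EXPECTED_CVES = {
    "CVE-2023-52425", "CVE-2023-6246", "CVE-2023-6569", "CVE-2023-6779",
    "CVE-2024-0553", "CVE-2024-0565", "CVE-2024-0567", "CVE-2024-0985",
    "CVE-2024-21634",
}

def compare_report(report, expected=EXPECTED_CVES):
    """Walk a `trivy image -f json` report and return (found, missing, extra);
    found maps each detected CVE to its package, versions and both severities."""
    found = {}
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:  # key absent when clean
            nvd = vuln.get("CVSS", {}).get("nvd", {})
            found[vuln["VulnerabilityID"]] = {
                "package": vuln.get("PkgName"),
                "installed": vuln.get("InstalledVersion"),
                "fixed": vuln.get("FixedVersion") or "(no fix available)",
                "trivy_severity": vuln.get("Severity", "").lower(),
                # Re-derive severity from the NVD score instead of trusting the tool's label.
                "cvss_severity": cvss_to_severity(nvd.get("V3Score")),
            }
    return found, sorted(expected - found.keys()), sorted(found.keys() - expected)

# Constructed sample in trivy's JSON layout; versions and scores are illustrative only.
SAMPLE_REPORT = json.loads("""{"Results": [{"Target": "h2oai/tour:1.0.0", "Vulnerabilities": [
 {"VulnerabilityID": "CVE-2023-6246", "PkgName": "libc6", "InstalledVersion": "2.36",
  "FixedVersion": "2.36-EXAMPLE-FIX", "Severity": "HIGH", "CVSS": {"nvd": {"V3Score": 8.4}}},
 {"VulnerabilityID": "CVE-2024-0553", "PkgName": "libgnutls30", "InstalledVersion": "3.7.9",
  "FixedVersion": "", "Severity": "MEDIUM", "CVSS": {"nvd": {"V3Score": 7.5}}}]}]}""")

if __name__ == "__main__":
    found, missing, _extra = compare_report(SAMPLE_REPORT)
    print("seen by trivy:", {c: i["cvss_severity"] for c, i in found.items()})
    print("listed in ECR but not seen by trivy:", missing)
```

Any CVE in the "missing" list needs a second look (different package naming, a scanner gap, or an already-fixed layer) before the image is considered remediated; a finding whose trivy label and CVSS band disagree is triaged on the CVSS band.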