rstudio / rstudio-docker-products

Docker images for RStudio Professional Products
https://hub.docker.com/u/rstudio
MIT License

RStudio Workbench CVEs #681

Open securian-bpmcd opened 10 months ago

securian-bpmcd commented 10 months ago

The below CVEs affect Go 1.19. These were found by our Prisma Cloud Scan tool while scanning the current (12/27/2023) "rstudio/r-session-complete:jammy-2023.03.2" image.

- CVE-2023-39323 (Go)
- CVE-2023-29405 (Go)
- CVE-2023-29404 (Go)
- CVE-2023-29402 (Go)
- CVE-2023-24540 (Go)
- CVE-2023-24538 (Go)
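A scanner report like the one above says which CVEs match a Go toolchain version, but not which binaries in the image were actually built with that toolchain. The program below is an added example, not code from this repository or from RStudio: it walks an extracted image root filesystem (for instance the output of `docker export` on a container created from the image, untarred into a directory), reads the build metadata that the Go linker embeds into every Go binary via the standard `debug/buildinfo` package, and lists binaries whose toolchain is older than a threshold you pass in. The threshold `go1.20.5` in `main` is a placeholder; substitute the fixed release for the CVE you are checking, taken from the corresponding Go advisory, because this example does not hard-code any CVE-to-version mapping.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// GoBinary describes one Go-built executable found in a filesystem tree.
type GoBinary struct {
	Path      string // file path under the scanned root
	GoVersion string // toolchain that built it, e.g. "go1.19.5"
	Module    string // main module path, "" when built outside a module
}

// ScanFile reads the Go build metadata embedded in a single binary.
// Files that are not Go binaries (or carry no build info) return an error.
func ScanFile(path string) (GoBinary, error) {
	info, err := buildinfo.ReadFile(path)
	if err != nil {
		return GoBinary{}, err
	}
	return GoBinary{Path: path, GoVersion: info.GoVersion, Module: info.Main.Path}, nil
}

// ScanTree walks root (an extracted image rootfs, for example) and returns
// every Go binary found. Non-Go files and unreadable entries are skipped.
func ScanTree(root string) ([]GoBinary, error) {
	var found []GoBinary
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			if path == root {
				return err // a missing or unreadable root is fatal
			}
			return nil // anything else unreadable is just skipped
		}
		if !d.Type().IsRegular() {
			return nil
		}
		bin, err := ScanFile(path)
		if err != nil {
			return nil
		}
		found = append(found, bin)
		return nil
	})
	return found, err
}

// parseGoVersion turns "go1.19.5" into [1 19 5]. Missing components are
// zero, and a prerelease suffix such as "go1.21rc2" is cut off at the suffix.
func parseGoVersion(v string) [3]int {
	var out [3]int
	for i, part := range strings.SplitN(strings.TrimPrefix(v, "go"), ".", 3) {
		n := 0
		for _, r := range part {
			if r < '0' || r > '9' {
				break
			}
			n = n*10 + int(r-'0')
		}
		out[i] = n
	}
	return out
}

// CompareGoVersion returns -1, 0 or 1 as a is older than, equal to, or newer than b.
func CompareGoVersion(a, b string) int {
	pa, pb := parseGoVersion(a), parseGoVersion(b)
	for i := 0; i < 3; i++ {
		if pa[i] < pb[i] {
			return -1
		}
		if pa[i] > pb[i] {
			return 1
		}
	}
	return 0
}

// OlderThan keeps only the binaries built with a toolchain older than minVersion.
func OlderThan(bins []GoBinary, minVersion string) []GoBinary {
	var out []GoBinary
	for _, b := range bins {
		if CompareGoVersion(b.GoVersion, minVersion) < 0 {
			out = append(out, b)
		}
	}
	return out
}

func main() {
	root, min := ".", "go1.20.5" // placeholder threshold; use the advisory's fixed version
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	if len(os.Args) > 2 {
		min = os.Args[2]
	}
	bins, err := ScanTree(root)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	for _, b := range bins {
		fmt.Printf("%-12s %-40s %s\n", b.GoVersion, b.Module, b.Path)
	}
	if stale := OlderThan(bins, min); len(stale) > 0 {
		fmt.Printf("%d binaries built with Go older than %s\n", len(stale), min)
		os.Exit(1)
	}
}
```

Usage: `go run . /path/to/rootfs go1.20.5`. The output distinguishes a stale Go binary that really ships in the image from a finding the scanner derived from package metadata alone, which is the first thing to establish before asking the image maintainer to rebuild.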

bschwedler commented 3 weeks ago

@securian-bpmcd Thank you for reporting these!

Do you still see these vulnerabilities in the latest image?

rstudio/r-session-complete:ubuntu2204-2024.09.0

securian-bpmcd commented 1 week ago

@bschwedler We're using RStudio on SageMaker and the most recent version that we can use to match the AWS environment is 2024.04.2

securian-bpmcd commented 1 week ago

The 2024.04.2 image scan reports the following CVEs:

- CVE-2024-24790
- CVE-2023-24540
- CVE-2023-24538

bschwedler commented 6 days ago

Ah, thanks for the added detail on where you are seeing this. AWS builds and deploys the container image running in SageMaker. It starts from the public container images defined in this repository and AWS further customizes the Workbench image to add the functionality required for SageMaker.

I also want to add a little more detail around patching and rebuilding previous versions of the container images.

We are currently routinely rebuilding the most recent version of the container images to pick up OS and package security updates.

The current repository structure makes it difficult to use the same rebuild process for previous container versions. We are working to improve the workflows as well as the visibility of our internal scan results.