rust-serverless / lambda-rust

🐳 🦀 a dockerized lambda build env for rust applications
MIT License

Vulnerable base Amazon image #33

Open zamazan4ik opened 2 years ago

zamazan4ik commented 2 years ago

According to the CI, our base Amazon image has security issues: https://github.com/rust-serverless/lambda-rust/runs/4399791210?check_suite_focus=true

| Library | Vulnerability ID | Severity | Installed version | Fixed version | Title |
|---|---|---|---|---|---|
| nspr | CVE-2021-43527 | CRITICAL | 4.25.0-2.amzn2 | 4.32.0-1.amzn2 | nss: Memory corruption in decodeECorDsaSignature with DSA signatures (and RSA-PSS) (avd.aquasec.com/nvd/cve-2021-43527) |
| nss | CVE-2021-43527 | CRITICAL | 3.53.1-7.amzn2 | 3.67.0-4.amzn2.0.1 | (same) |
| nss-softokn | CVE-2021-43527 | CRITICAL | 3.53.1-6.amzn2 | 3.67.0-3.amzn2 | (same) |
| nss-softokn-freebl | CVE-2021-43527 | CRITICAL | 3.53.1-6.amzn2 | 3.67.0-3.amzn2 | (same) |
| nss-sysinit | CVE-2021-43527 | CRITICAL | 3.53.1-7.amzn2 | 3.67.0-4.amzn2.0.1 | (same) |
| nss-tools | CVE-2021-43527 | CRITICAL | 3.53.1-7.amzn2 | 3.67.0-4.amzn2.0.1 | (same) |
| nss-util | CVE-2021-43527 | CRITICAL | 3.53.1-1.amzn2 | 3.67.0-1.amzn2 | (same) |

We need to fix it somehow. Maybe we just need to wait for the fix from the AWS side and then bump our base image version. Also, we could highlight the issue to the AWS-related people.
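The question the scan table above really answers is whether each installed package has reached its fixed version, which is also the check to re-run after bumping the base image. As an added example (not code from this issue or from lambda-rust), the following script compares the installed and fixed version-release strings from the table using a simplified port of RPM's segment ordering (tilde/caret handling omitted; no epochs appear on this page). Rows with merged cells in the table share the values of the row above them.

```python
import re

# Split a version string into runs of digits or letters, as rpmvercmp() does.
_SEG = re.compile(r"(\d+|[A-Za-z]+)")


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a <, ==, > b (simplified RPM ordering)."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit():      # a numeric segment outranks an alphabetic one
            return 1
        elif y.isdigit():
            return -1
        elif x != y:           # both alphabetic: plain lexical order
            return 1 if x > y else -1
    if len(sa) != len(sb):     # equal prefix: the longer string is newer
        return 1 if len(sa) > len(sb) else -1
    return 0


def is_fixed(installed: str, fixed: str) -> bool:
    """True when installed 'version-release' is at least the fixed one."""
    iv, _, ir = installed.partition("-")
    fv, _, fr = fixed.partition("-")
    c = rpmvercmp(iv, fv) or rpmvercmp(ir, fr)
    return c >= 0


# Rows copied from the scan table in this issue: (library, installed, fixed).
SCAN_ROWS = [
    ("nspr", "4.25.0-2.amzn2", "4.32.0-1.amzn2"),
    ("nss", "3.53.1-7.amzn2", "3.67.0-4.amzn2.0.1"),
    ("nss-softokn", "3.53.1-6.amzn2", "3.67.0-3.amzn2"),
    ("nss-softokn-freebl", "3.53.1-6.amzn2", "3.67.0-3.amzn2"),
    ("nss-sysinit", "3.53.1-7.amzn2", "3.67.0-4.amzn2.0.1"),
    ("nss-tools", "3.53.1-7.amzn2", "3.67.0-4.amzn2.0.1"),
    ("nss-util", "3.53.1-1.amzn2", "3.67.0-1.amzn2"),
]


def outstanding(rows=SCAN_ROWS):
    """Libraries whose installed version is still below the fixed version."""
    return [lib for lib, inst, fix in rows if not is_fixed(inst, fix)]


if __name__ == "__main__":
    print("still vulnerable:", ", ".join(outstanding()))
```

Feed it the installed versions reported for a newer base image tag to see which packages the bump actually resolves.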

zamazan4ik commented 2 years ago

@jerusdp maybe you have some ideas?

jerusdp commented 2 years ago

@zamazan4ik The "Report an issue" link on the AWS repository is here: https://gallery.ecr.aws/lambda/provided

In the interim, amend the code to use last month's tag (al2.2021.11.08.18) instead of latest.