Hello,
We deploy our lambda functions using AWS CDK. Recently we found a few Security Hub issues which might be related to ComponentDeploymentStack--CustomCDKECRDeploymentbd-xxxxxxxxxx. The remediation says to upgrade the version. But we are not sure where we should update, since we intentionally do not use GoLang anywhere. Can you please help us?
The findings are as below:
CVE-2022-41723 - https://nvd.nist.gov/vuln/detail/CVE-2022-41723
Finding ID: arn:aws:inspector2:eu-central-1:580747714164:finding/da0e5f186961ec3c0c3a721e5b2ad597
Severity: HIGH
A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.
CVE-2022-32149 - https://nvd.nist.gov/vuln/detail/CVE-2022-32149
Finding ID: arn:aws:inspector2:eu-central-1:580747714164:finding/925519e11ff82edb5f5c29006b28f757
Severity: HIGH
An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.
CVE-2022-27664 - https://nvd.nist.gov/vuln/detail/CVE-2022-27664
Finding ID: arn:aws:inspector2:eu-central-1:580747714164:finding/3825d034cb386c027b9ea382664841b9
Severity: HIGH
In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.
CVE-2023-27561 - https://nvd.nist.gov/vuln/detail/CVE-2023-27561
Finding ID: arn:aws:inspector2:eu-central-1:580747714164:finding/1874963ced14d94eed82b7166a61f634
Severity: HIGH
runc through 1.1.4 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linux.go. To exploit this, an attacker must be able to spawn two containers with custom volume-mount configurations, and be able to run custom images. NOTE: this issue exists because of a CVE-2019-19921 regression.
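One way to answer "which Go version is actually inside that deployment" from the defender's side, as an added example that is not code from the post, from AWS, or from the CDK project: read the build-info blob the Go linker embeds in a binary pulled out of the flagged container image, list the dependency modules it was built with (the x/net and x/text findings above are module-level), and apply the version rule quoted in the CVE-2022-27664 finding. The sample bytes, the module names in them, and the handling of only the Go 1.18+ inline build-info layout are assumptions of this example.

```python
import re

# Go linker build-info blob: 14-byte magic, pointer size, flags, padded to 32 bytes; with flag
# bit 0x02 (Go 1.18+) the version and modinfo follow as uvarint-length-prefixed strings.
BUILDINFO_MAGIC = b"\xff Go buildinf:"
MODINFO_SENTINEL = b"\x30\x77\xaf\x0c\x92\x74\x08\x02\x41\xe1\xc1\x07\xe6\xd6\x18\xe6"

def _read_bytes(buf, pos):
    n, shift = 0, 0
    while True:  # decode the uvarint length, then slice the payload
        b, pos = buf[pos], pos + 1
        n |= (b & 0x7F) << shift
        if b < 0x80:
            return buf[pos:pos + n], pos + n
        shift += 7

def go_build_info(blob):
    """Return (toolchain version, {dependency module: version}) for a Go binary, or None."""
    i = blob.find(BUILDINFO_MAGIC)
    if i < 0 or not blob[i + 15] & 0x02:  # pre-1.18 pointer layout is not handled here
        return None
    version, pos = _read_bytes(blob, i + 32)
    modinfo, _ = _read_bytes(blob, pos)
    if modinfo.startswith(MODINFO_SENTINEL) and modinfo.endswith(MODINFO_SENTINEL):
        modinfo = modinfo[16:-16]
    deps = {}
    for line in modinfo.decode("utf-8", "replace").splitlines():
        fields = line.split("\t")  # dep<TAB>module<TAB>version<TAB>sum
        if fields[0] == "dep" and len(fields) >= 3:
            deps[fields[1]] = fields[2]
    return version.decode(), deps

def affected_by_cve_2022_27664(go_version):
    """Advisory rule quoted in the finding: Go before 1.18.6, or 1.19.x before 1.19.1."""
    m = re.match(r"go(\d+)\.(\d+)(?:\.(\d+))?", go_version)
    if not m:
        return None
    ver = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    return ver[2] < 1 if ver[:2] == (1, 19) else ver < (1, 18, 6)

def _uvarint(n):  # Go's binary.PutUvarint encoding, used only to build the sample below
    out = bytearray()
    while n >= 0x80:
        out.append(n & 0x7F | 0x80)
        n >>= 7
    return bytes(out) + bytes([n])

def constructed_sample():  # fake image bytes with a Go 1.18+ build-info blob (constructed, not a real Lambda binary)
    modinfo = (MODINFO_SENTINEL + b"path\texample.com/app\nmod\texample.com/app\t(devel)\t\n"
               b"dep\tgolang.org/x/net\tv0.0.0-placeholder\th1:placeholder=\n" + MODINFO_SENTINEL)
    header = BUILDINFO_MAGIC + bytes([8, 2]) + bytes(16)
    return b"\x7fELF" + bytes(12) + header + _uvarint(8) + b"go1.18.5" + _uvarint(len(modinfo)) + modinfo
```

Run `go_build_info(open(path, "rb").read())` against the handler binary copied out of the image behind the flagged function to see which toolchain and which golang.org/x/net and golang.org/x/text versions it carries; that is what has to be rebuilt, not your own (non-Go) code.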
Which CDK version are you using?