Amazonlinux2 has security vulnerability in cronie1.4.11

Question

Hi,
We are using the amazonlinux2 as base image for one of our application and this image has security vulnerability in  cronie1.4.11, so the recommended version is cronie1.5.2. I tried to update the cronie package but it says **No packages marked for update**. can anyone guide how to update to the recommended version or can this to be upgraded in  amazonlinux2 base image itself.

Thanks,
Noor Kumar

Answer

Hello Noor Kumar,

As I understand, you are getting a security vulnerability message for `cronie1.4.11` on Amazon Linux 2, and when trying to update package to `cronie1.5.2`, you are seeing the following message:
> No packages marked for update

The last known CVE I could find was CVE-2019-9704 that was resolved in cronie1.4.11-23 that comes with Amazon Linux 2 base image.

```
# rpm -qa --changelog cronie
* Wed Feb 13 2019 Marcel Plch  - 1.4.11-23
- Make cronie restart on failure
- Resolves: rhbz#1651730
```

Therefore, please share the CVE that you are trying to mitigate. Also, could you please share whether you are using a third party scanner which is marking the package as vulnerable, and if yes, which one?

Additionally, you can also open a support case with AWS Premium Support to get immediate assistance for your specific use case.

Amazonlinux2 has security vulnerability in cronie1.4.11

Relevant content