Amazonlinux2 has security vulnerability in cronie1.4.11

0

Hi, We are using the amazonlinux2 as base image for one of our application and this image has security vulnerability in cronie1.4.11, so the recommended version is cronie1.5.2. I tried to update the cronie package but it says No packages marked for update. can anyone guide how to update to the recommended version or can this to be upgraded in amazonlinux2 base image itself.

Thanks, Noor Kumar

asked 2 years ago256 views
1 Answer
0

Hello Noor Kumar,

As I understand, you are getting a security vulnerability message for cronie1.4.11 on Amazon Linux 2, and when trying to update package to cronie1.5.2, you are seeing the following message:

No packages marked for update

The last known CVE I could find was CVE-2019-9704 that was resolved in cronie1.4.11-23 that comes with Amazon Linux 2 base image.

# rpm -qa --changelog cronie
* Wed Feb 13 2019 Marcel Plch <mplch@redhat.com> - 1.4.11-23
- Make cronie restart on failure
- Resolves: rhbz#1651730

Therefore, please share the CVE that you are trying to mitigate. Also, could you please share whether you are using a third party scanner which is marking the package as vulnerable, and if yes, which one?

Additionally, you can also open a support case with AWS Premium Support to get immediate assistance for your specific use case.

AWS
SUPPORT ENGINEER
answered 2 years ago
  • Thanks Akshay for your reply.

    We are using the blackduck scan and CVE number is BDSA-2019-0866 CVE-2019-9704.

    Looks it is using cronie-anacron/1.4.11-17.el7/ppc64, how can I upgrade to 1.4.11-23 version ?

    Thanks.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions