Containers based on Red Hat UBI 8 not scanned in ECR by Amazon Inspector

0

Hello,

I pushed containers based on Red Hat UBI 8, which is a subset of RHEL 8. More than that, as stated by Red Hat: "UBI is RHEL. It’s not a downstream rebuild" (source: https://developers.redhat.com/blog/2019/10/09/what-is-red-hat-universal-base-image).

Problem is: my containers are not scanned by Amazon Inspector. When I click on "See findings" in the "Vulnerabilities" column I get "Scan status: UNSUPPORTED_IMAGE". The documentation mentions RHEL 8 as being supported though: https://docs.aws.amazon.com/inspector/latest/user/supported.html

I don't know how Inspector determines the OS in use but it seems it does not properly recognize UBI as RHEL (content of '/etc/redhat-release' file on UBI is clear enough: "Red Hat Enterprise Linux release 8.5 (Ootpa)"). Any idea? Thanks

3 Answers
0
Accepted Answer

FYI I did open a case at AWS support and they were able to repro the issue. It happens that the issue can be seen when you use podman to build images. Such images, once pushed into ECR, will show "UNSUPPORTED_IMAGE" scan status.

They now have fixed that and ECR Enhanced Scanning works properly on both Docker and Podman built images.

answered 2 years ago
0

I tried to push ubi8/ubi:8.5-200 in my environment.

As a result, a scan was performed, and one vulnerability was detected.

Here is the result of referring to findings in AWS CLI.

$ aws inspector2 list-findings
{
    "findings": [
        {
            "awsAccountId": "123456789012",
            "description": "A flaw was found in the way Unicode standards are implemented in the context of development environments, which have specialized requirements for rendering text. An attacker could exploit this to deceive a human reviewer by creating a malicious patch containing well placed BiDi characters. The special handling and rendering of those characters can be then used in an attempt to hide unexpected and potentially dangerous behaviour from the reviewer.",
            "findingArn": "arn:aws:inspector2:ap-northeast-1:123456789012:finding/0b9c60a7b1ddba6e914d21aa04cf****",
            "firstObservedAt": "2021-12-23T03:06:02.647000+00:00",
            "inspectorScore": 8.5,
            "inspectorScoreDetails": {
                "adjustedCvss": {
                    "adjustments": [],
                    "cvssSource": "REDHAT_CVE",
                    "score": 8.5,
                    "scoreSource": "REDHAT_CVE",
                    "scoringVector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
                    "version": "3.1"
                }
            },
            "lastObservedAt": "2021-12-23T03:06:02.647000+00:00",
            "packageVulnerabilityDetails": {
                "cvss": [
                    {
                        "baseScore": 8.5,
                        "scoringVector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
                        "source": "REDHAT_CVE",
                        "version": "3.1"
                    },
                    {
                        "baseScore": 5.1,
                        "scoringVector": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
                        "source": "NVD",
                        "version": "2.0"
                    },
                    {
                        "baseScore": 8.3,
                        "scoringVector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
                        "source": "NVD",
                        "version": "3.1"
                    }
                ],
                "referenceUrls": [
                    "https://access.redhat.com/errata/RHSA-2021:4037",
                    "https://access.redhat.com/errata/RHSA-2021:4730",
                    "https://access.redhat.com/errata/RHSA-2021:4598",
                    "https://access.redhat.com/errata/RHSA-2021:4036",
                    "https://access.redhat.com/errata/RHSA-2021:4596",
                    "https://access.redhat.com/errata/RHSA-2021:4035",
                    "https://access.redhat.com/errata/RHSA-2021:4034",
                    "https://access.redhat.com/errata/RHSA-2021:4694",
                    "https://access.redhat.com/errata/RHSA-2021:4595",
                    "https://access.redhat.com/errata/RHSA-2021:4039",
                    "https://access.redhat.com/errata/RHSA-2021:4038",
                    "https://access.redhat.com/errata/RHSA-2021:4599",
                    "https://access.redhat.com/errata/RHSA-2021:4590",
                    "https://access.redhat.com/errata/RHSA-2021:4033",
                    "https://access.redhat.com/errata/RHSA-2021:4594",
                    "https://access.redhat.com/errata/RHSA-2021:4593",
                    "https://access.redhat.com/errata/RHSA-2021:4592",
                    "https://access.redhat.com/errata/RHSA-2021:4591",
                    "https://access.redhat.com/errata/RHSA-2021:4649",
                    "https://access.redhat.com/errata/RHSA-2021:4669",
                    "https://access.redhat.com/errata/RHSA-2021:4724",
                    "https://access.redhat.com/errata/RHSA-2021:4729",
                    "https://access.redhat.com/errata/RHSA-2021:4587",
                    "https://access.redhat.com/errata/RHSA-2021:4586",
                    "https://access.redhat.com/errata/RHSA-2021:4585",
                    "https://access.redhat.com/errata/RHSA-2021:4723",
                    "https://access.redhat.com/errata/RHSA-2021:4602",
                    "https://access.redhat.com/errata/RHSA-2021:4601",
                    "https://access.redhat.com/errata/RHSA-2021:4600",
                    "https://access.redhat.com/errata/RHSA-2021:4743",
                    "https://access.redhat.com/errata/RHSA-2021:4589",
                    "https://access.redhat.com/errata/RHSA-2021:4588"
                ],
                "relatedVulnerabilities": [],
                "source": "REDHAT_CVE",
                "sourceUrl": "https://access.redhat.com/security/cve/CVE-2021-42574",
                "vendorCreatedAt": "2021-11-01T00:00:00+00:00",
                "vendorSeverity": "Moderate",
                "vulnerabilityId": "CVE-2021-42574",
                "vulnerablePackages": [
                    {
                        "arch": "X86_64",
                        "epoch": 0,
                        "name": "libgcc",
                        "packageManager": "OS",
                        "release": "3.el8",
                        "sourceLayerHash": "sha256:ce3c6836540f978b55c511d236429e26b7a45f5a6f1204ab8d4378afaf77332f",
                        "version": "8.5.0"
                    },
                    {
                        "arch": "X86_64",
                        "epoch": 0,
                        "name": "libstdc++",
                        "packageManager": "OS",
                        "release": "3.el8",
                        "sourceLayerHash": "sha256:ce3c6836540f978b55c511d236429e26b7a45f5a6f1204ab8d4378afaf77332f",
                        "version": "8.5.0"
                    }
                ]
            },
            "remediation": {
                "recommendation": {
                    "text": "This issue can be mitigated by ensuring code commits get a proper review. All new commits can also be scanned for the presence of BiDi characters before accepting the commit."
                }
            },
            "resources": [
                {
                    "details": {
                        "awsEcrContainerImage": {
                            "architecture": "amd64",
                            "imageHash": "sha256:8ee9d7bbcfc19d383f9044316a5c5fbcbe2df6be3c97f6c7a5422527b29bdede",
                            "imageTags": [
                                "8.5-200"
                            ],
                            "platform": "RHEL_8",
                            "pushedAt": "2021-12-23T03:05:54+00:00",
                            "registry": "123456789012",
                            "repositoryName": "test/ubi8/ubi"
                        }
                    },
                    "id": "arn:aws:ecr:ap-northeast-1:123456789012:repository/test/ubi8/ubi/sha256:8ee9d7bbcfc19d383f9044316a5c5fbcbe2df6be3c97f6c7a5422527b29bdede",
                    "partition": "N/A",
                    "region": "N/A",
                    "tags": {},
                    "type": "AWS_ECR_CONTAINER_IMAGE"
                }
            ],
            "severity": "HIGH",
            "status": "ACTIVE",
            "title": "CVE-2021-42574 - libgcc, libstdc++",
            "type": "PACKAGE_VULNERABILITY",
            "updatedAt": "2021-12-23T03:06:02.647000+00:00"
        }
    ]
}
hayao-k
answered 2 years ago
0

Following what you did, I pushed the original ubi8/ubi:8.5-214: in this case ECR scanning works and no findings were reported (no CVE currently).

Then I pushed an image built using the following super simple Dockerfile:

FROM registry.access.redhat.com/ubi8/ubi:8.5-214

CMD ["/bin/bash"]

And then ECR scanning failed with "Scan status: UNSUPPORTED_IMAGE". Note that I use the AWS Console since using the CLI (aws inspector2 list-findings --filter-criteria '{"ecrImageRepositoryName": [{"comparison": "EQUALS", "value": "<your repo name>"}]}') always reports no findings.

answered 2 years ago
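The practical risk in this thread is an image that silently comes back UNSUPPORTED_IMAGE and therefore ships with zero findings rather than a clean scan. The following added example (not from the thread or from AWS) is a small pipeline gate that reads the `imageScanStatus` and `findingSeverityCounts` fields of `aws ecr describe-image-scan-findings` output and refuses to treat "not scanned" as "no vulnerabilities". The sample responses are constructed; the set of statuses that count as a completed scan (ACTIVE for enhanced scanning, COMPLETE for basic scanning) is an assumption.

```python
import json
import subprocess
from typing import Dict, List

# Constructed sample responses shaped like `aws ecr describe-image-scan-findings`
# output (only the fields this check reads; descriptions are made up).
SAMPLE_SCANNED = {
    "imageScanStatus": {"status": "ACTIVE", "description": "constructed sample"},
    "imageScanFindings": {"findingSeverityCounts": {"HIGH": 1}},
}
SAMPLE_UNSUPPORTED = {
    "imageScanStatus": {"status": "UNSUPPORTED_IMAGE", "description": "constructed sample"},
}

# Assumption: only these statuses mean Inspector actually produced results.
# Anything else (UNSUPPORTED_IMAGE as seen in the thread, pending, failed...)
# must not be read as "zero vulnerabilities".
SCANNED_STATUSES = {"ACTIVE", "COMPLETE"}


def scan_status_of(resp: Dict) -> str:
    return resp.get("imageScanStatus", {}).get("status", "UNKNOWN")


def severity_counts_of(resp: Dict) -> Dict[str, int]:
    # Empty for an unscanned image, which is exactly the case the gate catches.
    return resp.get("imageScanFindings", {}).get("findingSeverityCounts", {})


def triage(responses: Dict[str, Dict]) -> Dict[str, List[str]]:
    """Split image tags into scanned vs. unscanned; unscanned entries carry the
    raw status so the pipeline log shows why (e.g. UNSUPPORTED_IMAGE)."""
    out: Dict[str, List[str]] = {"scanned": [], "unscanned": []}
    for tag, resp in responses.items():
        status = scan_status_of(resp)
        bucket = "scanned" if status in SCANNED_STATUSES else "unscanned"
        out[bucket].append(tag if bucket == "scanned" else f"{tag}: {status}")
    return out


def fetch_scan_status(repo: str, tag: str) -> Dict:
    """Live lookup through the AWS CLI (needs ecr:DescribeImageScanFindings)."""
    cmd = ["aws", "ecr", "describe-image-scan-findings",
           "--repository-name", repo, "--image-id", f"imageTag={tag}"]
    return json.loads(subprocess.check_output(cmd))


if __name__ == "__main__":
    result = triage({"8.5-214": SAMPLE_SCANNED, "app-podman": SAMPLE_UNSUPPORTED})
    print(result)
    raise SystemExit(1 if result["unscanned"] else 0)  # fail the build if any image was not scanned
```

In a real pipeline, replace the constructed samples with `fetch_scan_status(repo, tag)` for each tag you pushed; a non-zero exit tells the build that at least one image was never scanned rather than found clean.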
