Amazon Linux 2 - How can I know if a CVE has been patched?

Hi,

My question is - how can we see what CVEs are patched? Where is it recorded if Amazon Linux has patched a particular CVE? There is the security centre here: https://alas.aws.amazon.com/alas2.html, however, that only lists the advisories as far as I can tell - it doesn't say what's patched and what isn't. Is it the case that if an item there shows that there are new packages, we can just assume it's patched in AL? Thanks in advance for any help.

Context: We've had a pen test conducted in our Elastic Beanstalk / Amazon Linux 2 environment. It flagged some potential common vulnerabilities & exposures (CVEs) - a number of which turned out to be false positives as Amazon Linux maintains its own release of packages. We found that Nginx running in our environment was not version 1.20.0 - vulnerable to CVE-2021-23017, but was version 1.20.0, release 2.amzn.2.0.4 - which according to https://github.com/aws/elastic-beanstalk-roadmap/issues/221 , has been patched against this vulnerability. Having the same version number for each seems like a recipe for disaster. It certainly cost me a few days' time trying to look into the issue.

[ec2-user@ip-x ~]$ yum info nginx
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
207 packages excluded due to repository priority protections
Installed Packages
Name        : nginx
Arch        : aarch64
Epoch       : 1
Version     : 1.20.0
Release     : 2.amzn2.0.4
Size        : 1.7 M
Repo        : installed
From repo   : amzn2extra-nginx1

I've a number of other CVEs that I need to determine if our Elastic Beanstalk environment is potentially compromised by. If I can just look them up, it would be helpful.

OpenSSH <= 8.6 Command Injection Vulnerability CVE-2021-23017
Diffie-Hellman Ephemeral Key Exchange DoS Vulnerability (SSH, D(HE)ater) CVE-2002-20001
nginx <= 1.21.1 Information Disclosure Vulnerability CVE-2013-0337
OpenSSH 6.2 <= 8.7 Privilege Escalation Vulnerability CVE-2021-41617
OpenBSD OpenSSH <= 7.9 Multiple Vulnerabilities CVE-2018-20685, CVE-2019-6109, CVE-2019-6110, CVE-2019-6111
OpenBSD OpenSSH Information Disclosure Vulnerability (CVE-2020-14145) CVE-2020-14145
SSL/TLS: BREACH attack against HTTP compression CVE-2013-3587
OpenSSH 'auth2-gss.c' User Enumeration Vulnerability - Linux CVE-2018-15919
OpenSSH 'sftp-server' Security Bypass Vulnerability (Linux) CVE-2017-15906
OpenSSH < 7.8 User Enumeration Vulnerability - Linux CVE-2018-15473
OpenSSH Information Disclosure Vulnerability (CVE-2016-20012) CVE-2016-20012
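The version-vs-release confusion described above is exactly what an RPM changelog resolves: Amazon Linux backports fixes without bumping the upstream Version, so the Release tag and the changelog, not the Version, carry the patch information. The following shell snippet is an added example (not from the asker or from AWS); it checks whether a CVE id is mentioned in a package's changelog and wraps the live `rpm -q --changelog` and `yum updateinfo` queries that you would run on the instance. The `SAMPLE_CHANGELOG` text is constructed for offline demonstration and is not a real Amazon Linux changelog entry.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Decide whether a CVE fix is recorded for an installed package on an
# RPM-based host such as Amazon Linux 2, using the package changelog
# rather than the upstream version number.

# changelog_mentions_cve CVE-ID   (changelog text on stdin)
# Prints "patched" and returns 0 if the id appears as a whole word,
# prints "unknown" and returns 1 otherwise. "unknown" is not "vulnerable":
# a fix may have landed without the CVE id being named in the changelog.
changelog_mentions_cve() {
    cve="$1"
    if grep -qiwF -- "$cve" ; then
        echo patched
        return 0
    fi
    echo unknown
    return 1
}

# check_installed_package PKG CVE-ID
# Runs the real query on an RPM host; not callable offline.
check_installed_package() {
    rpm -q --changelog "$1" | changelog_mentions_cve "$2"
}

# list_advisory_for_cve CVE-ID
# Asks yum's update metadata (the ALAS feed) which advisory, if any,
# covers the CVE; this only knows about packages from the yum repos.
list_advisory_for_cve() {
    yum updateinfo info "$1"
}

# Constructed sample changelog, modelled on the rpm -q --changelog layout.
# The date, maintainer address and wording are placeholders, not real data.
SAMPLE_CHANGELOG='* Tue Jun 01 2021 Example Maintainer <maintainer@example.invalid> - 1:1.20.0-2.amzn2.0.4
- Constructed sample entry: backport fix for CVE-2021-23017
* Mon May 03 2021 Example Maintainer <maintainer@example.invalid> - 1:1.20.0-1.amzn2
- Constructed sample entry: update to upstream 1.20.0'

# report_cves PKG CVE-ID...   (changelog text on stdin)
# Prints one line per CVE id: "<cve> <patched|unknown>".
report_cves() {
    pkg="$1"; shift
    text=$(cat)
    for cve in "$@"; do
        status=$(printf '%s\n' "$text" | changelog_mentions_cve "$cve") || true
        echo "$pkg $cve $status"
    done
}

# Offline demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_CHANGELOG" | report_cves nginx CVE-2021-23017 CVE-2013-0337
```

On a live instance replace the sample with `rpm -q --changelog nginx | report_cves nginx CVE-2021-23017`, and cross-check with `yum updateinfo list cves` (all CVEs with available updates) or `list_advisory_for_cve CVE-2021-23017`. Two caveats: a package installed from an extras topic (such as the `amzn2extra-nginx1` repo in the question) is covered by that topic's own metadata, and a scanner that keys only on the upstream Version string will keep reporting the backported build as vulnerable regardless of what these checks show.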

1 Answer

This is not a direct way to know which CVEs are patched in your instance, but you can go through the steps below to check:

  1. Use Amazon Inspector to identify the CVE issues in your instance. There is a new Amazon Inspector that is faster in identifying these, but personally I still currently prefer the Amazon Inspector Classic as I know how to specify which particular EC2 instance I want to include in the security assessment (by using Tags).

  2. Once Amazon Inspector is done with the assessment, check the CVE findings in your instance.

  3. Compare the CVE findings of your instance against the CVE rules package included in Amazon Inspector. [Note: The rules package in the link is for Amazon Inspector Classic.]

joahna
answered 2 years ago
  • Thanks for the response - I'll take a look.
