AWS Inspector Package Vulnerability - Remediated version not present

0

AWS Inspector has surfaced a couple of high vulnerabilities related to runc and containerd on some of our EC2 instances with Amazon Linux 2 installed in the past few days, and the CVE shows the remediated version, yet the EC2 instances affected don't seem to actually have the remediated version available to install in their package repos.

Here's one of the CVEs (runc), for example:

CVE-2023-29406 - runc

Installed version: 0:1.1.7-1.amzn2.X86_64
Fixed version:     0:1.1.7-2.amzn2

$ yum list installed | grep runc
runc.x86_64                           1.1.7-1.amzn2                  @amzn2extra-docker

$ sudo yum update runc
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
amzn2-core | 3.7 kB  00:00:00
amzn2extra-docker | 3.0 kB  00:00:00
amzn2extra-kernel-5.10 | 3.0 kB  00:00:00
No packages marked for update

These vulnerabilities are 6 days old now - if the updated packages don't come soon, we'll breach our SLAs. Why are the remediated versions not available?

jasong
asked 9 months ago, 390 views
2 Answers
1
Accepted Answer

Hello,

I understand that you want to know remediation steps for the vulnerability flagged for packages runc and containerd.

I have checked your concern and could see that the package fixes for the runc and containerd vulnerabilities have not been pushed yet. I have checked with our internal team and they are actively working on pushing the latest packages soon, but I can't provide an exact ETA for the same. However, you can use the script below to fix the issue in the meantime.

# Pull containerd and runc from the aws-nitro-enclaves-cli extras repo instead of
# waiting for amzn2extra-docker. The repo is added but kept disabled, so it is only
# consulted for this single transaction via --enablerepo.
function update_containerd() {
    if ! rpm -q containerd > /dev/null; then
        echo "Will not update: containerd is not installed"
        return
    fi

    # Check if 'aws-nitro-enclaves-cli' is already enabled
    if ! grep -qri aws-nitro-enclaves-cli /etc/yum.repos.d/; then
        echo "Installing and disabling 'aws-nitro-enclaves-cli' repository"
        sudo amazon-linux-extras enable aws-nitro-enclaves-cli
        # Set enabled = 0 only inside the [amzn2extra-aws-nitro-enclaves-cli]
        # section (the range stops at the next section header). A range that
        # runs to end-of-file would also flip every extras repo listed after it.
        sudo sed -i '/^\[amzn2extra-aws-nitro-enclaves-cli\]/,/^\[/ s/^enabled.*/enabled = 0/' /etc/yum.repos.d/amzn2-extras.repo
    fi
    sudo yum -y update --enablerepo=amzn2extra-aws-nitro-enclaves-cli containerd runc
}
update_containerd

Hope this helps. Please do let me know if you have any further queries or concerns. Have a great day ahead!!

AWS
answered 9 months ago
  • Thanks - this was helpful. I'm not sure exactly what the cleanup process will be later (whether I should remove this aws-nitro-enclaves-cli entirely once the default repos catch up with this patch), but at least I believe the vulnerabilities are resolved.
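Whether the workaround actually closed the finding comes down to an RPM version comparison: Inspector prints the installed and fixed builds as epoch:version-release strings (with the architecture appended to the installed one), and the instance is remediated only when the installed EVR sorts at or above the fixed EVR. The following Python is an added example, not code from the answer above or from AWS; it is a simplified port of rpm's segment-wise compare (digits, letters and the `~` pre-release marker, the `^` rule omitted), applied to Inspector-style findings. The runc pair is taken from the question; the `runc-after-update` and containerd entries are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Added example (not from the re:Post answer): compare RPM EVR strings the way
# rpm does, so a remediation check can decide whether the installed build of
# runc/containerd is at or above the "Fixed version" Inspector reports.

_ARCH_SUFFIX = re.compile(r"\.(x86_64|aarch64|i686|noarch)$", re.IGNORECASE)
_TOKEN = re.compile(r"[0-9]+|[A-Za-z]+|~")


def parse_evr(evr: str) -> Tuple[int, str, str]:
    """Split 'epoch:version-release[.arch]' into (epoch, version, release).

    Inspector appends the architecture to the installed version
    (e.g. '0:1.1.7-1.amzn2.X86_64'); it is dropped before comparing.
    """
    evr = _ARCH_SUFFIX.sub("", evr.strip())
    epoch = 0
    if ":" in evr:
        epoch_str, evr = evr.split(":", 1)
        epoch = int(epoch_str)
    if "-" in evr:
        version, release = evr.rsplit("-", 1)
    else:
        version, release = evr, ""
    return epoch, version, release


def rpmvercmp(a: str, b: str) -> int:
    """Simplified port of rpm's rpmvercmp (assumption: covers digit runs,
    letter runs and '~'; the '^' rule is left out).

    Returns 1 if a is newer, -1 if b is newer, 0 if they compare equal.
    """
    if a == b:
        return 0
    ta, tb = _TOKEN.findall(a), _TOKEN.findall(b)
    for i in range(max(len(ta), len(tb))):
        xa = ta[i] if i < len(ta) else None
        xb = tb[i] if i < len(tb) else None
        # '~' sorts before anything, including end of string,
        # so 1.1.7~rc1 is older than 1.1.7.
        if xa == "~" or xb == "~":
            if xa != "~":
                return 1
            if xb != "~":
                return -1
            continue
        if xa is None:
            return -1  # b has more segments left, so b is newer
        if xb is None:
            return 1
        a_num, b_num = xa.isdigit(), xb.isdigit()
        if a_num != b_num:
            return 1 if a_num else -1  # a numeric segment beats an alphabetic one
        if a_num:
            if int(xa) != int(xb):
                return 1 if int(xa) > int(xb) else -1
        elif xa != xb:
            return 1 if xa > xb else -1
    return 0


def compare_evr(a: str, b: str) -> int:
    """Compare two EVR strings: epoch first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def is_remediated(installed: str, fixed: str) -> bool:
    """True when the installed EVR is at or above the fixed EVR."""
    return compare_evr(installed, fixed) >= 0


def check_findings(findings: List[Dict[str, str]]) -> Dict[str, bool]:
    """Map package label -> remediated? for a list of Inspector-style findings."""
    return {f["package"]: is_remediated(f["installed"], f["fixed"]) for f in findings}


# Constructed sample findings: the runc pair is the one from the question; the
# 'after' entry is what the box reports once the workaround has run; the
# containerd version numbers are made up for illustration.
SAMPLE_FINDINGS = [
    {"package": "runc", "installed": "0:1.1.7-1.amzn2.X86_64", "fixed": "0:1.1.7-2.amzn2"},
    {"package": "runc-after-update", "installed": "0:1.1.7-2.amzn2.x86_64", "fixed": "0:1.1.7-2.amzn2"},
    {"package": "containerd-example", "installed": "0:1.6.19-1.amzn2.0.1.x86_64", "fixed": "0:1.6.19-1.amzn2.0.3"},
]

if __name__ == "__main__":
    for pkg, ok in check_findings(SAMPLE_FINDINGS).items():
        print(f"{pkg:24s} {'remediated' if ok else 'STILL VULNERABLE'}")
```

To feed it live data instead of the constructed list, query the installed EVR on the instance with `rpm -q --qf '%{EPOCHNUM}:%{VERSION}-%{RELEASE}\n' runc` (the `EPOCHNUM` tag is assumed to be present in the rpm build on the host; older builds need `%|EPOCH?{%{EPOCH}}:{0}|` instead) and pair it with the fixed version from the finding. Running the check after the workaround, rather than trusting that `yum update` printed a new version, is what tells you the SLA clock can stop for that package.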

0

Hello, I face the same issue for runc, containerd, docker but also kernel since a few weeks on my EC2 instances. Patch Manager is not able to update those packages, nor manually with "yum update". This situation triggers many vulnerabilities detected by Amazon Inspector. I tried the remediation proposed in this post (script) but it didn't work to fix the CVEs, even if the function seems OK. Is there any workaround? Thanks for your help.

Elo
answered 6 months ago
