AWS Inspector - Failed to detect the critical vulnerability in Grafana


We were using AWS Inspector for vulnerability management, but recently we identified by scanning via 3rd part tool, that the Grafana package has a critical vulnerability and AWS Inspector didn't find it.


Is the inspector not capable of scanning 3rd party packages?

We installed it on Amazon Linux 2 via the Yum repo.

1 Answer

Inspector consumes vulnerability data feeds from numerous sources; some are general feeds (like those from NVD), and some are vendor-specific (like those from Red Hat or ALAS). These feeds tell Inspector, among other things, the following pieces of information about each vulnerability:

  • The affected package and version
  • The affected platform (OS vendor and version information; e.g., RHEL 7.x)

When Inspector does an assessment it uses the on-host package database to get a listing of every installed package on the host. It also looks at the installed OS and its version. It is then compared to those with all of the CVE data it consumes and look for matches, and those matches become findings. For the Common Vulnerabilities & Exploits (CVE) rules package, Amazon Inspector has mapped the provided CVSS Base Scoring and ALAS Severity levels which can be found here

The CVE rules package is updated regularly; this list includes the CVEs that are included in assessments runs that occur at the same time that this list is retrieved. I am able to find CVE-2021-43798 in this rules list so theoretically this shall have been detected. [ Note: You can cross verify with your region specific list as well.] However, the final finding / classification depends on customer policies and rules. Same applies to further analysis in case you have to classify the findings as Not-Actionable or False positive if your system is not impacted. If this does not help, I suggest opening a case with AWS Support to verify your configuration.

answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions