Is nginx on Elastic Beanstalk vulnerable to 1-byte memory overwrite?
We are working with a cybersecurity group to improve our overall cybersecurity on our applications. They have identified a possible problem on our Elastic Beanstalk environments. Even though they are up-to-date as far as platform version goes on a currently supported platform (Ruby 2.7 Linux 2 with the latest version), they appear to run nginx 1.20.0. nginx 1.20.1 fixes the security vulnerability in question.
Is there a reasonable way for us to force usage of nginx 1.20.2? Absent that, any suggestions on how to remediate this issue?
So after further research, I am 95% sure that despite vulnerability scans showing that the instances are simply running nginx 1.20.0, they are in fact running release 2.amzn2.0.4 of nginx 1.20.0. The vulnerability was patched in release 2.amzn2.0.3. The problem remains getting the security scan to accept this. One solution found is detailed here - https://github.com/aws/elastic-beanstalk-roadmap/issues/194 - essentially force an install of nginx 1.20.1 (or 1.20.2).
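As an added example (not part of the original post), a small Python check of the point made in the update above: decide from the installed package string reported by `rpm -q nginx`, rather than from the `Server` banner a scanner sees, whether the Amazon Linux 2 backport is present. The fixed package release 1.20.0-2.amzn2.0.3 and the upstream fix 1.20.1 are taken from the post; the sample package strings and banners are constructed, and the version comparison is a simplified rpmvercmp.

```python
import re

# From the post: the backported fix shipped in release 2.amzn2.0.3 of
# nginx 1.20.0 on Amazon Linux 2; upstream fixed it in 1.20.1.
FIXED_AL2 = ("1.20.0", "2.amzn2.0.3")
FIXED_UPSTREAM = "1.20.1"

def _segments(s):
    # rpmvercmp-style tokenisation: alternating numeric and alphabetic runs
    return re.findall(r"\d+|[A-Za-z]+", s)

def vercmp(a, b):
    """Compare two RPM version or release strings: -1, 0 or 1 (simplified rpmvercmp)."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return (int(x) > int(y)) - (int(x) < int(y))
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # numeric segment sorts newer than alpha
        elif x != y:
            return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def parse_rpm_nevra(nevra):
    """'nginx-1.20.0-2.amzn2.0.4.x86_64' -> ('nginx', '1.20.0', '2.amzn2.0.4')."""
    m = re.fullmatch(r"(.+)-([^-]+)-([^-]+)\.(x86_64|aarch64|noarch)", nevra)
    if not m:
        raise ValueError(f"unexpected rpm -q output: {nevra!r}")
    return m.group(1), m.group(2), m.group(3)

def is_patched(nevra):
    """True if the installed package carries the fix (upstream or AL2 backport)."""
    name, ver, rel = parse_rpm_nevra(nevra)
    if name != "nginx":
        raise ValueError(f"not an nginx package: {name!r}")
    if vercmp(ver, FIXED_UPSTREAM) >= 0:
        return True
    if ver == FIXED_AL2[0] and vercmp(rel, FIXED_AL2[1]) >= 0:
        return True
    return False

def banner_vulnerable(server_header):
    """What a banner-only scanner concludes from e.g. 'nginx/1.20.0' (ignores backports)."""
    m = re.fullmatch(r"nginx/(\S+)", server_header.strip())
    if not m:
        raise ValueError(f"unexpected Server header: {server_header!r}")
    return vercmp(m.group(1), FIXED_UPSTREAM) < 0

if __name__ == "__main__":
    # Constructed sample: the banner flags it, the package release shows it is patched.
    print(banner_vulnerable("nginx/1.20.0"), is_patched("nginx-1.20.0-2.amzn2.0.4.x86_64"))
```

Run `rpm -q nginx` on the instance and feed the result to `is_patched` to reconcile the scanner finding with the package actually installed.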