1 Answer
So after further research, I am 95% sure that despite vulnerability scans showing that the instances are simply running nginx 1.20.0, they are in fact running release 2.amzn2.0.4 of nginx 1.20.0. The vulnerability was patched in release 2.amzn2.0.3. The problem remains getting the security scan to accept this. One solution found is detailed here - https://github.com/aws/elastic-beanstalk-roadmap/issues/194 - essentially force an install of nginx 1.20.1 (or 1.20.2).
answered 2 years ago
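The answer above hinges on a distinction many scanners miss: an Amazon Linux package can carry an upstream version of 1.20.0 while its RPM release field (2.amzn2.0.3 or later, per the answer) says the fix was backported. The following Python is an added example, not code from the question, the answer, or AWS; it implements a simplified rpm-style version comparison and shows why a check on the bare version string flags the instance while a check on the full epoch-version-release (EVR) tuple does not. The input line is what `rpm -q --qf '%{NAME} %{EPOCH} %{VERSION} %{RELEASE}\n' nginx` prints on the instance; the sample line below is constructed from the values in the answer. The same comparison applies to any RPM, openssh included.

```python
import re

# rpm splits version strings into runs of digits and runs of letters,
# ignoring the separators between them ("1.20.0-2.amzn2.0.4" -> 1,20,0,2,amzn,2,0,4).
SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version or release strings the way rpm does.
    Simplified: the '~' and '^' prefix rules of real rpm are not handled.
    Returns 1 if a is newer, -1 if b is newer, 0 if equal."""
    if a == b:
        return 0
    sa, sb = SEGMENT.findall(a), SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        x_digits, y_digits = x.isdigit(), y.isdigit()
        if x_digits != y_digits:
            # a numeric segment always sorts newer than an alphabetic one
            return 1 if x_digits else -1
        if x_digits:
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):          # longer numeric string is the bigger number
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1   # leftover segments win


def compare_evr(a: tuple, b: tuple) -> int:
    """Compare (epoch, version, release) tuples; epoch first, then version, then release."""
    ea, va, ra = a
    eb, vb, rb = b
    if int(ea) != int(eb):
        return 1 if int(ea) > int(eb) else -1
    c = rpmvercmp(va, vb)
    if c != 0:
        return c
    return rpmvercmp(ra, rb)


def parse_rpm_query(line: str) -> tuple:
    """Parse one line of `rpm -q --qf '%{NAME} %{EPOCH} %{VERSION} %{RELEASE}\\n'`.
    rpm prints '(none)' for an unset epoch, which is equivalent to epoch 0."""
    name, epoch, version, release = line.split()
    if epoch == "(none)":
        epoch = "0"
    return name, epoch, version, release


def bare_version_check(installed_version: str, first_fixed_upstream: str) -> bool:
    """What a naive scanner does: compare only the upstream version.
    Returns True if it would consider the install fixed."""
    return rpmvercmp(installed_version, first_fixed_upstream) >= 0


def release_aware_check(installed_evr: tuple, first_fixed_evr: tuple) -> bool:
    """Distribution-aware check: compare the full epoch-version-release.
    Returns True if the installed package is at or past the first fixed build."""
    return compare_evr(installed_evr, first_fixed_evr) >= 0


# Constructed sample: the rpm query output for the instance described in the answer.
SAMPLE_RPM_LINE = "nginx (none) 1.20.0 2.amzn2.0.4"

# First Amazon Linux 2 build carrying the backported fix, as stated in the answer.
FIRST_FIXED_EVR = ("0", "1.20.0", "2.amzn2.0.3")

# Upstream version in which the fix first appeared, as referenced in the answer.
FIRST_FIXED_UPSTREAM = "1.20.1"


def assess(line: str) -> dict:
    """Run both checks over one rpm query line and report the disagreement."""
    name, epoch, version, release = parse_rpm_query(line)
    return {
        "package": f"{name}-{version}-{release}",
        "bare_version_says_fixed": bare_version_check(version, FIRST_FIXED_UPSTREAM),
        "release_aware_says_fixed": release_aware_check((epoch, version, release), FIRST_FIXED_EVR),
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_RPM_LINE).items():
        print(f"{key}: {value}")
```

When the two checks disagree, the release-aware result is the one that reflects what is actually installed; the scanner finding then needs the package changelog (`rpm -q --changelog nginx`) as evidence, or the workaround from the linked issue of installing a newer upstream version so the bare version check passes too.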
This answer matches the info found here: https://github.com/aws/elastic-beanstalk-roadmap/issues/221. This is potentially very confusing. We've wasted days on this particular issue to satisfy a pen test audit (it's not clear how to update or change the nginx packages being used in the Beanstalk images).
We also have a number of issues being flagged to CVEs related to openssh. This too appears to be an Amazon-specific build of openssh, so it's currently unclear if these issues have been fixed and the pen test software is simply reporting a potential issue based on incorrectly understanding the package version that is running.