False positive from Inspector2

Question

Hello,

Inspector2 is reporting that a freshly-built EC2 instance is vulnerable to [CVE-2021-44731](https://nvd.nist.gov/vuln/detail/CVE-2021-44731) (affecting `snap` v2.54.2), but our installed version is 2.54.3:

```
$ snap --version
snap    2.54.3+18.04.2ubuntu0.1
snapd   2.54.3+18.04.2ubuntu0.1
series  16
ubuntu  18.04
kernel  5.4.0-1066-aws
```

I haven't found any other versions of `snap` on the instance. Any idea what would cause this?

Thanks in advance,
Eugene

Answer

We are on the Basic Support Plan, unfortunately. I spent a couple hours looking into this today, and still believe Inspector2 is misreporting. Here's an excerpt from the finding:

```
    ...
    "vulnerabilityId": "CVE-2021-44731",
    "vulnerablePackages": [
      {
        "arch": "ALL",
        "epoch": 0,
        "name": "snapd",
        "packageManager": "OS",
        "version": "2.54.3"
      }
    ],
    ...

```

And from [CVE-2021-44731](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44731):

> Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1

I'd rather not suppress this finding. Does anyone have any other suggestions?

Answer

Please create a support [case](https://docs.aws.amazon.com/awssupport/latest/user/case-management.html#creating-a-support-case) providing details for the AWS support team to investigate and provide guidance on this.

Thanks.

False positive from Inspector2

相關內容