We just recently updated our EKS v1.24 instances to the latest baseline AMI image provided by Amazon: amazon/amazon-eks-node-1.24-v20231106
When looking at the Inspector results, it shows that there are two vulnerabilities with this image related to the Docker package (CVE-2023-39325 and CVE-2023-24540). Inspector says that there is a fix available for the package, and that we have to update the package from 0:20.10.23-1.amzn2.0.1.X86_64 up to 0:20.10.25-1.amzn2.0.3. However, when I log into the instance and try to use "Yum update docker" I am told that there are no new packages available. Even running a "yum --showduplicate list docker" shows that only version 20.10.23 is available in the available repo.
Why would the AWS Inspector screen tell me that I have to update the package, if a new package is not available in [amazon-lunix-extras] and I am unable to actually perform the update? This is ruining our security metrics, as it is showing as vulnerable but we are unable to update the AMI due to the new package version not being available.
AWS 官方已更新 1 年前