Amazon Linux 2 Security Advisory: ALAS-2020-1406 stays unresolved
Denusdv opened this issue · 3 comments
Hello support team
I'm facing the following problem addressing the Amazon Linux 2 Security Advisory: ALAS-2020-1406.
I updated my dockerfile to following the Security Advisory by adding yum update openssl.
https://alas.aws.amazon.com/AL2/ALAS-2020-1406.html
Unfortunately the images scanning keeps showing me the high risk vulnerability. I simplified my docker file almost to zero custom code.
Here is my base image docker file
# ---- Base Node ----
FROM amazoncorretto AS base
# set working directory
# Create app directory
RUN yum update kernel --assumeyes
RUN yum update libarchive --assumeyes
RUN yum update openssl --assumeyes
RUN yum update sqlite --assumeyes
previously. I opened an technical assistance request on through AWS support system but was
redirected to AWS JDK team. They believe that the issue is with the base image itself. As the base image amazoncorretto may not have the required packages for update in the mirror list, it was unable find the new patch for openssl. I see the CVE mentioned has been released on 2020-03-25 21:45 Pacific.
The image build is done on my local machine
Docker engine version:
Client:
Version: 17.12.0-ce
API version: 1.35
Go version: go1.9.2
Git commit: c97c6d6
Built: Wed Dec 27 20:03:51 2017
OS/Arch: darwin/amd64
Server:
Engine:
Version: 17.12.0-ce
API version: 1.35 (minimum version 1.12)
Go version: go1.9.2
Git commit: c97c6d6
Built: Wed Dec 27 20:12:29 2017
OS/Arch: linux/amd64
Experimental: false
Hi @Denusdv ,
Thank you for opening this github issue. This repository is also owned by AWS JDK team. I will get in touch with my manager and get back to you regarding the next steps.
Thank you,
Prashanth