Aws Inspector Findings - (High severity) in cloudwatch-agent go binary #667

Closed
avosper-intellaegis opened this issue Jan 12, 2023 · 1 comment

Comments

@avosper-intellaegis

After installing the cloudwatch agent into a container image using a Dockerfile from an Ubuntu-based image (from these instructions) and uploading it into AWS ECR, the Inspector service is identifying 5 High severity security issues within the installed go binary for the cloudwatch-agent:

For one of these there is a published fix, which the cloudwatch-agent utility could possibly be updated to use:

Two of these are identified as having no current published resolutions:

Two of these appear to be an issue w/ identifying the version correctly (ticket currently opened w/ AWS Support for this):

Dockerfile used to build container image uploaded to AWS ECR for Inspector scanning:

```dockerfile
FROM ubuntu:20.04

ENV DEBIAN_FRONTEND noninteractive

RUN apt -y update && \
    yes "Y" | DEBIAN_FRONTEND=noninteractive apt -y upgrade && \
    apt-get install -y ca-certificates curl && \
    rm -rf /var/lib/apt/lists/*

RUN curl -O https://s3.amazonaws.com/amazoncloudwatch-agent/debian/amd64/latest/amazon-cloudwatch-agent.deb && \
    dpkg -i -E amazon-cloudwatch-agent.deb && \
    rm -rf /tmp/* && \
    rm -rf /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-config-wizard && \
    rm -rf /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl && \
    rm -rf /opt/aws/amazon-cloudwatch-agent/bin/config-downloader

RUN apt clean all

ENV RUN_IN_CONTAINER="True"
ENTRYPOINT ["/opt/aws/amazon-cloudwatch-agent/bin/start-amazon-cloudwatch-agent"]
```

@SaxyPandaBear
Contributor

The kardianos finding is not valid. kardianos/service#289 (comment)

@khanhntd khanhntd closed this as completed Feb 7, 2023