ALAS2-2021-1731 #90
Comments
hi, @codingtim,
From 17.0.1.12-1 to 1:17.0.1+12-3.amzn2.1, we added the hotpatcher as a dependency.

hi, @codingtim Meanwhile, we are working on a solution for this.
@navyxliu I understand that the release will take some time. We will wait for now with our production release. If we need to hotfix something we will look into disabling the quality gate. Thank you for your swift responses.
@codingtim we suggest that for now you can proceed with the Corretto image assuming you have either fixed any lingering log4j issue in your code, or can apply the hotpatch directly. We decided previously not to include the hotpatch in the base corretto image, and will work on what our path forward is. Does this unblock you?
@yishaigalatzer I understand that we could safely proceed with the Corretto base image; we do not use log4j in our images. However, our organization's security architects do not allow us to deploy to production if the ECR image scan shows critical vulnerabilities. Applying (installing) the hotpatch directly does not solve the ECR image scan critical vulnerability. The corretto package will still come up as a vulnerability because the version is flagged to contain the CVE. I can understand from your perspective that the hotpatch is not needed inside the docker image. However, it is weird, and blocking us, that the official docker Corretto image is flagged by ECR image scan with a critical vulnerability.
@codingtim We try very hard to deliver an exceptional customer experience, and we realize that this is causing an issue for you. We apologize for this inconvenience. I just wanted to thank you for reporting the issue and let you know what we're doing. As a result of the efforts that took place responding to the log4j CVEs over the last couple of weeks, the issue you identified in this thread arose. It was an unintended side effect of trying to deliver the best possible customer experience to our AL2 customers. In doing so, as you already know, the ECR image scan reported (an erroneous) alarm for AL2/Corretto Docker images. We will post a notice under the Security section of the github ECR home page shortly to help any other users that may be impacted by the same issue. We are scheduled to deliver our quarterly Corretto release in January, and when that release is posted to our repository its version number will satisfy the ECR image scan, and this issue will be resolved (the ECR image scan will no longer report an error). Thank you, @codingtim, for bringing this issue to our attention. We very much appreciate it.
This issue is resolved with the January release.
Hi,
The al2 images currently use corretto version 17.0.1.12-1 from https://yum.corretto.aws/corretto.repo
This version has a critical security issue https://alas.aws.amazon.com/AL2/ALAS-2021-1731.html
Core al2 repo contains a fixed version 1:17.0.1+12-3.amzn2.1
Our ECR repo scan reports the ALAS2-2021-1731, resulting in deploy failures (our quality gate disallows deploying images with critical issues).
Would it be possible to use the "-3" version of the package so the security issue is no longer present?
It will be necessary to first get the updated package in the dedicated corretto repo https://yum.corretto.aws/corretto.repo
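The scanner finding above comes down to an RPM version comparison: the installed package EVR (17.0.1.12-1, epoch 0) sorts below the fixed EVR (1:17.0.1+12-3.amzn2.1) because of the epoch bump, even though the version segments compare equal. This added example (not code from the thread, Corretto or Amazon) reimplements rpm's segment-wise version ordering in Python so an image build can assert the installed EVR is at or above the advisory's fixed EVR; tilde/caret pre-release markers are omitted, and the `rpm -q` package name is a placeholder.

```python
import re

# rpm splits a version string on any non-alphanumeric separator ('.', '+', '-', ':')
# into runs of digits and runs of letters, then compares run by run.
_SEG = re.compile(r"(\d+|[A-Za-z]+)")


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 like rpm's rpmvercmp (tilde/caret handling omitted)."""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric run always beats an alpha run
        if x.isdigit():
            x, y = x.lstrip("0"), y.lstrip("0")  # numeric compare: longer (sans zeros) is bigger
            if len(x) != len(y):
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1  # same length digits or letters: plain string order
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1  # whoever has segments left over is newer


def parse_evr(evr: str):
    """Split '[epoch:]version[-release]'; a missing or '(none)' epoch counts as 0."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    if epoch in ("", "(none)"):
        epoch = "0"
    version, sep, release = rest.rpartition("-")
    if not sep:
        version, release = rest, ""
    return epoch, version, release


def evrcmp(a: str, b: str) -> int:
    """Compare two EVR strings: epoch first, then version, then release."""
    for x, y in zip(parse_evr(a), parse_evr(b)):
        c = rpmvercmp(x, y)
        if c:
            return c
    return 0


def is_fixed(installed: str, fixed: str) -> bool:
    """True when the installed EVR is at or above the advisory's fixed EVR."""
    return evrcmp(installed, fixed) >= 0


if __name__ == "__main__":
    # EVRs quoted in this issue; in an image build the installed value would come from
    # rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}\n' <corretto-package-name>  (placeholder name)
    installed, fixed = "17.0.1.12-1", "1:17.0.1+12-3.amzn2.1"
    print("version segments only:", rpmvercmp("17.0.1.12", "17.0.1+12"))  # 0: equal
    print("full EVR fixed?", is_fixed(installed, fixed))                    # False: epoch 0 < 1
```

The version segments alone compare equal, so it is the epoch in 1:17.0.1+12-3.amzn2.1 that makes the scanner treat 17.0.1.12-1 as older; a build gate that checks only the dotted version would miss this.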