openssl/openssl:3.0.15+quic vulnerable package

[abel-workera]

Describe the bug
AWS Inspector has detected that we are using a vulnerable package in our runners images

CVE-2022-2068
CVE-2022-1292
Affected packages
Name
openssl/openssl
Installed version / Fixed version
0:3.0.15+quic / Not available
Package manager
GENERIC
File paths
/home/runner/externals/node20/include/node/openssl/archs/BSD-x86/asm/include/openssl/opensslv.h and 56 more

[davidjoliver86]

I opened a case with AWS support about this too, and they confirmed that they are aware of this issue on their end with Inspector and that these findings can in fact be safely suppressed for now. They are trying to remedy the root cause on their end but currently don't have a timeline on that.

[abel-workera]

I opened a case with AWS support about this too, and they confirmed that they are aware of this issue on their end with Inspector and that these findings can in fact be safely suppressed for now. They are trying to remedy the root cause on their end but currently don't have a timeline on that.

Hi David,

Thank you for sharing this update. I’d like to better understand how this could be an issue with Inspector itself. Are the files detected in the Docker image not actually related to a vulnerable version? Or is it possible that Inspector is incorrectly flagging them based on outdated or inaccurate criteria?

Appreciate any clarification you can share.