Observability/apm-lambda-extension docker image causing vulnerabilities

SELENAAA · January 9, 2024, 9:41pm

I'm following this guide to add a nodejs apm agent to my container image based function; however, the observability/apm-lambda-extension is causing some scan image vulnerabilities with the package go. I'm searching for the list of versions for observability/apm-lambda-extension but cannot find anything in https://www.docker.elastic.co/. Could someone please help? Thanks

trentm · January 10, 2024, 1:14am

@SELENAAA The list of releases of the Elastic APM Lambda Extension is here: Releases · elastic/apm-aws-lambda · GitHub

I'm sure I am missing it, but I don't immediately see what part of the docs led you to using the published Docker images for the extension rather than the Lambda layer published to AWS.

Here is one of the pages on www.docker.elastic.co for the Lambda extension:
observability/apm-lambda-extension-x86_64 | Docker @ Elastic
There is one for each architecture. ... and I believe one just needs to know that URL, because it doesn't show up in search results on that site, unfortunately.

SELENAAA · January 10, 2024, 8:37pm

Hi, I tried the different versions of the apm lambda extension image, still seeing the scan image vulnerabilities with package go, I see CVE-2023-39325 when pulling the image, could you please take a look? Thanks

trentm · January 10, 2024, 9:07pm

@SELENAAA Can you show what tool or command is doing that scan? What is it that is showing the vulnerability? What image version is it checking? etc. More details would help us start looking.

trentm · January 10, 2024, 9:15pm

Okay, I believe I see what you mean:

% docker scout cves docker.elastic.co/observability/apm-lambda-extension-x86_64:latest
...
   0C     1H     2M     0L  stdlib 1.21.1
pkg:golang/stdlib@1.21.1

    ✗ HIGH CVE-2023-39325
      https://scout.docker.com/v/CVE-2023-39325
      Affected range : >=1.21.0-0
                     : <1.21.3
      Fixed version  : 1.21.3
...

SELENAAA · January 10, 2024, 9:20pm

yeah I'm using the latest version of apm lambda extension and the vulnerabilities that I'm seeing are the following:
CVE-2023-39323 | 9.80 | critical | Binary | go | 1.21.1 | fixed in 1.21.2, 1.20.9 | 13 Oct 23 20:00 UTC | NVD - CVE-2023-39323 |
CVE-2023-39325 | 7.50 | high | Binary | go | 1.21.1 | fixed in 1.21.3, 1.20.10 | 31 Oct 23 22:06 UTC | NVD - CVE-2023-39325 |
CVE-2023-45283 | 7.50 | high | Binary | go | 1.21.1 | fixed in 1.21.4, 1.20.11 | 15 Dec 23 11:55 UTC | NVD - CVE-2023-45283 |
CVE-2023-45285 | 7.50 | high | Binary | go | 1.21.1 | fixed in 1.21.5, 1.20.12 | 12 Dec 23 19:40 UTC | NVD - CVE-2023-45285 |

trentm · January 11, 2024, 5:58pm

@SELENAAA Thanks. We have an update here: build: bump docker image deps by trentm · Pull Request #431 · elastic/apm-aws-lambda · GitHub and will have a new 1.5.2 release out soon that should clear up the docker scout warnings.

SELENAAA · January 11, 2024, 6:27pm

Awesome, thank you so much for your help!

SELENAAA · January 11, 2024, 9:31pm

Just to provide a quick update, I tested the version 1.5.2, no longer seeing the docker vulnerabilities, again thanks for the help!

system · February 8, 2024, 9:31pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.