Observability/apm-lambda-extension docker image causing vulnerabilities

I'm following this guide to add a Node.js APM agent to my container-image-based function; however, the observability/apm-lambda-extension image is causing some image scan vulnerabilities with the package go. I'm searching for the list of versions for observability/apm-lambda-extension but cannot find anything in https://www.docker.elastic.co/. Could someone please help? Thanks

@SELENAAA The list of releases of the Elastic APM Lambda Extension is here: Releases · elastic/apm-aws-lambda · GitHub

I'm sure I am missing it, but I don't immediately see what part of the docs led you to using the published Docker images for the extension rather than the Lambda layer published to AWS.

Here is one of the pages on www.docker.elastic.co for the Lambda extension:
observability/apm-lambda-extension-x86_64 | Docker @ Elastic
There is one for each architecture. ... and I believe one just needs to know that URL, because it doesn't show up in search results on that site, unfortunately.

Hi, I tried the different versions of the APM Lambda extension image and am still seeing the image scan vulnerabilities with the package go. I see CVE-2023-39325 when pulling the image; could you please take a look? Thanks

@SELENAAA Can you show what tool or command is doing that scan? What is it that is showing the vulnerability? What image version is it checking? etc. More details would help us start looking.

Okay, I believe I see what you mean:

% docker scout cves docker.elastic.co/observability/apm-lambda-extension-x86_64:latest
...
   0C     1H     2M     0L  stdlib 1.21.1
pkg:golang/stdlib@1.21.1

    ✗ HIGH CVE-2023-39325
      https://scout.docker.com/v/CVE-2023-39325
      Affected range : >=1.21.0-0
                     : <1.21.3
      Fixed version  : 1.21.3
...

Yeah, I'm using the latest version of the APM Lambda extension, and the vulnerabilities I'm seeing are the following:
CVE-2023-39323 | 9.80 | critical | Binary | go | 1.21.1 | fixed in 1.21.2, 1.20.9 | 13 Oct 23 20:00 UTC | NVD - CVE-2023-39323 |
CVE-2023-39325 | 7.50 | high | Binary | go | 1.21.1 | fixed in 1.21.3, 1.20.10 | 31 Oct 23 22:06 UTC | NVD - CVE-2023-39325 |
CVE-2023-45283 | 7.50 | high | Binary | go | 1.21.1 | fixed in 1.21.4, 1.20.11 | 15 Dec 23 11:55 UTC | NVD - CVE-2023-45283 |
CVE-2023-45285 | 7.50 | high | Binary | go | 1.21.1 | fixed in 1.21.5, 1.20.12 | 12 Dec 23 19:40 UTC | NVD - CVE-2023-45285 |
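As an added example (not code from the thread or from the elastic/apm-aws-lambda project), the check below takes the "fixed in" columns of the four rows above as constructed inline data and reports which of those CVEs still apply to a given Go stdlib version, such as the 1.21.1 that docker scout reported. The names CVE_ROWS, is_fixed and open_cves are my own; the matching rule (a fix counts only on the same 1.21.x / 1.20.x release branch) is how the scanner's "Affected range" output above is interpreted.

```python
"""Which Go-stdlib CVEs from the scan table still apply to a given Go version.

Added example; CVE_ROWS is constructed from the rows posted in the thread.
"""
from __future__ import annotations

# (CVE id -> "fixed in" versions) exactly as listed in the posted scan rows
CVE_ROWS: dict[str, tuple[str, ...]] = {
    "CVE-2023-39323": ("1.21.2", "1.20.9"),
    "CVE-2023-39325": ("1.21.3", "1.20.10"),
    "CVE-2023-45283": ("1.21.4", "1.20.11"),
    "CVE-2023-45285": ("1.21.5", "1.20.12"),
}


def parse_version(v: str) -> tuple[int, ...]:
    """Turn 'go1.21.1' or '1.21.1' into (1, 21, 1); a missing patch level is 0."""
    parts = [int(p) for p in v.removeprefix("go").split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_fixed(version: str, fixed_in: tuple[str, ...]) -> bool:
    """A release is fixed when a fix exists on its own major.minor branch and the
    release is at or above it. A branch newer than every fixed branch (e.g. 1.22.x)
    already contains the fix; an older, unlisted branch (e.g. 1.19.x) does not."""
    ver = parse_version(version)
    for fx in fixed_in:
        fixed = parse_version(fx)
        if fixed[:2] == ver[:2]:
            return ver >= fixed
    return all(ver[:2] > parse_version(fx)[:2] for fx in fixed_in)


def open_cves(stdlib_version: str) -> list[str]:
    """CVE ids from the table that still affect the given stdlib version."""
    return [cve for cve, fixed_in in CVE_ROWS.items()
            if not is_fixed(stdlib_version, fixed_in)]


if __name__ == "__main__":
    # 1.21.1 is what the scan reported; 1.21.5 is the first 1.21.x clearing all four
    for v in ("1.21.1", "1.21.3", "1.21.5"):
        print(v, "open:", open_cves(v) or "none")
```

The version to feed in can be read from the extension binary inside the image with `go version -m <binary>`, which prints the toolchain the binary was built with.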

@SELENAAA Thanks. We have an update here: build: bump docker image deps by trentm · Pull Request #431 · elastic/apm-aws-lambda · GitHub and will have a new 1.5.2 release out soon that should clear up the docker scout warnings.


Awesome, thank you so much for your help!

Just to provide a quick update, I tested the version 1.5.2, no longer seeing the docker vulnerabilities, again thanks for the help!

