Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CVE-2024-2236 (MEDIUM): detected in Lambda Docker Images. #202

Open
the-lambda-watchdog opened this issue Oct 17, 2024 · 0 comments
Open

CVE-2024-2236 (MEDIUM): detected in Lambda Docker Images. #202

the-lambda-watchdog opened this issue Oct 17, 2024 · 0 comments

Comments

@the-lambda-watchdog
Copy link

CVE Details

CVE ID Severity Affected Package Installed Version Fixed Version Date Published Date of Scan
CVE-2024-2236 MEDIUM libgcrypt 1.10.2-1.amzn2023.0.1 1.10.2-1.amzn2023.0.2 2024-03-06T22:15:57.977Z 2024-10-16T10:18:17.557075642Z

Affected Docker Images

Image Name SHA
public.ecr.aws/lambda/provided:latest public.ecr.aws/lambda/provided@sha256:a78429f0c43c54b6fde88a6e49e3b1e14502e65d58133ac8e17fcfe5a74d4f3f
public.ecr.aws/lambda/provided:al2023 public.ecr.aws/lambda/provided@sha256:a78429f0c43c54b6fde88a6e49e3b1e14502e65d58133ac8e17fcfe5a74d4f3f
public.ecr.aws/lambda/python:latest public.ecr.aws/lambda/python@sha256:e0eed1c4a447cfadac34369181090b9d5616d52f385959e08c4e8f942a668a5d
public.ecr.aws/lambda/python:3.12 public.ecr.aws/lambda/python@sha256:e0eed1c4a447cfadac34369181090b9d5616d52f385959e08c4e8f942a668a5d
public.ecr.aws/lambda/nodejs:latest public.ecr.aws/lambda/nodejs@sha256:d846b18af23fe50dcf2d47af95892a71ac59df71a40b662bfef75a9e78e1cc30
public.ecr.aws/lambda/nodejs:20 public.ecr.aws/lambda/nodejs@sha256:d846b18af23fe50dcf2d47af95892a71ac59df71a40b662bfef75a9e78e1cc30
public.ecr.aws/lambda/java:latest public.ecr.aws/lambda/java@sha256:0959dc1da644c0e48615fb6729ca7b70b7f374dda131677ca646033a93bc6d2d
public.ecr.aws/lambda/java:21 public.ecr.aws/lambda/java@sha256:0959dc1da644c0e48615fb6729ca7b70b7f374dda131677ca646033a93bc6d2d
public.ecr.aws/lambda/dotnet:latest public.ecr.aws/lambda/dotnet@sha256:a6bad2e63b950dce59cc1bd1802211756281c6e975d6c6580ce0a94bb0c4215e
public.ecr.aws/lambda/dotnet:8 public.ecr.aws/lambda/dotnet@sha256:a6bad2e63b950dce59cc1bd1802211756281c6e975d6c6580ce0a94bb0c4215e
public.ecr.aws/lambda/ruby:latest public.ecr.aws/lambda/ruby@sha256:a84fe02daf2dd291c6361f2961820f2db08068504d8e4d95b5d8a6637b93c022
public.ecr.aws/lambda/ruby:3.3 public.ecr.aws/lambda/ruby@sha256:a84fe02daf2dd291c6361f2961820f2db08068504d8e4d95b5d8a6637b93c022

Description

A timing-based side-channel flaw was found in libgcrypt's RSA implementation. This issue may allow a remote attacker to initiate a Bleichenbacher-style attack, which can lead to the decryption of RSA ciphertexts.

Remediation Steps

  • Update the affected package libgcrypt from version 1.10.2-1.amzn2023.0.1 to 1.10.2-1.amzn2023.0.2.

About this issue

  • This issue may not contain all the information about the CVE nor the images it affects.
  • This issue will not be updated with new information and the list of affected images may have changed since the creation of this issue.
  • For more, visit Lambda Watchdog.
  • This issue was created automatically by Lambda Watchdog.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@the-lambda-watchdog