Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CVE-2024-41996 (MEDIUM): detected in Lambda Docker Images. #203

Open
the-lambda-watchdog opened this issue Oct 17, 2024 · 0 comments
Open

CVE-2024-41996 (MEDIUM): detected in Lambda Docker Images. #203

the-lambda-watchdog opened this issue Oct 17, 2024 · 0 comments

Comments

@the-lambda-watchdog
Copy link

CVE Details

CVE ID Severity Affected Package Installed Version Fixed Version Date Published Date of Scan
CVE-2024-41996 MEDIUM openssl-snapsafe-libs 1:3.0.8-1.amzn2023.0.14 1:3.0.8-1.amzn2023.0.16 2024-08-26T06:15:04.603Z 2024-10-16T10:18:17.557075642Z

Affected Docker Images

Image Name SHA
public.ecr.aws/lambda/provided:latest public.ecr.aws/lambda/provided@sha256:a78429f0c43c54b6fde88a6e49e3b1e14502e65d58133ac8e17fcfe5a74d4f3f
public.ecr.aws/lambda/provided:al2023 public.ecr.aws/lambda/provided@sha256:a78429f0c43c54b6fde88a6e49e3b1e14502e65d58133ac8e17fcfe5a74d4f3f
public.ecr.aws/lambda/python:latest public.ecr.aws/lambda/python@sha256:e0eed1c4a447cfadac34369181090b9d5616d52f385959e08c4e8f942a668a5d
public.ecr.aws/lambda/python:3.12 public.ecr.aws/lambda/python@sha256:e0eed1c4a447cfadac34369181090b9d5616d52f385959e08c4e8f942a668a5d
public.ecr.aws/lambda/nodejs:latest public.ecr.aws/lambda/nodejs@sha256:d846b18af23fe50dcf2d47af95892a71ac59df71a40b662bfef75a9e78e1cc30
public.ecr.aws/lambda/nodejs:20 public.ecr.aws/lambda/nodejs@sha256:d846b18af23fe50dcf2d47af95892a71ac59df71a40b662bfef75a9e78e1cc30
public.ecr.aws/lambda/java:latest public.ecr.aws/lambda/java@sha256:0959dc1da644c0e48615fb6729ca7b70b7f374dda131677ca646033a93bc6d2d
public.ecr.aws/lambda/java:21 public.ecr.aws/lambda/java@sha256:0959dc1da644c0e48615fb6729ca7b70b7f374dda131677ca646033a93bc6d2d
public.ecr.aws/lambda/dotnet:latest public.ecr.aws/lambda/dotnet@sha256:a6bad2e63b950dce59cc1bd1802211756281c6e975d6c6580ce0a94bb0c4215e
public.ecr.aws/lambda/dotnet:8 public.ecr.aws/lambda/dotnet@sha256:a6bad2e63b950dce59cc1bd1802211756281c6e975d6c6580ce0a94bb0c4215e
public.ecr.aws/lambda/ruby:latest public.ecr.aws/lambda/ruby@sha256:a84fe02daf2dd291c6361f2961820f2db08068504d8e4d95b5d8a6637b93c022
public.ecr.aws/lambda/ruby:3.3 public.ecr.aws/lambda/ruby@sha256:a84fe02daf2dd291c6361f2961820f2db08068504d8e4d95b5d8a6637b93c022

Description

Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.

Remediation Steps

  • Update the affected package openssl-snapsafe-libs from version 1:3.0.8-1.amzn2023.0.14 to 1:3.0.8-1.amzn2023.0.16.

About this issue

  • This issue may not contain all the information about the CVE nor the images it affects.
  • This issue will not be updated with new information and the list of affected images may have changed since the creation of this issue.
  • For more, visit Lambda Watchdog.
  • This issue was created automatically by Lambda Watchdog.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@the-lambda-watchdog