I have an Ubuntu 22.04 LTS EC2 instance with security patches and Inspector2 enabled.
Inspector finds several vulnerabilities related to the outdated package libopenexr25.
Facts:
- The remediation provided does not update anything.
- The existing package is the one that the finding says is vulnerable.
- The fixed package does not exist in the distribution.
- The linked Ubuntu CVE page says Ubuntu 22 is not vulnerable (https://ubuntu.com/security/CVE-2021-26260).
How am I supposed to fix this? Is it really a vulnerability or a failure in the Inspector rules? When do the vulnerabilities in Inspector get updated?
This is the finding dump, redacted:
{
  "awsAccountId": "*****************************",
  "description": " An integer overflow could occur when OpenEXR processes a crafted file on systems where size_t < 64 bits. This could cause an invalid bytesPerLine and maxBytesPerLine value, which could lead to problems with application stability or lead to other attack paths.",
  "epss": {
    "score": 0.00056
  },
  "exploitAvailable": "NO",
  "findingArn": "arn:aws:inspector2:****************************************+",
  "firstObservedAt": "2023-02-03T12:39:25.708Z",
  "fixAvailable": "YES",
  "lastObservedAt": "2023-07-03T07:04:32.694Z",
  "packageVulnerabilityDetails": {
    "cvss": [
      {
        "baseScore": 5.5,
        "scoringVector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
        "source": "NVD",
        "version": "3.1"
      },
      {
        "baseScore": 4.3,
        "scoringVector": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
        "source": "NVD",
        "version": "2.0"
      }
    ],
    "referenceUrls": [
      "https://ubuntu.com/security/notices/USN-5620-1",
      "https://ubuntu.com/security/notices/USN-5144-1",
      "https://access.redhat.com/security/cve/CVE-2021-3933",
      "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3933"
    ],
    "relatedVulnerabilities": [],
    "source": "UBUNTU_CVE",
    "sourceUrl": "https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-3933.html",
    "vendorCreatedAt": "2022-03-25T19:15:00.000Z",
    "vendorSeverity": "medium",
    "vulnerabilityId": "CVE-2021-3933",
    "vulnerablePackages": [
      {
        "arch": "X86_64",
        "epoch": 0,
        "fixedInVersion": "0:2.5.7-1ubuntu0.1~esm1",
        "name": "libopenexr25",
        "packageManager": "OS",
        "release": "1",
        "remediation": "apt update && apt install --only-upgrade libopenexr25",
        "version": "2.5.7"
      }
    ]
  },
  "remediation": {
    "recommendation": {
      "text": "None Provided"
    }
  },
  "resources": [
    {
      "details": {
        "awsEc2Instance": {
          "iamInstanceProfileArn": "arn:aws:iam:*************************************",
          "imageId": "ami-************************",
          "ipV4Addresses": [
            "*********",
            "****************"
          ],
          "ipV6Addresses": [],
          "keyName": "id_************************",
          "launchedAt": "2023-02-03T12:07:26.000Z",
          "platform": "UBUNTU_22_04",
          "subnetId": "subnet-*********************",
          "type": "t3.medium",
          "vpcId": "vpc-**********************"
        }
      },
      "id": "i-**************************************",
      "partition": "aws",
      "region": "eu-west-1",
      "tags": {},
      "type": "AWS_EC2_INSTANCE"
    }
  ],
  "severity": "MEDIUM",
  "status": "ACTIVE",
  "title": "CVE-2021-3933 - libopenexr25",
  "type": "PACKAGE_VULNERABILITY",
  "updatedAt": "2023-07-03T07:04:32.694Z"
}
But is the finding wrong, or am I missing something? I don't want to sweep it under the carpet without a valid reason.