gianlucabonetti
Hello, our automated container test tool also detected a vulnerable SnakeYAML library inside the latest images. I did some image inspection and I found that inside the Docker image...
Upon further analysis I can say it is not a Localstack fault or issue. Localstack uses Dynamodb_local from AWS. The official Dynamodb_local distribution can be downloaded from: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/DynamoDBLocal.DownloadingAndRunning.html As of today...
The issue has been reported to AWS for security review of the Dynamodb_local bundles.
Hello, I am afraid it is not fixed. I downloaded that file, which is the same as on the AWS page (sha256 875cb27dc7843d0d24263f0e1521280f9bfdf0ebf0e69fbd1b4cb00e7c8658e0). The file still contains a custom Log4j build, which...
Yes indeed, I just downloaded the tarball file (with sha256 875cb27dc7843d0d24263f0e1521280f9bfdf0ebf0e69fbd1b4cb00e7c8658e0, so it is the latest one as published on the website), but the same applies to the zip file. Inside DynamoDBLocal_lib...
Yes, I downloaded it multiple times today and they always match sha256 875cb27dc7843d0d24263f0e1521280f9bfdf0ebf0e69fbd1b4cb00e7c8658e0. Then I expanded the tarball and ran "unzip -v Log4j-core-2.x.jar". The zip file includes the same Log4j-core-2.x.jar. Thanks, Gianluca
From our analysis, Log4j-core-2.x.jar includes a build of SnakeYAML from a vulnerable version. Not sure why a folder named "do_not_import" should be there; it looks like a build pipeline problem...
do_not_import does not show a security issue, but a build quality issue, and usually low-quality builds carry security issues. The problem is *within* the do_not_import there is a...

OK, we re-inspected dynamodb_local and the SnakeYAML vulnerability is not there any more. However, dynamodb_local includes more files containing vulnerabilities, including some of high severity. This includes: - ion-java-1.5.1...
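The inspection described in this thread (verify the downloaded archive's sha256, then look inside a jar such as Log4j-core-2.x.jar for a relocated copy of another library under a folder like "do_not_import", and for further jars nested inside it) can be automated. The script below is an added example, not code from the thread, from Localstack or from AWS. The WATCHLIST component names, the constructed sample jar (with placeholder class bodies and a placeholder SnakeYAML version string) and the helper names are assumptions made for the example; the package paths are the libraries' real Java package prefixes, and the pom.properties location is the standard Maven layout.

```python
import hashlib
import hmac
import io
import re
import zipfile

# Package prefixes whose presence in a jar means a copy of that library is bundled,
# possibly relocated under an extra folder such as "do_not_import/". Component
# labels are illustrative; the prefixes are the real Java package paths.
WATCHLIST = {
    "org/yaml/snakeyaml/": "SnakeYAML",
    "org/apache/logging/log4j/core/": "Log4j core",
    "com/amazon/ion/": "ion-java",
}

# Maven metadata that shaded/fat jars sometimes retain; it names the exact version.
POM_PROPS = re.compile(r"META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")


def sha256_hex(data: bytes) -> str:
    """Digest of a downloaded archive, to compare with the published checksum."""
    return hashlib.sha256(data).hexdigest()


def verify_checksum(data: bytes, expected_hex: str) -> bool:
    """Constant-time comparison of the computed digest with the expected one."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.lower())


def inventory_jar(jar_bytes: bytes, path: str = "", max_depth: int = 3) -> dict:
    """Walk a jar and any jars nested in it; report bundled libraries.

    Returns {component: set(locations)}. A location is the nested-archive path
    plus the directory prefix in front of the library's package, so a relocated
    copy (e.g. under "do_not_import/") shows up separately from a normal one.
    Entries "maven:<groupId>:<artifactId>" carry the version from pom.properties.
    """
    found: dict = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.endswith(".class"):
                # Match the watchlist prefix anywhere in the path and keep the
                # relocation prefix that precedes it.
                for prefix, component in WATCHLIST.items():
                    idx = name.find(prefix)
                    if idx != -1:
                        loc = f"{path}!/{name[:idx]}" if path else name[:idx]
                        found.setdefault(component, set()).add(loc or "(root)")
            elif POM_PROPS.search(name):
                m = POM_PROPS.search(name)
                props = dict(
                    line.split("=", 1)
                    for line in zf.read(name).decode().splitlines()
                    if "=" in line and not line.startswith("#")
                )
                key = f"maven:{m.group(1)}:{m.group(2)}"
                found.setdefault(key, set()).add(props.get("version", "?"))
            elif name.endswith(".jar") and max_depth > 0:
                # Recurse into nested jars, bounded so a crafted archive cannot
                # make the scan run away.
                nested_path = f"{path}!/{name}" if path else name
                for comp, locs in inventory_jar(zf.read(name), nested_path, max_depth - 1).items():
                    found.setdefault(comp, set()).update(locs)
    return found


def build_sample_jar() -> bytes:
    """Constructed stand-in for a Log4j-core jar carrying a relocated SnakeYAML
    copy under do_not_import/ plus a nested ion-java jar. Class bodies and the
    version string are placeholders, not real build artefacts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        zf.writestr("do_not_import/org/yaml/snakeyaml/Yaml.class", b"\xca\xfe\xba\xbe")
        zf.writestr(
            "do_not_import/META-INF/maven/org.yaml/snakeyaml/pom.properties",
            "# constructed\nversion=VERSION-PLACEHOLDER\ngroupId=org.yaml\nartifactId=snakeyaml\n",
        )
        inner = io.BytesIO()
        with zipfile.ZipFile(inner, "w") as nz:
            nz.writestr("com/amazon/ion/IonSystem.class", b"\xca\xfe\xba\xbe")
        zf.writestr("lib/ion-java-1.5.1.jar", inner.getvalue())
    return buf.getvalue()


if __name__ == "__main__":
    jar = build_sample_jar()
    print("sha256", sha256_hex(jar))
    for component, locations in sorted(inventory_jar(jar).items()):
        print(f"{component:28} {sorted(locations)}")
```

Run against a real download, read the tarball or zip from disk instead of build_sample_jar(), check verify_checksum() against the checksum shown on the vendor page, and feed each jar under DynamoDBLocal_lib to inventory_jar(). A component reported at a location other than "(root)" is a relocated bundled copy that a plain filename-based scanner will miss, which is exactly the case the thread describes.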