diff --git a/packages/aws/_dev/build/docs/inspector.md b/packages/aws/_dev/build/docs/inspector.md
index 02c767299f8..71bc2ce472e 100644
--- a/packages/aws/_dev/build/docs/inspector.md
+++ b/packages/aws/_dev/build/docs/inspector.md
@@ -1,15 +1,19 @@ # Inspector -The [AWS Inspector](https://docs.aws.amazon.com/inspector/) integration collects and parses data from AWS Inspector [Findings](https://docs.aws.amazon.com/inspector/v2/APIReference/API_ListFindings.html) REST APIs. +The [Amazon Inspector](https://docs.aws.amazon.com/inspector/) integration collects and parses data from Amazon Inspector [Findings](https://docs.aws.amazon.com/inspector/v2/APIReference/API_ListFindings.html) REST APIs. **IMPORTANT: Extra AWS charges on API requests will be generated by this integration. Check [API Requests](https://www.elastic.co/docs/current/integrations/aws#api-requests) for more details.** ## Compatibility +This module is tested against `Amazon Inspector API version 2.0`. - 1. The minimum compatible version of this module is **Elastic Agent 8.4.0**. - 2. This module is tested against `AWS Inspector API version 2.0`. +## Agentless-enabled integration -## To collect data from AWS Inspector API, users must have an Access Key and a Secret Key. To create API token follow below steps: +Agentless integrations allow you to collect data without having to manage Elastic Agent in your cloud. They make manual agent deployment unnecessary, so you can focus on your data instead of the agent that collects it. For more information, refer to [Agentless integrations](https://www.elastic.co/guide/en/serverless/current/security-agentless-integrations.html) and the [Agentless integrations FAQ](https://www.elastic.co/guide/en/serverless/current/agentless-integration-troubleshooting.html). + +Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments. This functionality is in beta and is subject to change. Beta features are not subject to the support SLA of official GA features. + +## To collect data from Amazon Inspector API, users must have an Access Key and a Secret Key. To create API token follow below steps: 1. Login to https://console.aws.amazon.com/. 2. 
Go to https://console.aws.amazon.com/iam/ to access the IAM console. diff --git a/packages/aws/changelog.yml b/packages/aws/changelog.yml index 84af2a681a4..7a5420e0040 100644 --- a/packages/aws/changelog.yml +++ b/packages/aws/changelog.yml @@ -1,4 +1,12 @@ # newer versions go on top +- version: "3.12.0" + changes: + - description: | + Mapping changes in `inspector` datastream for Cloud Detection and Response (CDR) vulnerability workflow. + Parse and map newly introduced fields in the `inspector` data stream. + Enable request trace log removal and Agentless deployment in the `inspector` data stream. + type: enhancement + link: https://github.com/elastic/integrations/pull/14306 - version: "3.11.0" changes: - description: Fix `tlsVersion` parsing when not properly defined in cloudtrail event. diff --git a/packages/aws/data_stream/inspector/_dev/deploy/docker/files/certificate.crt b/packages/aws/data_stream/inspector/_dev/deploy/docker/files/certificate.crt index e42da5797a6..0e17ef26c9d 100644 --- a/packages/aws/data_stream/inspector/_dev/deploy/docker/files/certificate.crt +++ b/packages/aws/data_stream/inspector/_dev/deploy/docker/files/certificate.crt 
@@ -1,20 +1,18 @@ -----BEGIN CERTIFICATE----- -MIIDUDCCAjgCCQCsyG2Sw6iMvzANBgkqhkiG9w0BAQsFADBqMQswCQYDVQQGEwJY -WDEVMBMGA1UEBwwMRGVmYXVsdCBDaXR5MRwwGgYDVQQKDBNEZWZhdWx0IENvbXBh -bnkgTHRkMSYwJAYDVQQDDB1pbnNwZWN0b3IyLnh4eHguYW1hem9uYXdzLmNvbTAe -Fw0yMjA5MTkxMTE3NDlaFw0yMzA5MTkxMTE3NDlaMGoxCzAJBgNVBAYTAlhYMRUw -EwYDVQQHDAxEZWZhdWx0IENpdHkxHDAaBgNVBAoME0RlZmF1bHQgQ29tcGFueSBM -dGQxJjAkBgNVBAMMHWluc3BlY3RvcjIueHh4eC5hbWF6b25hd3MuY29tMIIBIjAN -BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs65SHVvohc00blWOWaZqqunMMw9G -nZuhvWMvUdkk2FZE4nmkU0QB1VhewV7Yesfbelhq5OYj6NE2hEl0znSUju8CbQHy -LfXH+Wp6zBe7o1lVNXVcb7PHwCx/nThXsohEHCHYRu8d9APbY7doUW0amFQOSHCD -jbqmr1lcOsZ7C57X4A5iQyESaP3ASzYoTitSbsWQWWETq5Kq7Bl2Vm5Pk8p5fg2u -7cSyY7XtRXxlKW0adAbaOIBe7+JZr5nukUjGWOL139K1Zl/YO/1lxDJvZLwKOffM -zLTX111B0GX9Lmtk/8A0A6yzuL8u5byKEIGCwD/wW30+763y8TgFaWh0nwIDAQAB -MA0GCSqGSIb3DQEBCwUAA4IBAQBY4KpmVFmCneRe0vtlx6FA0Pa2N4oAVgQmNs0r -tySb22AB8c5FBh0KxDYTNRLzVRPOeFxEboDbVVMCIhGHem/EqbxVRiQPP5OJVjqG -VSAhQ9maRxEnPOJ2BxMGm38etP1+TJkbPgIYmZTSswEODYksnqiC6YeoLVMnWDeX -o6y1gqSKdndUHf4FO/RxZfrrXv85GwwpgnNGCjv5o09VxlO1yzXDNlml6KCarWuc -DTMzUkky77XmBVrLVd+YF3jmL9frGB0s6Kud5E691gl9M3hmXJwPnzrEUgUNqrz9 -/eb6vyOPH3qLNpMfE2X12xNJ5cZ5CN7rT37b5Mce4QPNsX2M +MIIC1zCCAb8CFBhBTt6yEnLtREKHvN40F2qLleIdMA0GCSqGSIb3DQEBCwUAMCgx +JjAkBgNVBAMMHWluc3BlY3RvcjIueHh4eC5hbWF6b25hd3MuY29tMB4XDTI1MDYy +NDA5MTQxMloXDTM1MDYyMjA5MTQxMlowKDEmMCQGA1UEAwwdaW5zcGVjdG9yMi54 +eHh4LmFtYXpvbmF3cy5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB +AQCbq5ChvdjWiM2/tpew4HATwk9KBXB2J4s70DaqxWJwLKzUYEGWXbujk9ONptE9 +7gkaQEGILWB8vjF47499a0WRt6LeC5KYjH5+Z3MoD+0Eixo2j6rh+jyxTBb64QR8 +GUT3oo0cEDOTXFbVF5ooS1Sber2S5Ww5Edm8jKSYuJ8cJxJDghg9Np4sZZ6JBFIq +kftDoLCeCZf4W5u8n9/386g47TzgI7ojGEER3m2TXOPVIA7XooeGisqUiOpTPHWA +0tctkSdjow+JJQ7oUi5NJJKdJ2cPbpA11kv9/9TYIpKZf+jUu8ZxTwAwbTjPLbyo +qFzle0BYcc4j2zOdKuv4OkPXAgMBAAEwDQYJKoZIhvcNAQELBQADggEBACC7nvmw ++4cR7DslQ6pGRIHbB23yK7ro3cFWqgcxsYg3ntbAJitgKuROWi/rv2vhOB0SfuHT 
+9Oc/jcOIilgGni+mfOSTySIYT7B4OeYDjIonYzBsykSWjbt+QtHjJlRwNhZm38ws +fG/nIjC69GCIS3BUqo9dxgnyCdHn+hO3rO8mE58MKVA/iq7uDuFIdLrU+xY1LFUT +yb9ZRr3XMjgNFiC3LWnQDycxecFZo4OJcRETyGuwL+HcOybcO00ZOoGHMcemVjTA +JPlgUImmsN+vezO92i2adepyb75vEbEbILQyz9G1WCg6MA9UWrdT9LtwOxq2+pCt +KsEFaVXtUm4/YSo= -----END CERTIFICATE----- diff --git a/packages/aws/data_stream/inspector/_dev/deploy/docker/files/config.yml b/packages/aws/data_stream/inspector/_dev/deploy/docker/files/config.yml index 1b4de1157ce..a5d73aa0b4a 100644 --- a/packages/aws/data_stream/inspector/_dev/deploy/docker/files/config.yml +++ b/packages/aws/data_stream/inspector/_dev/deploy/docker/files/config.yml 
@@ -3,5 +3,181 @@ rules: methods: ["POST"] responses: - status_code: 200 - body: | - {"findings":[{"awsAccountId":"123456789","description":"Findins message","findingArn":"arn:aws:s3:::sample","firstObservedAt":"1.663703546405E9","inspectorScore":1.2,"inspectorScoreDetails":{"adjustedCvss":{"adjustments":[{"metric":"Base","reason":"use Base metric"}],"cvssSource":"scope1","score":8.9,"scoreSource":"scope2","scoringVector":"Attack Vector","version":"v3.1"}},"lastObservedAt":"1.663703546405E9","networkReachabilityDetails":{"networkPath":{"steps":[{"componentId":"02ce3860-3126-42af-8ac7-c2a661134129","componentType":"type"}]},"openPortRange":{"begin":1234,"end":4567},"protocol":"TCP"},"packageVulnerabilityDetails":{"cvss":[{"baseScore":1.1,"scoringVector":"Attack Vector","source":"scope3","version":"v3.1"}],"referenceUrls":["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111"],"relatedVulnerabilities":["security"],"source":"example","sourceUrl":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111","vendorCreatedAt":"1.663703546405E9","vendorSeverity":"basic","vendorUpdatedAt":"1.663703546405E9","vulnerabilityId":"123456789","vulnerablePackages":[{"arch":"arch","epoch":123,"filePath":"/example","fixedInVersion":"3","name":"example","packageManager":"BUNDLER","release":"release","sourceLayerHash":"50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545c","version":"2.0"}]},"remediation":{"recommendation":{"text":"example","Url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111"}},"resources":[{"details":{"awsEc2Instance":{"iamInstanceProfileArn":"arn:aws:s3:::iam","imageId":"123456789","ipV4Addresses":["89.160.20.128","81.2.69.192"],"ipV6Addresses":["2a02:cf40::"],"keyName":"sample","launchedAt":"1.663703546405E9","platform":"EC2","subnetId":"123456","type":"Instance","vpcId":"3265875"},"awsEcrContainerImage":{"architecture":"arch","author":"example","imageHash":"50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545d","ima
geTags":["sample"],"platform":"ECR","pushedAt":"1.663703546405E9","registry":"ecr registry","repositoryName":"sample"}},"id":"12345678","partition":"partition","region":"us-east-1","tags":{"string1":"string1","string2":"string2"},"type":"AWS_EC2_INSTANCE"}],"severity":"INFORMATIONAL","status":"ACTIVE","title":"sample findings","type":"NETWORK_REACHABILITY","updatedAt":"1.663703546405E9"}]} + body: |- + {{ minify_json ` + { + "findings": [ + { + "awsAccountId": "123456789012", + "description": "The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. , , etc contexts).", + "epss": { + "score": 0.00024 + }, + "exploitAvailable": "NO", + "findingArn": "arn:aws:inspector2:us-east-2:123456789012:finding/fb6294abcdef0123456789abcdef8123", + "firstObservedAt": 1748539687.919, + "fixAvailable": "YES", + "inspectorScore": 6.5, + "inspectorScoreDetails": { + "adjustedCvss": { + "adjustments": [], + "cvssSource": "NVD", + "score": 6.5, + "scoreSource": "NVD", + "scoringVector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L", + "version": "3.1" + } + }, + "lastObservedAt": 1749165796.162, + "packageVulnerabilityDetails": { + "cvss": [ + { + "baseScore": 6.5, + "scoringVector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L", + "source": "NVD", + "version": "3.1" + }, + { + "baseScore": 6.5, + "scoringVector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L", + "source": "NVD", + "version": "3.1" + } + ], + "referenceUrls": [ + "https://groups.google.com/g/golang-announce/c/ezSKR9vqbqA", + "https://nvd.nist.gov/vuln/detail/CVE-2025-22872", + "https://alas.aws.amazon.com/AL2023/ALAS-2025-981.html", + 
"https://alas.aws.amazon.com/AL2/ALASDOCKER-2025-064.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2025-980.html", + "https://alas.aws.amazon.com/AL2/ALASDOCKER-2025-063.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2025-979.html", + "https://alas.aws.amazon.com/cve/json/v1/CVE-2025-22872.json", + "https://alas.aws.amazon.com/AL2/ALAS-2025-2863.html", + "https://alas.aws.amazon.com/cve/json/v1/CVE-2025-22872.json" + ], + "relatedVulnerabilities": [], + "source": "NVD", + "sourceUrl": "https://nvd.nist.gov/vuln/detail/CVE-2025-22872", + "vendorCreatedAt": 1744827364, + "vendorSeverity": "MEDIUM", + "vendorUpdatedAt": 1747437319, + "vulnerabilityId": "CVE-2025-22872", + "vulnerablePackages": [ + { + "epoch": 0, + "filePath": "vol-0e47545061282cd35:/p1:opt/cni/bin/aws-cni", + "fixedInVersion": "0.38.0", + "name": "golang.org/x/net", + "packageManager": "GOBINARY", + "version": "v0.1.0" + }, + { + "epoch": 0, + "filePath": "vol-0e47545061282cd35:/p1:etc/eks/image-credential-provider/ecr-credential-provider", + "fixedInVersion": "0.38.0", + "name": "golang.org/x/net", + "packageManager": "GOBINARY", + "version": "v0.30.0" + }, + { + "epoch": 0, + "filePath": "vol-0e47545061282cd35:/p1:opt/cni/bin/dhcp", + "fixedInVersion": "0.38.0", + "name": "golang.org/x/net", + "packageManager": "GOBINARY", + "version": "v0.30.0" + }, + { + "epoch": 0, + "filePath": "vol-0e47545061282cd35:/p1:usr/bin/aws-iam-authenticator", + "fixedInVersion": "0.38.0", + "name": "golang.org/x/net", + "packageManager": "GOBINARY", + "version": "v0.30.0" + }, + { + "epoch": 0, + "filePath": "vol-0e47545061282cd35:/p1:usr/bin/kubelet", + "fixedInVersion": "0.38.0", + "name": "golang.org/x/net", + "packageManager": "GOBINARY", + "version": "v0.30.0" + }, + { + "arch": "X86_64", + "epoch": 0, + "fixedInVersion": "0:2.0.5-1.amzn2.0.1", + "name": "nerdctl", + "packageManager": "OS", + "release": "1.amzn2.0.1", + "remediation": "yum update nerdctl", + "version": "2.0.4" + } + ] + }, + "remediation": 
{ + "recommendation": { + "text": "None Provided" + } + }, + "resources": [ + { + "details": { + "awsEc2Instance": { + "iamInstanceProfileArn": "arn:aws:iam::123456789012:instance-profile/eks-0012345a-1234-5678-1234-6c1abcdef012", + "imageId": "ami-0e0f0123456789abd", + "ipV4Addresses": [ + "10.90.1.245", + "10.90.1.45", + "10.90.1.168", + "10.90.1.157", + "1.128.0.1", + "10.90.1.103", + "10.90.1.197", + "10.90.1.220", + "10.90.1.86", + "10.90.1.29", + "10.90.1.18", + "10.90.1.181", + "10.90.1.161", + "10.90.1.229", + "10.90.1.108", + "10.90.1.219", + "10.90.1.9", + "10.90.1.106", + "10.90.1.206" + ], + "ipV6Addresses": [], + "launchedAt": 1748534768, + "platform": "AMAZON_LINUX_2", + "subnetId": "subnet-0ababcdefabcdef8b", + "type": "t3.medium", + "vpcId": "vpc-04ab0123456789123" + } + }, + "id": "i-0fabcdefabcdef50b", + "partition": "aws", + "region": "us-east-2", + "tags": { + "aws:autoscaling:groupName": "eks-sei_demo_prod_linux-00c12345-abcd-1234-5678-601234567896", + "aws:ec2launchtemplate:version": "6", + "aws:eks:cluster-name": "sei_demo_prod", + "eks:cluster-name": "sei_demo_prod", + "eks:nodegroup-name": "sei_demo_prod_linux", + "k8s.io/cluster-autoscaler/enabled": "true", + "k8s.io/cluster-autoscaler/sei_demo_prod": "owned", + "kubernetes.io/cluster/sei_demo_prod": "owned" + }, + "type": "AWS_EC2_INSTANCE" + } + ], + "severity": "MEDIUM", + "status": "ACTIVE", + "title": "CVE-2025-22872 - golang.org/x/net, golang.org/x/net and 4 more", + "type": "PACKAGE_VULNERABILITY", + "updatedAt": 1749165796.162 + } + ] + } + `}} diff --git a/packages/aws/data_stream/inspector/_dev/deploy/docker/files/private.key b/packages/aws/data_stream/inspector/_dev/deploy/docker/files/private.key index 2f7d7eb168e..7d949e9c889 100644 --- a/packages/aws/data_stream/inspector/_dev/deploy/docker/files/private.key +++ b/packages/aws/data_stream/inspector/_dev/deploy/docker/files/private.key 
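Review bot: The new mock response body looks like a capture from a live account that was only partly scrubbed. `awsAccountId`, the instance, subnet, VPC and AMI ids follow an obvious placeholder pattern, but every `filePath` keeps `vol-0e47545061282cd35` and the `tags` keep the cluster name `sei_demo_prod`; whether these are real identifiers cannot be told from the diff, so they should be confirmed as synthetic or replaced. A constructed replacement would be `"filePath": "vol-0123456789abcdef0:/p1:opt/cni/bin/aws-cni"` and a neutral cluster name such as `example_cluster`, with the expected test output regenerated to match. The `test-inspector.log` hunk later in this diff carries the same strings, and one of its records pairs `"awsAccountId":"123456789012"` with an ARN account of `123451256789`, which suggests hand-editing and is worth making consistent in the same pass.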
@@ -1,28 +1,28 @@ -----BEGIN PRIVATE KEY----- -MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCzrlIdW+iFzTRu -VY5Zpmqq6cwzD0adm6G9Yy9R2STYVkTieaRTRAHVWF7BXth6x9t6WGrk5iPo0TaE -SXTOdJSO7wJtAfIt9cf5anrMF7ujWVU1dVxvs8fALH+dOFeyiEQcIdhG7x30A9tj -t2hRbRqYVA5IcIONuqavWVw6xnsLntfgDmJDIRJo/cBLNihOK1JuxZBZYROrkqrs -GXZWbk+Tynl+Da7txLJjte1FfGUpbRp0Bto4gF7v4lmvme6RSMZY4vXf0rVmX9g7 -/WXEMm9kvAo598zMtNfXXUHQZf0ua2T/wDQDrLO4vy7lvIoQgYLAP/BbfT7vrfLx -OAVpaHSfAgMBAAECggEBAK1pJhLzqtvHijyaEcJwHC5Laio1Kf/ePiDb4sVpfmfU -CrNQlslNrz9KBFk3wlHtJONVBgVYH3wIvka55iOC3AV+oqa15Bd7R75th4oFtbAW -/WeUltuvdK8Bwz/nKqxBWwqTl3oOOKhSOKBqWCGN3Mb7CLXc8PoOE+TTp3GKMSKq -UJHftHNIcEhb0MqB6sV3KnD6Z00Y/TYIlbPm3LsbSwN7llOGeQAfFaf1iS9M42QT -XCPp3No6kNokt/G/pc3afupbgOLEF3hh1VOtS5ooFq74WrA3O0M7iL4fZFIY2RZY -JsyWEn0foKrwrCl+tdCmeCDjclgun2sk0FYCGR8LL6ECgYEA7fV5+MqwoF40Q0mI -+ccnWYz/hBrmUdWZ+t4Y4s1LKbUkHyG99cR7W/Z5wUXihK/hybTZkZ3TI5TNWx0D -pAMXOKDPLP6Lx3E5VsqREQq8laFF8byWmA3RVprU5j2WfQQudCUjStFxs+bN7zpk -WklPg10uJRjHIaUFc2ECJ3GGV/kCgYEAwU27io7qQjsMWOLO07B6R2rt9mPT+jyX -QD0H9uA++kJy7VWhQr04QBCA6rnnblEwMuNFmPQUJUMVHZDhdkDnEdTzMJL2orjY -tQR0qdosReYDmnNRcHnLuvZZgs2hlPCOoSpHbtRWcydDz9R8tJGdQFnRnOkxyhG+ -Bk6bn3zOx1cCgYEAnHd+FUaJ71kiOmBe7gay7CJXXTEm4wZ18kwZxwBAfRM7xjC0 -rKbeinC+TIS8Vo0kBTKioSpKzCmrAk9Ito7FtRmgQLC7jo/3qQcXbkJGEIlz6Wkd -CKyFStISTbaPfnLCbOKCm06u2iFYpgYaOHfeDb22evQY9BmDRQOzm+X89VkCgYBD -njplPJrrchZenXA2EryjcN8u2jrThRBvkynPDSBakJX9OYAAhYpAtsUx1rgDGflf -Q6sb1v2ZDz86qWyE3i02SqSLME2AHGMJ5zYcGEp2ZQCLrZ0mWCSREQ28uMu1+vQZ -ol18gmB/RZPuBmldDLbSRNkTJ2uYQN6U/Dhp8NGwXwKBgQCbJsAqnGRi0Doogyr9 -sGVGH9yXcOOKHrHQuOLYcUo5X9uO6qy1MGEKUP3BfeLQr2bds4so3d2vbtVa32lH -2zdUhDLShHNNhacSQkPb7HvRXSTN8g4IrK+nvl6WPSISVbi1tqKZZo195K8Q3bhy -3zrW0FlJvp4I4mXZZf+KjUNHYA== +MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCbq5ChvdjWiM2/ +tpew4HATwk9KBXB2J4s70DaqxWJwLKzUYEGWXbujk9ONptE97gkaQEGILWB8vjF4 +7499a0WRt6LeC5KYjH5+Z3MoD+0Eixo2j6rh+jyxTBb64QR8GUT3oo0cEDOTXFbV +F5ooS1Sber2S5Ww5Edm8jKSYuJ8cJxJDghg9Np4sZZ6JBFIqkftDoLCeCZf4W5u8 
+n9/386g47TzgI7ojGEER3m2TXOPVIA7XooeGisqUiOpTPHWA0tctkSdjow+JJQ7o +Ui5NJJKdJ2cPbpA11kv9/9TYIpKZf+jUu8ZxTwAwbTjPLbyoqFzle0BYcc4j2zOd +Kuv4OkPXAgMBAAECggEAJZGnw6kmMkxs32ZJQKpB0jr0WMhsRk+v1h0ffGJLqgfW +JCEg4xG3DbjI9yg52mjesIOubReKcECUfvvN1PZ1IUBA4bbIR+GsS4Ra8eG6EX0i +s+VDV+tFB4L2DtEMfIi6sMr9pDayw88ms6HRFgVsI2PhaZjN4A4TTuJgfO0dlTTm +T8RPOhIT4ydRaVBawzZsA5NKpU4PX8mMwNSkoCvnruYNTFb/GE1tsozTnOnMiZ1q +xPEWJNAhoiWPbiZDrjz5OHuTVqI31QDJH06aqfWuAx2H9qJL9BfyKJsotMjyR3Cn +5hgbiJx+9/6rvmhclun4H6DSRmO68+aGQ+65P7wySQKBgQC/x/jmQoMpKCCbJL/A +Nq1sm6/domIMD2DuNoIxdzf5tW7cPBiwu0HEvMFC9BsmhN4o1uiacGSiIJVLEe+Q +/vUjVr+VnW28NvD43kCXceCxKWMInruqTxyqVaSHnPx2TK4uDtbdTqyIzDs6GQSX +i22hbaafR+0/hR18WEy+t8iQ+QKBgQDPzA616QmdJz5PtGxBjKyPNNTokKPOA8Bg +ZKl0Dz9BzEbRMHcBCGYd8DAkOZJvCovxBPoyp2swysjPUrBMpUUEGrh8Ds7a1Oqs +lJLU/fpPMbBD3FpzRLFCaZd7nrZZBbVwkOLaYOiKbxYBkz0Pun8CwZCq0i/WA0U4 +I8KmcTp/TwKBgHgzaflH7tU45VbX7acXnhLYcZ3ETRep++LSHz/JrTfBU76NnBwJ +AevBMpA4V1wJIwUNzbQehbRoH6pxj2mdox+HG4U2qrSw6s/Q3UMOiPoBKqUYeB8C +fsDz9K9a4ZFz9ie//UOwL8t91hFP5OTm6sum4iwq9LQ/Rn/NCCzxG7BhAoGAOBLT +oWkaTAsr+Gwyjlm8swRJs9xcJ5rBjgF77LK0mjfaoFaYtnGixM9s3kme51IMQ2TZ +c1PUTB1cpP2mT3iFsD7Zq7h/P3QXQ6zwFoPWyQoai6VpzxMpVkeSNiy0/j7ZIGAo +p09hUQH7CT/HSXhFD+RV+pKvj+vgAO89dpa1d2cCgYBwVgPyFdoxYIZhaz9+8f4H +uWdCvgQDINEQD7FOj2SBcqunHehPrNp8uyby4YtSU31sOYyhOBTb5/1LvT8nt+JQ +w4eK1i9FkzE6wSpWhq2Z24LhyL7KMFbqZl8pf2mUGIEMRXVTbD0Ef5s7TeY3YqHQ +oYjDjXq0ttpfVu2mvOUchQ== -----END PRIVATE KEY----- diff --git a/packages/aws/data_stream/inspector/_dev/test/pipeline/test-inspector.log b/packages/aws/data_stream/inspector/_dev/test/pipeline/test-inspector.log index ee72594464e..8ea5db1a260 100644 --- a/packages/aws/data_stream/inspector/_dev/test/pipeline/test-inspector.log +++ b/packages/aws/data_stream/inspector/_dev/test/pipeline/test-inspector.log 
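Review bot: Nothing in or next to the new `private.key` marks it as a throwaway fixture, although it is an unencrypted PKCS#8 RSA key whose modulus matches the public key in the regenerated `certificate.crt` from the earlier hunk. Decoding the new certificate body gives subject `inspector2.xxxx.amazonaws.com` and a validity window of roughly ten years (2025-06-24 to 2035-06-22), so this pair will remain usable wherever it is copied for a long time. A short README beside the files under `_dev/deploy/docker/files/` would make the intent explicit, for example `Test-only self-signed key pair for the mock Inspector endpoint; never trust or reuse outside this test stack.` If the repository runs secret scanning, this path probably needs an explicit allowlist entry so that expected fixture hits do not bury a real key leak. Generating the pair when the mock container starts would avoid committing key material at all, if the test harness allows it.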
@@ -1 +1,17 @@ {"awsAccountId":"123456789","description":"Findins message","findingArn":"arn:aws:s3:::sample","firstObservedAt":"1.663703546405E9","inspectorScore":1.2,"inspectorScoreDetails":{"adjustedCvss":{"adjustments":[{"metric":"Base","reason":"use Base metric"}],"cvssSource":"scope1","score":8.9,"scoreSource":"scope2","scoringVector":"Attack Vector","version":"v3.1"}},"lastObservedAt":"1.663703546405E9","networkReachabilityDetails":{"networkPath":{"steps":[{"componentId":"02ce3860-3126-42af-8ac7-c2a661134129","componentType":"type"}]},"openPortRange":{"begin":1234,"end":4567},"protocol":"TCP"},"packageVulnerabilityDetails":{"cvss":[{"baseScore":1.1,"scoringVector":"Attack Vector","source":"scope3","version":"v3.1"}],"referenceUrls":["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111"],"relatedVulnerabilities":["security"],"source":"example","sourceUrl":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111","vendorCreatedAt":"1.663703546405E9","vendorSeverity":"basic","vendorUpdatedAt":"1.663703546405E9","vulnerabilityId":"123456789","vulnerablePackages":[{"arch":"arch","epoch":123,"filePath":"/example","fixedInVersion":"3","name":"example","packageManager":"BUNDLER","release":"release","sourceLayerHash":"50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545c","version":"2.0"}]},"remediation":{"recommendation":{"text":"example","Url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111"}},"resources":[{"details":{"awsEc2Instance":{"iamInstanceProfileArn":"arn:aws:s3:::iam","imageId":"123456789","ipV4Addresses":["89.160.20.128","81.2.69.192"],"ipV6Addresses":["2a02:cf40::"],"keyName":"sample","launchedAt":"1.663703546405E9","platform":"EC2","subnetId":"123456","type":"Instance","vpcId":"3265875"},"awsEcrContainerImage":{"architecture":"arch","author":"example","imageHash":"50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545d","imageTags":["sample"],"platform":"ECR","pushedAt":"1.663703546405E9","registry":"ecr 
registry","repositoryName":"sample"}},"id":"12345678","partition":"partition","region":"us-east-1","tags":{"string1":"string1","string2":"string2"},"type":"AWS_EC2_INSTANCE"}],"severity":"INFORMATIONAL","status":"ACTIVE","title":"sample findings","type":"NETWORK_REACHABILITY","updatedAt":"1.663703546405E9"} +{"awsAccountId":"123456789012","description":"Requests is a HTTP library. Prior to 2.32.0, when making requests through a Requests `Session`, if the first request is made with `verify=False` to disable cert verification, all subsequent requests to the same host will continue to ignore cert verification regardless of changes to the value of `verify`. This behavior will continue for the lifecycle of the connection in the connection pool. This vulnerability is fixed in 2.32.0.","epss":{"score":0.00018},"exploitAvailable":"NO","findingArn":"arn:aws:inspector2:us-east-2:123451256789:finding/fb6294abcdef0123456789abcdef8404","firstObservedAt":1748629505.465,"fixAvailable":"YES","inspectorScore":6.5,"inspectorScoreDetails":{"adjustedCvss":{"adjustments":[],"cvssSource":"AMAZON_CVE","score":6.5,"scoreSource":"AMAZON_CVE","scoringVector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N","version":"3.1"}},"lastObservedAt":1749165997.322,"packageVulnerabilityDetails":{"cvss":[{"baseScore":6.5,"scoringVector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N","source":"AMAZON_CVE","version":"3.1"},{"baseScore":5.6,"scoringVector":"CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N","source":"NVD","version":"3.1"}],"referenceUrls":["https://alas.aws.amazon.com/AL2/ALAS-2025-2868.html","https://alas.aws.amazon.com/AL2/ALASPYTHON3.8-2024-017.html","https://alas.aws.amazon.com/AL2/ALAS-2024-2715.html","https://alas.aws.amazon.com/AL2023/ALAS-2024-781.html","https://alas.aws.amazon.com/AL2023/ALAS-2025-957.html","https://alas.aws.amazon.com/AL2023/ALAS-2024-780.html","https://alas.aws.amazon.com/cve/json/v1/CVE-2024-35195.json","https://alas.aws.amazon.com/AL2/ALAS-2025-2846.html","https://a
las.aws.amazon.com/AL2023/ALAS-2024-732.html","https://alas.aws.amazon.com/AL2/ALAS-2024-2654.html","https://alas.aws.amazon.com/AL2023/ALAS-2024-782.html"],"relatedVulnerabilities":["ALAS2023-2025-957","ALAS2023-2024-780","ALAS2-2024-2654","ALAS2-2025-2868","ALAS2-2025-2846","ALAS2-2024-2715","ALAS2023-2024-781","ALAS2023-2024-782","ALAS2023-2024-732"],"source":"AMAZON_CVE","sourceUrl":"https://alas.aws.amazon.com/cve/json/v1/CVE-2024-35195.json","vendorCreatedAt":1716163200,"vendorSeverity":"Medium","vendorUpdatedAt":1734652800,"vulnerabilityId":"CVE-2024-35195","vulnerablePackages":[{"arch":"NOARCH","epoch":0,"fixedInVersion":"0:2.6.0-10.amzn2.0.6","name":"python-requests","packageManager":"OS","release":"10.amzn2.0.5","remediation":"yum update python-requests","version":"2.6.0"}]},"remediation":{"recommendation":{"text":"None Provided"}},"resources":[{"details":{"awsEc2Instance":{"iamInstanceProfileArn":"arn:aws:iam::123451256789:instance-profile/eks-0012345a-1234-5678-1234-6c1abcdef012","imageId":"ami-0e0f0123456789abd","ipV4Addresses":["10.90.0.87","10.90.0.60","10.90.0.30","10.90.0.74","10.90.0.206","10.90.0.207","10.90.0.37","10.90.0.149","10.90.0.235","175.16.199.1","10.90.0.225","10.90.0.212","10.90.0.199","10.90.0.240","10.90.0.164","10.90.0.160","10.90.0.182","10.90.0.70","10.90.0.180"],"ipV6Addresses":[],"launchedAt":1748534680,"platform":"AMAZON_LINUX_2","subnetId":"subnet-0ababcdefabcdef11","type":"t3.medium","vpcId":"vpc-04ab0123456789123"}},"id":"i-059abcdefabcdef1b","partition":"aws","region":"us-east-2","tags":{"aws:ec2launchtemplate:version":"6","aws:eks:cluster-name":"sei_demo_prod","eks:cluster-name":"sei_demo_prod","eks:nodegroup-name":"sei_demo_prod_linux","k8s.io/cluster-autoscaler/enabled":"true","k8s.io/cluster-autoscaler/sei_demo_prod":"owned","kubernetes.io/cluster/sei_demo_prod":"owned"},"type":"AWS_EC2_INSTANCE"}],"severity":"MEDIUM","status":"ACTIVE","title":"CVE-2024-35195 - 
python-requests","type":"PACKAGE_VULNERABILITY","updatedAt":1749165997.322} +{"awsAccountId":"123456789012","description":"The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. , , etc contexts).","epss":{"score":0.00024},"exploitAvailable":"NO","findingArn":"arn:aws:inspector2:us-east-2:123456789012:finding/fb6294abcdef0123456789abcdef8123","firstObservedAt":1748539687.919,"fixAvailable":"YES","inspectorScore":6.5,"inspectorScoreDetails":{"adjustedCvss":{"adjustments":[],"cvssSource":"NVD","score":6.5,"scoreSource":"NVD","scoringVector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L","version":"3.1"}},"lastObservedAt":1749165796.162,"packageVulnerabilityDetails":{"cvss":[{"baseScore":6.5,"scoringVector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L","source":"NVD","version":"3.1"},{"baseScore":6.5,"scoringVector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L","source":"NVD","version":"3.1"}],"referenceUrls":["https://groups.google.com/g/golang-announce/c/ezSKR9vqbqA","https://nvd.nist.gov/vuln/detail/CVE-2025-22872","https://alas.aws.amazon.com/AL2023/ALAS-2025-981.html","https://alas.aws.amazon.com/AL2/ALASDOCKER-2025-064.html","https://alas.aws.amazon.com/AL2023/ALAS-2025-980.html","https://alas.aws.amazon.com/AL2/ALASDOCKER-2025-063.html","https://alas.aws.amazon.com/AL2023/ALAS-2025-979.html","https://alas.aws.amazon.com/cve/json/v1/CVE-2025-22872.json","https://alas.aws.amazon.com/AL2/ALAS-2025-2863.html","https://alas.aws.amazon.com/cve/json/v1/CVE-2025-22872.json"],"relatedVulnerabilities":[],"source":"NVD","sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2025-22872","vendorCreatedAt":1744827364,"v
endorSeverity":"MEDIUM","vendorUpdatedAt":1747437319,"vulnerabilityId":"CVE-2025-22872","vulnerablePackages":[{"epoch":0,"filePath":"vol-0e47545061282cd35:/p1:opt/cni/bin/aws-cni","fixedInVersion":"0.38.0","name":"golang.org/x/net","packageManager":"GOBINARY","version":"v0.1.0"},{"epoch":0,"filePath":"vol-0e47545061282cd35:/p1:etc/eks/image-credential-provider/ecr-credential-provider","fixedInVersion":"0.38.0","name":"golang.org/x/net","packageManager":"GOBINARY","version":"v0.30.0"},{"epoch":0,"filePath":"vol-0e47545061282cd35:/p1:opt/cni/bin/dhcp","fixedInVersion":"0.38.0","name":"golang.org/x/net","packageManager":"GOBINARY","version":"v0.30.0"},{"epoch":0,"filePath":"vol-0e47545061282cd35:/p1:usr/bin/aws-iam-authenticator","fixedInVersion":"0.38.0","name":"golang.org/x/net","packageManager":"GOBINARY","version":"v0.30.0"},{"epoch":0,"filePath":"vol-0e47545061282cd35:/p1:usr/bin/kubelet","fixedInVersion":"0.38.0","name":"golang.org/x/net","packageManager":"GOBINARY","version":"v0.30.0"},{"arch":"X86_64","epoch":0,"fixedInVersion":"0:2.0.5-1.amzn2.0.1","name":"nerdctl","packageManager":"OS","release":"1.amzn2.0.1","remediation":"yum update nerdctl","version":"2.0.4"}]},"remediation":{"recommendation":{"text":"None 
Provided"}},"resources":[{"details":{"awsEc2Instance":{"iamInstanceProfileArn":"arn:aws:iam::123456789012:instance-profile/eks-0012345a-1234-5678-1234-6c1abcdef012","imageId":"ami-0e0f0123456789abd","ipV4Addresses":["10.90.1.245","10.90.1.45","10.90.1.168","10.90.1.157","1.128.0.1","10.90.1.103","10.90.1.197","10.90.1.220","10.90.1.86","10.90.1.29","10.90.1.18","10.90.1.181","10.90.1.161","10.90.1.229","10.90.1.108","10.90.1.219","10.90.1.9","10.90.1.106","10.90.1.206"],"ipV6Addresses":[],"launchedAt":1748534768,"platform":"AMAZON_LINUX_2","subnetId":"subnet-0ababcdefabcdef8b","type":"t3.medium","vpcId":"vpc-04ab0123456789123"}},"id":"i-0fabcdefabcdef50b","partition":"aws","region":"us-east-2","tags":{"aws:autoscaling:groupName":"eks-sei_demo_prod_linux-00c12345-abcd-1234-5678-601234567896","aws:ec2launchtemplate:version":"6","aws:eks:cluster-name":"sei_demo_prod","eks:cluster-name":"sei_demo_prod","eks:nodegroup-name":"sei_demo_prod_linux","k8s.io/cluster-autoscaler/enabled":"true","k8s.io/cluster-autoscaler/sei_demo_prod":"owned","kubernetes.io/cluster/sei_demo_prod":"owned"},"type":"AWS_EC2_INSTANCE"}],"severity":"MEDIUM","status":"ACTIVE","title":"CVE-2025-22872 - golang.org/x/net, golang.org/x/net and 4 more","type":"PACKAGE_VULNERABILITY","updatedAt":1749165796.162} +{"awsAccountId":"123456789012","description":"The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 
2023.","epss":{"score":0.94407},"exploitAvailable":"YES","exploitabilityDetails":{"lastKnownExploitAt":1748909367},"findingArn":"arn:aws:inspector2:us-east-2:123456789012:finding/7c6abcdef0123456789abcdef869e9be","firstObservedAt":1748539687.919,"fixAvailable":"YES","inspectorScore":7.5,"inspectorScoreDetails":{"adjustedCvss":{"adjustments":[],"cvssSource":"NVD","score":7.5,"scoreSource":"NVD","scoringVector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"}},"lastObservedAt":1749079491.767,"packageVulnerabilityDetails":{"cvss":[{"baseScore":7.5,"scoringVector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","source":"NVD","version":"3.1"}],"referenceUrls":[],"relatedVulnerabilities":[],"source":"NVD","sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2023-44487","vendorCreatedAt":1696947310,"vendorSeverity":"HIGH","vendorUpdatedAt":1744419601,"vulnerabilityId":"CVE-2023-44487","vulnerablePackages":[{"epoch":0,"filePath":"vol-0e47545061282cd35:/p1:opt/cni/bin/aws-cni","fixedInVersion":"0.17.0","name":"golang.org/x/net","packageManager":"GOBINARY","version":"v0.1.0"},{"epoch":0,"filePath":"vol-0e47545061282cd35:/p1:opt/cni/bin/aws-cni","fixedInVersion":"1.58.3","name":"google.golang.org/grpc","packageManager":"GOBINARY","version":"v1.31.0"}]},"remediation":{"recommendation":{"text":"None 
Provided"}},"resources":[{"details":{"awsEc2Instance":{"iamInstanceProfileArn":"arn:aws:iam::123456789012:instance-profile/eks-0012345a-1234-5678-1234-6c1abcdef012","imageId":"ami-0e0f0123456789abd","ipV4Addresses":["10.90.1.245","10.90.1.45","10.90.1.168","10.90.1.157","1.128.0.1","10.90.1.103","10.90.1.197","10.90.1.220","10.90.1.86","10.90.1.29","10.90.1.18","10.90.1.181","10.90.1.161","10.90.1.229","10.90.1.108","10.90.1.219","10.90.1.9","10.90.1.106","10.90.1.206"],"ipV6Addresses":[],"launchedAt":1748534768,"platform":"AMAZON_LINUX_2","subnetId":"subnet-08aabcdefabcdefab","type":"t3.medium","vpcId":"vpc-04ab0123456789123"}},"id":"i-0fabcdefabcdef50b","partition":"aws","region":"us-east-2","tags":{"aws:autoscaling:groupName":"eks-sei_demo_prod_linux-00c12345-abcd-1234-5678-601234567896","aws:ec2launchtemplate:version":"6","aws:eks:cluster-name":"sei_demo_prod","eks:cluster-name":"sei_demo_prod","eks:nodegroup-name":"sei_demo_prod_linux","k8s.io/cluster-autoscaler/enabled":"true","k8s.io/cluster-autoscaler/sei_demo_prod":"owned","kubernetes.io/cluster/sei_demo_prod":"owned"},"type":"AWS_EC2_INSTANCE"}],"severity":"HIGH","status":"ACTIVE","title":"CVE-2023-44487 - golang.org/x/net, google.golang.org/grpc","type":"PACKAGE_VULNERABILITY","updatedAt":1749079491.767} +{"awsAccountId":"123456789012","description":"An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. 
These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.","epss":{"score":0.66635},"exploitAvailable":"NO","findingArn":"arn:aws:inspector2:us-east-2:123456789012:finding/4038abcdef0123456789abcdef89a264","firstObservedAt":1748539666.436,"fixAvailable":"YES","inspectorScore":7.5,"inspectorScoreDetails":{"adjustedCvss":{"adjustments":[],"cvssSource":"NVD","score":7.5,"scoreSource":"NVD","scoringVector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"}},"lastObservedAt":1749165997.322,"packageVulnerabilityDetails":{"cvss":[{"baseScore":7.5,"scoringVector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","source":"NVD","version":"3.1"}],"referenceUrls":["https://nvd.nist.gov/vuln/detail/CVE-2023-45288","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRYFHIQ6XRKRYBI2F5UESH67BJBQXUPT/","https://groups.google.com/g/golang-announce/c/YgW0sx8mN3M"],"relatedVulnerabilities":[],"source":"NVD","sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2023-45288","vendorCreatedAt":1712265316,"vendorSeverity":"HIGH","vendorUpdatedAt":1732177602,"vulnerabilityId":"CVE-2023-45288","vulnerablePackages":[{"epoch":0,"filePath":"vol-00a0d78ffdf6dd3fd:/p1:opt/cni/bin/aws-cni","fixedInVersion":"0.23.0","name":"golang.org/x/net","packageManager":"GOBINARY","version":"v0.1.0"}]},"remediation":{"recommendation":{"text":"None 
Provided"}},"resources":[{"details":{"awsEc2Instance":{"iamInstanceProfileArn":"arn:aws:iam::123456789012:instance-profile/eks-0012345a-1234-5678-1234-6c1abcdef012","imageId":"ami-0e0f0123456789abd","ipV4Addresses":["10.90.0.87","10.90.0.60","10.90.0.30","10.90.0.74","10.90.0.206","10.90.0.207","10.90.0.37","10.90.0.149","10.90.0.235","1.128.0.2","10.90.0.225","10.90.0.212","10.90.0.199","10.90.0.240","10.90.0.164","10.90.0.160","10.90.0.182","10.90.0.70","10.90.0.180"],"ipV6Addresses":[],"launchedAt":1748534680,"platform":"AMAZON_LINUX_2","subnetId":"subnet-0ababcdefabcdef11","type":"t3.medium","vpcId":"vpc-04ab0123456789123"}},"id":"i-059abcdefabcdef1b","partition":"aws","region":"us-east-2","tags":{"aws:autoscaling:groupName":"eks-sei_demo_prod_linux-00c12345-abcd-1234-5678-601234567896","aws:ec2launchtemplate:version":"6","aws:eks:cluster-name":"sei_demo_prod","eks:cluster-name":"sei_demo_prod","eks:nodegroup-name":"sei_demo_prod_linux","k8s.io/cluster-autoscaler/enabled":"true","k8s.io/cluster-autoscaler/sei_demo_prod":"owned","kubernetes.io/cluster/sei_demo_prod":"owned"},"type":"AWS_EC2_INSTANCE"}],"severity":"HIGH","status":"ACTIVE","title":"CVE-2023-45288 - golang.org/x/net","type":"PACKAGE_VULNERABILITY","updatedAt":1749165997.322} +{"awsAccountId":"123456789012","description":"The net/http package accepted data in the chunked transfer encoding containing an invalid chunk-size line terminated by a bare LF. 
When used in conjunction with a server or proxy which incorrectly interprets a bare LF in a chunk extension as part of the extension, this could permit request smuggling.","epss":{"score":0.00018},"exploitAvailable":"YES","exploitabilityDetails":{"lastKnownExploitAt":1749086167},"findingArn":"arn:aws:inspector2:us-east-2:123456789012:finding/e3c4abcdef0123456789abcdefc5174a","firstObservedAt":1748629505.465,"fixAvailable":"YES","inspectorScore":7.5,"inspectorScoreDetails":{"adjustedCvss":{"adjustments":[],"cvssSource":"AMAZON_CVE","score":7.5,"scoreSource":"AMAZON_CVE","scoringVector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","version":"3.1"}},"lastObservedAt":1749165997.322,"packageVulnerabilityDetails":{"cvss":[{"baseScore":7.5,"scoringVector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","source":"AMAZON_CVE","version":"3.1"},{"baseScore":9.1,"scoringVector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","source":"NVD","version":"3.1"}],"referenceUrls":["https://alas.aws.amazon.com/AL2023/ALAS-2025-981.html","https://alas.aws.amazon.com/AL2/ALASECS-2025-055.html","https://alas.aws.amazon.com/AL2/ALASNITRO-ENCLAVES-2025-061.html","https://alas.aws.amazon.com/AL2/ALASDOCKER-2025-064.html","https://alas.aws.amazon.com/AL2/ALASNITRO-ENCLAVES-2025-054.html","https://alas.aws.amazon.com/AL2023/ALAS-2025-945.html","https://alas.aws.amazon.com/AL2023/ALAS-2025-980.html","https://alas.aws.amazon.com/AL2/ALASDOCKER-2025-063.html","https://alas.aws.amazon.com/AL2/ALAS-2025-2863.html","https://alas.aws.amazon.com/AL2/ALASDOCKER-2025-058.html","https://alas.aws.amazon.com/AL2023/ALAS-2025-933.html","https://alas.aws.amazon.com/AL2/ALASDOCKER-2025-065.html","https://alas.aws.amazon.com/AL2023/ALAS-2025-978.html","https://alas.aws.amazon.com/AL2/ALAS-2025-2870.html","https://alas.aws.amazon.com/AL2/ALAS-2025-2825.html","https://alas.aws.amazon.com/AL2023/ALAS-2025-979.html","https://alas.aws.amazon.com/cve/json/v1/CVE-2025-22871.json","https://alas.aws.amazon.com/AL2023/A
LAS-2025-968.html","https://alas.aws.amazon.com/AL2/ALAS-2025-2851.html"],"relatedVulnerabilities":["ALAS2023-2025-968","ALAS2023-2025-979","ALAS2NITRO-ENCLAVES-2025-054","ALAS2NITRO-ENCLAVES-2025-061","ALAS2-2025-2825","ALAS2023-2025-980","ALAS2023-2025-981","ALAS2-2025-2863","ALAS2DOCKER-2025-063","ALAS2-2025-2851","ALAS2DOCKER-2025-064","ALAS2DOCKER-2025-065","ALAS2-2025-2870","ALAS2023-2025-933","ALAS2DOCKER-2025-058","ALAS2023-2025-978","ALAS2023-2025-945"],"source":"AMAZON_CVE","sourceUrl":"https://alas.aws.amazon.com/cve/json/v1/CVE-2025-22871.json","vendorCreatedAt":1744070400,"vendorSeverity":"Important","vendorUpdatedAt":1744070400,"vulnerabilityId":"CVE-2025-22871","vulnerablePackages":[{"arch":"X86_64","epoch":0,"fixedInVersion":"0:1.32.0-1.amzn2.0.1","name":"cri-tools","packageManager":"OS","release":"1.amzn2.0.2","remediation":"yum update cri-tools","version":"1.29.0"},{"arch":"X86_64","epoch":0,"fixedInVersion":"0:2.0.5-1.amzn2.0.1","name":"nerdctl","packageManager":"OS","release":"1.amzn2.0.1","remediation":"yum update nerdctl","version":"2.0.4"}]},"remediation":{"recommendation":{"text":"None 
Provided"}},"resources":[{"details":{"awsEc2Instance":{"iamInstanceProfileArn":"arn:aws:iam::123456789012:instance-profile/eks-0012345a-1234-5678-1234-6c1abcdef012","imageId":"ami-0e0f0123456789abd","ipV4Addresses":["10.90.0.87","10.90.0.60","10.90.0.30","10.90.0.74","10.90.0.206","10.90.0.207","10.90.0.37","10.90.0.149","10.90.0.235","1.128.0.2","10.90.0.225","10.90.0.212","10.90.0.199","10.90.0.240","10.90.0.164","10.90.0.160","10.90.0.182","10.90.0.70","10.90.0.180"],"ipV6Addresses":[],"launchedAt":1748534680,"platform":"AMAZON_LINUX_2","subnetId":"subnet-0ababcdefabcdef11","type":"t3.medium","vpcId":"vpc-04ab0123456789123"}},"id":"i-059abcdefabcdef1b","partition":"aws","region":"us-east-2","tags":{"aws:autoscaling:groupName":"eks-sei_demo_prod_linux-00c12345-abcd-1234-5678-601234567896","aws:ec2launchtemplate:version":"6","aws:eks:cluster-name":"sei_demo_prod","eks:cluster-name":"sei_demo_prod","eks:nodegroup-name":"sei_demo_prod_linux","k8s.io/cluster-autoscaler/enabled":"true","k8s.io/cluster-autoscaler/sei_demo_prod":"owned","kubernetes.io/cluster/sei_demo_prod":"owned"},"type":"AWS_EC2_INSTANCE"}],"severity":"HIGH","status":"ACTIVE","title":"CVE-2025-22871 - cri-tools, nerdctl","type":"PACKAGE_VULNERABILITY","updatedAt":1749165997.322} +{"awsAccountId":"123456789012","description":"A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. 
If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrent","epss":{"score":0.0015},"exploitAvailable":"NO","findingArn":"arn:aws:inspector2:us-east-2:123456789012:finding/5303abcdef0123456789abcdef4a68be","firstObservedAt":1748539666.436,"fixAvailable":"YES","inspectorScore":7.5,"inspectorScoreDetails":{"adjustedCvss":{"adjustments":[],"cvssSource":"NVD","score":7.5,"scoreSource":"NVD","scoringVector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"}},"lastObservedAt":1749165997.322,"packageVulnerabilityDetails":{"cvss":[{"baseScore":7.5,"scoringVector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","source":"NVD","version":"3.1"}],"referenceUrls":[],"relatedVulnerabilities":[],"source":"NVD","sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2023-39325","vendorCreatedAt":1697062509,"vendorSeverity":"HIGH","vendorUpdatedAt":1732176909,"vulnerabilityId":"CVE-2023-39325","vulnerablePackages":[{"epoch":0,"filePath":"vol-00a0d78ffdf6dd3fd:/p1:opt/cni/bin/aws-cni","fixedInVersion":"0.17.0","name":"golang.org/x/net","packageManager":"GOBINARY","version":"v0.1.0"}]},"remediation":{"recommendation":{"text":"None 
Provided"}},"resources":[{"details":{"awsEc2Instance":{"iamInstanceProfileArn":"arn:aws:iam::123456789012:instance-profile/eks-0012345a-1234-5678-1234-6c1abcdef012","imageId":"ami-0e0f0123456789abd","ipV4Addresses":["10.90.0.87","10.90.0.60","10.90.0.30","10.90.0.74","10.90.0.206","10.90.0.207","10.90.0.37","10.90.0.149","10.90.0.235","1.128.0.3","10.90.0.225","10.90.0.212","10.90.0.199","10.90.0.240","10.90.0.164","10.90.0.160","10.90.0.182","10.90.0.70","10.90.0.180"],"ipV6Addresses":[],"launchedAt":1748534680,"platform":"AMAZON_LINUX_2","subnetId":"subnet-0ababcdefabcdef11","type":"t3.medium","vpcId":"vpc-04ab0123456789123"}},"id":"i-059abcdefabcdef1b","partition":"aws","region":"us-east-2","tags":{"aws:autoscaling:groupName":"eks-sei_demo_prod_linux-00c12345-abcd-1234-5678-601234567896","aws:ec2launchtemplate:version":"6","aws:eks:cluster-name":"sei_demo_prod","eks:cluster-name":"sei_demo_prod","eks:nodegroup-name":"sei_demo_prod_linux","k8s.io/cluster-autoscaler/enabled":"true","k8s.io/cluster-autoscaler/sei_demo_prod":"owned","kubernetes.io/cluster/sei_demo_prod":"owned"},"type":"AWS_EC2_INSTANCE"}],"severity":"HIGH","status":"ACTIVE","title":"CVE-2023-39325 - golang.org/x/net","type":"PACKAGE_VULNERABILITY","updatedAt":1749165997.322} +{"awsAccountId":"123451234512","description":"In sshd in OpenSSH before 10.0, the DisableForwarding directive does not adhere to the documentation stating that it disables X11 and agent 
forwarding.","epss":{"score":0.00024},"exploitAvailable":"NO","findingArn":"arn:aws:inspector2:us-east-2:123451234512:finding/df63abcdef0123456789abcdefaeed1e","firstObservedAt":1749795895.486,"fixAvailable":"YES","inspectorScore":4.3,"inspectorScoreDetails":{"adjustedCvss":{"adjustments":[],"cvssSource":"AMAZON_CVE","score":4.3,"scoreSource":"AMAZON_CVE","scoringVector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N","version":"3.1"}},"lastObservedAt":1749795895.486,"packageVulnerabilityDetails":{"cvss":[{"baseScore":4.3,"scoringVector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N","source":"AMAZON_CVE","version":"3.1"},{"baseScore":3.8,"scoringVector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N","source":"NVD","version":"3.1"}],"referenceUrls":["https://alas.aws.amazon.com/AL2/ALAS-2025-2881.html","https://alas.aws.amazon.com/cve/json/v1/CVE-2025-32728.json"],"relatedVulnerabilities":["ALAS2-2025-2881"],"source":"AMAZON_CVE","sourceUrl":"https://alas.aws.amazon.com/cve/json/v1/CVE-2025-32728.json","vendorCreatedAt":1744243200,"vendorSeverity":"Medium","vendorUpdatedAt":1744329600,"vulnerabilityId":"CVE-2025-32728","vulnerablePackages":[{"arch":"X86_64","epoch":0,"fixedInVersion":"0:7.4p1-22.amzn2.0.10","name":"openssh","packageManager":"OS","release":"22.amzn2.0.9","remediation":"yum update openssh","version":"7.4p1"},{"arch":"X86_64","epoch":0,"fixedInVersion":"0:7.4p1-22.amzn2.0.10","name":"openssh-clients","packageManager":"OS","release":"22.amzn2.0.9","remediation":"yum update openssh-clients","version":"7.4p1"},{"arch":"X86_64","epoch":0,"fixedInVersion":"0:7.4p1-22.amzn2.0.10","name":"openssh-server","packageManager":"OS","release":"22.amzn2.0.9","remediation":"yum update openssh-server","version":"7.4p1"}]},"remediation":{"recommendation":{"text":"None 
Provided"}},"resources":[{"details":{"awsEc2Instance":{"iamInstanceProfileArn":"arn:aws:iam::123451234512:instance-profile/eks-0012345a-1234-5678-1234-6c1abcdef012","imageId":"ami-0e0f0123456789abd","ipV4Addresses":["10.90.0.42","10.90.0.88","175.16.199.2","10.90.0.57","10.90.0.14","10.90.0.204","10.90.0.59","10.90.0.38","10.90.0.249","10.90.0.147","10.90.0.224","10.90.0.203","10.90.0.253","10.90.0.231","10.90.0.130","10.90.0.186","10.90.0.197","10.90.0.194","10.90.0.170"],"ipV6Addresses":[],"launchedAt":1748534680,"platform":"AMAZON_LINUX_2","subnetId":"subnet-0ababcdefabcdef11","type":"t3.medium","vpcId":"vpc-04ab0123456789123"}},"id":"i-020babcdefabcdefd","partition":"aws","region":"us-east-2","tags":{"aws:autoscaling:groupName":"eks-sei_demo_prod_linux-00c12345-abcd-1234-5678-601234567896","aws:ec2launchtemplate:version":"6","aws:eks:cluster-name":"sei_demo_prod","eks:cluster-name":"sei_demo_prod","eks:nodegroup-name":"sei_demo_prod_linux","k8s.io/cluster-autoscaler/enabled":"true","k8s.io/cluster-autoscaler/sei_demo_prod":"owned","kubernetes.io/cluster/sei_demo_prod":"owned"},"type":"AWS_EC2_INSTANCE"}],"severity":"MEDIUM","status":"ACTIVE","title":"CVE-2025-32728 - openssh, openssh-clients and 1 more","type":"PACKAGE_VULNERABILITY","updatedAt":1749795895.486} +{"awsAccountId":"123451234512","description":"setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in `PackageIndex` is present in setuptools prior to version 78.1.1. An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to remote code execution depending on the context. 
Version 78.1.1 fixes the issue.","epss":{"score":0.00435},"exploitAvailable":"NO","findingArn":"arn:aws:inspector2:us-east-2:123451234512:finding/b677cabcdef0123456789abcdef72108","firstObservedAt":1749795895.486,"fixAvailable":"YES","inspectorScore":7.5,"inspectorScoreDetails":{"adjustedCvss":{"adjustments":[],"cvssSource":"AMAZON_CVE","score":7.5,"scoreSource":"AMAZON_CVE","scoringVector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","version":"3.1"}},"lastObservedAt":1749795895.486,"packageVulnerabilityDetails":{"cvss":[{"baseScore":7.5,"scoringVector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","source":"AMAZON_CVE","version":"3.1"},{"baseScore":8.8,"scoringVector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","source":"NVD","version":"3.1"}],"referenceUrls":["https://alas.aws.amazon.com/AL2023/ALAS-2025-1005.html","https://alas.aws.amazon.com/AL2/ALAS-2025-2877.html","https://alas.aws.amazon.com/AL2023/ALAS-2025-1003.html","https://alas.aws.amazon.com/cve/json/v1/CVE-2025-47273.json","https://alas.aws.amazon.com/AL2023/ALAS-2025-1004.html","https://alas.aws.amazon.com/AL2/ALAS-2025-2876.html"],"relatedVulnerabilities":["ALAS2-2025-2877","ALAS2-2025-2876","ALAS2023-2025-1004","ALAS2023-2025-1005","ALAS2023-2025-1003"],"source":"AMAZON_CVE","sourceUrl":"https://alas.aws.amazon.com/cve/json/v1/CVE-2025-47273.json","vendorCreatedAt":1747440000,"vendorSeverity":"Important","vendorUpdatedAt":1748822400,"vulnerabilityId":"CVE-2025-47273","vulnerablePackages":[{"arch":"NOARCH","epoch":0,"fixedInVersion":"0:41.2.0-4.amzn2.0.6","name":"python2-setuptools","packageManager":"OS","release":"4.amzn2.0.5","remediation":"yum update python2-setuptools","version":"41.2.0"},{"arch":"NOARCH","epoch":0,"fixedInVersion":"0:49.1.3-1.amzn2.0.6","name":"python3-setuptools","packageManager":"OS","release":"1.amzn2.0.5","remediation":"yum update python3-setuptools","version":"49.1.3"}]},"remediation":{"recommendation":{"text":"None 
Provided"}},"resources":[{"details":{"awsEc2Instance":{"iamInstanceProfileArn":"arn:aws:iam::123451234512:instance-profile/eks-0012345a-1234-5678-1234-6c1abcdef012","imageId":"ami-0e0f0123456789abd","ipV4Addresses":["10.90.0.42","10.90.0.88","175.16.199.2","10.90.0.57","10.90.0.14","10.90.0.204","10.90.0.59","10.90.0.38","10.90.0.249","10.90.0.147","10.90.0.224","10.90.0.203","10.90.0.253","10.90.0.231","10.90.0.130","10.90.0.186","10.90.0.197","10.90.0.194","10.90.0.170"],"ipV6Addresses":[],"launchedAt":1748534680,"platform":"AMAZON_LINUX_2","subnetId":"subnet-0ababcdefabcdef11","type":"t3.medium","vpcId":"vpc-04ab0123456789123"}},"id":"i-020babcdefabcdefd","partition":"aws","region":"us-east-2","tags":{"aws:autoscaling:groupName":"eks-sei_demo_prod_linux-00c12345-abcd-1234-5678-601234567896","aws:ec2launchtemplate:version":"6","aws:eks:cluster-name":"sei_demo_prod","eks:cluster-name":"sei_demo_prod","eks:nodegroup-name":"sei_demo_prod_linux","k8s.io/cluster-autoscaler/enabled":"true","k8s.io/cluster-autoscaler/sei_demo_prod":"owned","kubernetes.io/cluster/sei_demo_prod":"owned"},"type":"AWS_EC2_INSTANCE"}],"severity":"HIGH","status":"ACTIVE","title":"CVE-2025-47273 - python2-setuptools, python3-setuptools","type":"PACKAGE_VULNERABILITY","updatedAt":1749795895.486} +{"awsAccountId":"123451234512","description":"When an input DER data contains a large number of SEQUENCE OF or SET OF elements, decoding the data and searching a specific element in it take quadratic time to complete. 
This could be utilized for a remote DoS attack by presenting a crafted certificate to the network peer.","epss":{"score":0.00103},"exploitAvailable":"NO","findingArn":"arn:aws:inspector2:us-east-2:123451234512:finding/6fabcdef0123456789abcdef5e93504a","firstObservedAt":1749795895.486,"fixAvailable":"YES","inspectorScore":5.3,"inspectorScoreDetails":{"adjustedCvss":{"adjustments":[],"cvssSource":"AMAZON_CVE","score":5.3,"scoreSource":"AMAZON_CVE","scoringVector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","version":"3.1"}},"lastObservedAt":1749795895.486,"packageVulnerabilityDetails":{"cvss":[{"baseScore":5.3,"scoringVector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","source":"AMAZON_CVE","version":"3.1"},{"baseScore":5.3,"scoringVector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","source":"NVD","version":"3.1"}],"referenceUrls":["https://alas.aws.amazon.com/AL2023/ALAS-2025-989.html","https://alas.aws.amazon.com/AL2/ALAS-2025-2886.html","https://alas.aws.amazon.com/cve/json/v1/CVE-2024-12133.json"],"relatedVulnerabilities":["ALAS2-2025-2886","ALAS2023-2025-989"],"source":"AMAZON_CVE","sourceUrl":"https://alas.aws.amazon.com/cve/json/v1/CVE-2024-12133.json","vendorCreatedAt":1738972800,"vendorSeverity":"Medium","vendorUpdatedAt":1746748800,"vulnerabilityId":"CVE-2024-12133","vulnerablePackages":[{"arch":"X86_64","epoch":0,"fixedInVersion":"0:4.10-1.amzn2.0.7","name":"libtasn1","packageManager":"OS","release":"1.amzn2.0.6","remediation":"yum update libtasn1","version":"4.10"}]},"remediation":{"recommendation":{"text":"None 
Provided"}},"resources":[{"details":{"awsEc2Instance":{"iamInstanceProfileArn":"arn:aws:iam::123451234512:instance-profile/eks-0012345a-1234-5678-1234-6c1abcdef012","imageId":"ami-0e0f0123456789abd","ipV4Addresses":["10.90.0.42","10.90.0.88","175.16.199.3","10.90.0.57","10.90.0.14","10.90.0.204","10.90.0.59","10.90.0.38","10.90.0.249","10.90.0.147","10.90.0.224","10.90.0.203","10.90.0.253","10.90.0.231","10.90.0.130","10.90.0.186","10.90.0.197","10.90.0.194","10.90.0.170"],"ipV6Addresses":[],"launchedAt":1748534680,"platform":"AMAZON_LINUX_2","subnetId":"subnet-0ababcdefabcdef11","type":"t3.medium","vpcId":"vpc-04ab0123456789123"}},"id":"i-020babcdefabcdefd","partition":"aws","region":"us-east-2","tags":{"aws:autoscaling:groupName":"eks-sei_demo_prod_linux-00c12345-abcd-1234-5678-601234567896","aws:ec2launchtemplate:version":"6","aws:eks:cluster-name":"sei_demo_prod","eks:cluster-name":"sei_demo_prod","eks:nodegroup-name":"sei_demo_prod_linux","k8s.io/cluster-autoscaler/enabled":"true","k8s.io/cluster-autoscaler/sei_demo_prod":"owned","kubernetes.io/cluster/sei_demo_prod":"owned"},"type":"AWS_EC2_INSTANCE"}],"severity":"MEDIUM","status":"ACTIVE","title":"CVE-2024-12133 - libtasn1","type":"PACKAGE_VULNERABILITY","updatedAt":1749795895.486} +{"awsAccountId":"123451256789","description":"Thread creation while a directory handle is open does a fchdir, affecting other threads (race 
condition)","epss":{"score":0.00015},"exploitAvailable":"NO","findingArn":"arn:aws:inspector2:us-east-2:123451256789:finding/5f7abcdef0123456789abcdef1e80328","firstObservedAt":1749795895.486,"fixAvailable":"YES","inspectorScore":7,"inspectorScoreDetails":{"adjustedCvss":{"adjustments":[],"cvssSource":"AMAZON_CVE","score":7,"scoreSource":"AMAZON_CVE","scoringVector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}},"lastObservedAt":1749795895.486,"packageVulnerabilityDetails":{"cvss":[{"baseScore":7,"scoringVector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H","source":"AMAZON_CVE","version":"3.1"},{"baseScore":5.9,"scoringVector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L","source":"NVD","version":"3.1"}],"referenceUrls":["https://alas.aws.amazon.com/cve/json/v1/CVE-2025-40909.json","https://alas.aws.amazon.com/AL2023/ALAS-2025-1007.html","https://alas.aws.amazon.com/AL2/ALAS-2025-2879.html","https://alas.aws.amazon.com/ALAS-2025-1981.html"],"relatedVulnerabilities":["ALAS-2025-1981","ALAS2023-2025-1007","ALAS2-2025-2879"],"source":"AMAZON_CVE","sourceUrl":"https://alas.aws.amazon.com/cve/json/v1/CVE-2025-40909.json","vendorCreatedAt":1748390400,"vendorSeverity":"Important","vendorUpdatedAt":1748390400,"vulnerabilityId":"CVE-2025-40909","vulnerablePackages":[{"arch":"X86_64","epoch":4,"fixedInVersion":"4:5.16.3-299.amzn2.0.3","name":"perl","packageManager":"OS","release":"299.amzn2.0.2","remediation":"yum update perl","version":"5.16.3"},{"arch":"NOARCH","epoch":1,"fixedInVersion":"1:1.04-299.amzn2.0.3","name":"perl-Pod-Escapes","packageManager":"OS","release":"299.amzn2.0.2","remediation":"yum update perl-Pod-Escapes","version":"1.04"},{"arch":"X86_64","epoch":4,"fixedInVersion":"4:5.16.3-299.amzn2.0.3","name":"perl-libs","packageManager":"OS","release":"299.amzn2.0.2","remediation":"yum update 
perl-libs","version":"5.16.3"},{"arch":"X86_64","epoch":4,"fixedInVersion":"4:5.16.3-299.amzn2.0.3","name":"perl-macros","packageManager":"OS","release":"299.amzn2.0.2","remediation":"yum update perl-macros","version":"5.16.3"}]},"remediation":{"recommendation":{"text":"None Provided"}},"resources":[{"details":{"awsEc2Instance":{"iamInstanceProfileArn":"arn:aws:iam::123451256789:instance-profile/eks-0012345a-1234-5678-1234-6c1abcdef012","imageId":"ami-0e0f0123456789abd","ipV4Addresses":["10.90.0.42","10.90.0.88","175.16.199.3","10.90.0.57","10.90.0.14","10.90.0.204","10.90.0.59","10.90.0.38","10.90.0.249","10.90.0.147","10.90.0.224","10.90.0.203","10.90.0.253","10.90.0.231","10.90.0.130","10.90.0.186","10.90.0.197","10.90.0.194","10.90.0.170"],"ipV6Addresses":[],"launchedAt":1748534680,"platform":"AMAZON_LINUX_2","subnetId":"subnet-0ababcdefabcdef11","type":"t3.medium","vpcId":"vpc-04ab0123456789123"}},"id":"i-020babcdefabcdefd","partition":"aws","region":"us-east-2","tags":{"aws:autoscaling:groupName":"eks-sei_demo_prod_linux-00c12345-abcd-1234-5678-601234567896","aws:ec2launchtemplate:version":"6","aws:eks:cluster-name":"sei_demo_prod","eks:cluster-name":"sei_demo_prod","eks:nodegroup-name":"sei_demo_prod_linux","k8s.io/cluster-autoscaler/enabled":"true","k8s.io/cluster-autoscaler/sei_demo_prod":"owned","kubernetes.io/cluster/sei_demo_prod":"owned"},"type":"AWS_EC2_INSTANCE"}],"severity":"HIGH","status":"ACTIVE","title":"CVE-2025-40909 - perl, perl-Pod-Escapes and 2 more","type":"PACKAGE_VULNERABILITY","updatedAt":1749795895.486} +{"awsAccountId":"123451256789","description":"SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never 
transmitted.","epss":{"score":0.00051},"exploitAvailable":"NO","findingArn":"arn:aws:inspector2:us-east-2:123451256789:finding/5329abcdef0123456789abcdef21a4b8","firstObservedAt":1748539658.967,"fixAvailable":"YES","inspectorScore":7.5,"inspectorScoreDetails":{"adjustedCvss":{"adjustments":[],"cvssSource":"NVD","score":7.5,"scoreSource":"NVD","scoringVector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"}},"lastObservedAt":1749795895.486,"packageVulnerabilityDetails":{"cvss":[{"baseScore":7.5,"scoringVector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","source":"NVD","version":"3.1"},{"baseScore":7.5,"scoringVector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","source":"NVD","version":"3.1"}],"referenceUrls":["https://nvd.nist.gov/vuln/detail/CVE-2025-22869","https://alas.aws.amazon.com/AL2/ALASDOCKER-2025-053.html","https://alas.aws.amazon.com/AL2/ALAS-2025-2883.html","https://alas.aws.amazon.com/AL2/ALASNITRO-ENCLAVES-2025-053.html","https://alas.aws.amazon.com/AL2/ALASDOCKER-2025-056.html","https://alas.aws.amazon.com/cve/json/v1/CVE-2025-22869.json","https://alas.aws.amazon.com/AL2/ALASECS-2025-054.html","https://alas.aws.amazon.com/AL2023/ALAS-2025-934.html","https://alas.aws.amazon.com/ALAS-2025-1982.html","https://alas.aws.amazon.com/AL2023/ALAS-2025-1013.html","https://alas.aws.amazon.com/AL2023/ALAS-2025-914.html","https://alas.aws.amazon.com/cve/json/v1/CVE-2025-22869.json"],"relatedVulnerabilities":[],"source":"NVD","sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2025-22869","vendorCreatedAt":1740557664,"vendorSeverity":"HIGH","vendorUpdatedAt":1746127700,"vulnerabilityId":"CVE-2025-22869","vulnerablePackages":[{"arch":"X86_64","epoch":0,"fixedInVersion":"0:3.3.2299.0-1.amzn2","name":"amazon-ssm-agent","packageManager":"OS","release":"1.amzn2","remediation":"yum update 
amazon-ssm-agent","version":"3.3.1957.0"},{"epoch":0,"filePath":"vol-0718e90f4c9530260:/p1:usr/bin/kubelet","fixedInVersion":"0.35.0","name":"golang.org/x/crypto","packageManager":"GOBINARY","version":"v0.28.0"}]},"remediation":{"recommendation":{"text":"None Provided"}},"resources":[{"details":{"awsEc2Instance":{"iamInstanceProfileArn":"arn:aws:iam::123451256789:instance-profile/eks-0012345a-1234-5678-1234-6c1abcdef012","imageId":"ami-0e0f0123456789abd","ipV4Addresses":["10.90.0.42","10.90.0.88","175.16.199.1","10.90.0.57","10.90.0.14","10.90.0.204","10.90.0.59","10.90.0.38","10.90.0.249","10.90.0.147","10.90.0.224","10.90.0.203","10.90.0.253","10.90.0.231","10.90.0.130","10.90.0.186","10.90.0.197","10.90.0.194","10.90.0.170"],"ipV6Addresses":[],"launchedAt":1748534680,"platform":"AMAZON_LINUX_2","subnetId":"subnet-0ababcdefabcdef11","type":"t3.medium","vpcId":"vpc-04ab0123456789123"}},"id":"i-020babcdefabcdefd","partition":"aws","region":"us-east-2","tags":{"aws:autoscaling:groupName":"eks-sei_demo_prod_linux-00c12345-abcd-1234-5678-601234567896","aws:ec2launchtemplate:version":"6","aws:eks:cluster-name":"sei_demo_prod","eks:cluster-name":"sei_demo_prod","eks:nodegroup-name":"sei_demo_prod_linux","k8s.io/cluster-autoscaler/enabled":"true","k8s.io/cluster-autoscaler/sei_demo_prod":"owned","kubernetes.io/cluster/sei_demo_prod":"owned"},"type":"AWS_EC2_INSTANCE"}],"severity":"HIGH","status":"ACTIVE","title":"CVE-2025-22869 - amazon-ssm-agent, golang.org/x/crypto","type":"PACKAGE_VULNERABILITY","updatedAt":1749795895.486} +{"awsAccountId":"123451256789","description":"In libxml2 before 2.13.8 and 2.14.x before 2.14.2, xmlSchemaIDCFillNodeTables in xmlschemas.c has a heap-based buffer under-read. 
To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used.","epss":{"score":0.00023},"exploitAvailable":"NO","findingArn":"arn:aws:inspector2:us-east-2:123451256789:finding/52dcbabcdef0123456789abcdefd2b65","firstObservedAt":1748629534.399,"fixAvailable":"YES","inspectorScore":2.9,"inspectorScoreDetails":{"adjustedCvss":{"adjustments":[],"cvssSource":"AMAZON_CVE","score":2.9,"scoreSource":"AMAZON_CVE","scoringVector":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L","version":"3.1"}},"lastObservedAt":1749795895.486,"packageVulnerabilityDetails":{"cvss":[{"baseScore":2.9,"scoringVector":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L","source":"AMAZON_CVE","version":"3.1"},{"baseScore":7.5,"scoringVector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","source":"NVD","version":"3.1"}],"referenceUrls":["https://alas.aws.amazon.com/AL2023/ALAS-2025-963.html","https://alas.aws.amazon.com/AL2/ALAS-2025-2860.html","https://alas.aws.amazon.com/cve/json/v1/CVE-2025-32415.json"],"relatedVulnerabilities":["ALAS2023-2025-963","ALAS2-2025-2860"],"source":"AMAZON_CVE","sourceUrl":"https://alas.aws.amazon.com/cve/json/v1/CVE-2025-32415.json","vendorCreatedAt":1744848000,"vendorSeverity":"Low","vendorUpdatedAt":1745452800,"vulnerabilityId":"CVE-2025-32415","vulnerablePackages":[{"arch":"X86_64","epoch":0,"fixedInVersion":"0:2.9.1-6.amzn2.5.17","name":"libxml2","packageManager":"OS","release":"6.amzn2.5.16","remediation":"yum update libxml2","version":"2.9.1"},{"arch":"X86_64","epoch":0,"fixedInVersion":"0:2.9.1-6.amzn2.5.17","name":"libxml2-python","packageManager":"OS","release":"6.amzn2.5.16","remediation":"yum update libxml2-python","version":"2.9.1"}]},"remediation":{"recommendation":{"text":"None 
Provided"}},"resources":[{"details":{"awsEc2Instance":{"iamInstanceProfileArn":"arn:aws:iam::123451256789:instance-profile/eks-0012345a-1234-5678-1234-6c1abcdef012","imageId":"ami-0e0f0123456789abd","ipV4Addresses":["10.90.0.42","10.90.0.88","175.16.199.6","10.90.0.57","10.90.0.14","10.90.0.204","10.90.0.59","10.90.0.38","10.90.0.249","10.90.0.147","10.90.0.224","10.90.0.203","10.90.0.253","10.90.0.231","10.90.0.130","10.90.0.186","10.90.0.197","10.90.0.194","10.90.0.170"],"ipV6Addresses":[],"launchedAt":1748534680,"platform":"AMAZON_LINUX_2","subnetId":"subnet-0ababcdefabcdef11","type":"t3.medium","vpcId":"vpc-04ab0123456789123"}},"id":"i-020babcdefabcdefd","partition":"aws","region":"us-east-2","tags":{"aws:autoscaling:groupName":"eks-sei_demo_prod_linux-00c12345-abcd-1234-5678-601234567896","aws:ec2launchtemplate:version":"6","aws:eks:cluster-name":"sei_demo_prod","eks:cluster-name":"sei_demo_prod","eks:nodegroup-name":"sei_demo_prod_linux","k8s.io/cluster-autoscaler/enabled":"true","k8s.io/cluster-autoscaler/sei_demo_prod":"owned","kubernetes.io/cluster/sei_demo_prod":"owned"},"type":"AWS_EC2_INSTANCE"}],"severity":"LOW","status":"ACTIVE","title":"CVE-2025-32415 - libxml2, libxml2-python","type":"PACKAGE_VULNERABILITY","updatedAt":1749795895.486} +{"awsAccountId":"123451256789","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nice: arfs: fix use-after-free when freeing 
@rx_cpu_rmap","epss":{"score":0.00021},"exploitAvailable":"NO","findingArn":"arn:aws:inspector2:us-east-2:123451256789:finding/64eabcdef0123456789abcdefb1234bb","firstObservedAt":1748629505.465,"fixAvailable":"YES","inspectorScore":7.8,"inspectorScoreDetails":{"adjustedCvss":{"adjustments":[],"cvssSource":"AMAZON_CVE","score":7.8,"scoreSource":"AMAZON_CVE","scoringVector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}},"lastObservedAt":1749525885.775,"packageVulnerabilityDetails":{"cvss":[{"baseScore":7.8,"scoringVector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","source":"AMAZON_CVE","version":"3.1"},{"baseScore":7.8,"scoringVector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","source":"NVD","version":"3.1"}],"referenceUrls":["https://alas.aws.amazon.com/cve/json/v1/CVE-2022-49063.json","https://alas.aws.amazon.com/AL2/ALASKERNEL-5.10-2025-094.html"],"relatedVulnerabilities":["ALAS2KERNEL-5.10-2025-094"],"source":"AMAZON_CVE","sourceUrl":"https://alas.aws.amazon.com/cve/json/v1/CVE-2022-49063.json","vendorCreatedAt":1740528000,"vendorSeverity":"Important","vendorUpdatedAt":1742256000,"vulnerabilityId":"CVE-2022-49063","vulnerablePackages":[{"arch":"X86_64","epoch":0,"fixedInVersion":"0:5.10.237-230.949.amzn2","name":"kernel","packageManager":"OS","release":"228.935.amzn2","remediation":"yum update kernel","version":"5.10.236"},{"arch":"X86_64","epoch":0,"fixedInVersion":"0:5.10.237-230.949.amzn2","name":"kernel-devel","packageManager":"OS","release":"228.935.amzn2","remediation":"yum update kernel-devel","version":"5.10.236"},{"arch":"X86_64","epoch":0,"fixedInVersion":"0:5.10.237-230.949.amzn2","name":"kernel-headers","packageManager":"OS","release":"228.935.amzn2","remediation":"yum update kernel-headers","version":"5.10.236"}]},"remediation":{"recommendation":{"text":"None 
Provided"}},"resources":[{"details":{"awsEc2Instance":{"iamInstanceProfileArn":"arn:aws:iam::123451256789:instance-profile/eks-0012345a-1234-5678-1234-6c1abcdef012","imageId":"ami-0e0f0123456789abd","ipV4Addresses":["10.90.0.87","10.90.0.60","10.90.0.30","10.90.0.74","10.90.0.206","10.90.0.207","10.90.0.37","10.90.0.149","10.90.0.235","1.128.0.3","10.90.0.225","10.90.0.212","10.90.0.199","10.90.0.240","10.90.0.164","10.90.0.160","10.90.0.182","10.90.0.70","10.90.0.180"],"ipV6Addresses":[],"launchedAt":1748534680,"platform":"AMAZON_LINUX_2","subnetId":"subnet-0ababcdefabcdef11","type":"t3.medium","vpcId":"vpc-04ab0123456789123"}},"id":"i-059abcdefabcdef1b","partition":"aws","region":"us-east-2","tags":{"aws:autoscaling:groupName":"eks-sei_demo_prod_linux-00c12345-abcd-1234-5678-601234567896","aws:ec2launchtemplate:version":"6","aws:eks:cluster-name":"sei_demo_prod","eks:cluster-name":"sei_demo_prod","eks:nodegroup-name":"sei_demo_prod_linux","k8s.io/cluster-autoscaler/enabled":"true","k8s.io/cluster-autoscaler/sei_demo_prod":"owned","kubernetes.io/cluster/sei_demo_prod":"owned"},"type":"AWS_EC2_INSTANCE"}],"severity":"HIGH","status":"ACTIVE","title":"CVE-2022-49063 - kernel, kernel-devel and 1 more","type":"PACKAGE_VULNERABILITY","updatedAt":1749525885.775} +{"awsAccountId":"123451256789","description":"On the instance i-059abcdefabcdef1b, the port range 31699-31699 is reachable from the InternetGateway igw-0e7abcdefabcdef3e from an attached ENI 
eni-03fabcdefabcdef8f.","findingArn":"arn:aws:inspector2:us-east-2:123451256789:finding/6cde74bdabcdef0123456789abcdef05","firstObservedAt":1748560596.648,"lastObservedAt":1748560596.648,"networkReachabilityDetails":{"networkPath":{"steps":[{"componentArn":"arn:aws:ec2:us-east-2:123451256789:internet-gateway/igw-0e7abcdefabcdef3e","componentId":"igw-0e7abcdefabcdef3e","componentType":"AWS::EC2::InternetGateway"},{"componentArn":"arn:aws:ec2:us-east-2:123451256789:network-acl/acl-0d9abcdefabcd0b","componentId":"acl-0d9abcdefabcd0b","componentType":"AWS::EC2::NetworkAcl"},{"componentArn":"arn:aws:ec2:us-east-2:123451256789:security-group/sg-0ef5abcdefabcdef6","componentId":"sg-0ef5abcdefabcdef6","componentType":"AWS::EC2::SecurityGroup"},{"componentArn":"arn:aws:ec2:us-east-2:123451256789:network-interface/eni-03fabcdefabcdef8f","componentId":"eni-03fabcdefabcdef8f","componentType":"AWS::EC2::NetworkInterface"},{"componentArn":"arn:aws:ec2:us-east-2:123451256789:instance/i-059abcdefabcdef1b","componentId":"i-059abcdefabcdef1b","componentType":"AWS::EC2::Instance"}]},"openPortRange":{"begin":31699,"end":31699},"protocol":"TCP"},"remediation":{"recommendation":{"text":"You can restrict access to your instance by modifying the Security Groups or ACLs in the network 
path."}},"resources":[{"details":{"awsEc2Instance":{"iamInstanceProfileArn":"arn:aws:iam::123451256789:instance-profile/eks-0012345a-1234-5678-1234-6c1abcdef012","imageId":"ami-0e0f0123456789abd","ipV4Addresses":["10.90.0.87","10.90.0.60","10.90.0.30","10.90.0.74","10.90.0.206","10.90.0.207","10.90.0.37","10.90.0.149","10.90.0.235","1.128.0.5","10.90.0.225","10.90.0.212","10.90.0.199","10.90.0.240","10.90.0.164","10.90.0.160","10.90.0.182","10.90.0.70","10.90.0.180"],"ipV6Addresses":[],"launchedAt":1748534680,"platform":"AMAZON_LINUX_2","subnetId":"subnet-0ababcdefabcdef11","type":"t3.medium","vpcId":"vpc-04ab0123456789123"}},"id":"i-059abcdefabcdef1b","partition":"aws","region":"us-east-2","tags":{"aws:autoscaling:groupName":"eks-sei_demo_prod_linux-00c12345-abcd-1234-5678-601234567896","aws:ec2launchtemplate:version":"6","aws:eks:cluster-name":"sei_demo_prod","eks:cluster-name":"sei_demo_prod","eks:nodegroup-name":"sei_demo_prod_linux","k8s.io/cluster-autoscaler/enabled":"true","k8s.io/cluster-autoscaler/sei_demo_prod":"owned","kubernetes.io/cluster/sei_demo_prod":"owned"},"type":"AWS_EC2_INSTANCE"}],"severity":"INFORMATIONAL","status":"ACTIVE","title":"Port 31699 is reachable from an Internet Gateway - TCP","type":"NETWORK_REACHABILITY","updatedAt":1748560596.648} +{"awsAccountId":"701234567890","description":"go-git is a highly extensible git implementation library written in pure Go. An argument injection vulnerability was discovered in go-git versions prior to v5.13. Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags. This only happens when the file transport protocol is being used, as that is the only protocol that shells out to git binaries. 
This vulnerability is fixed in 5.13.0.","epss":{"score":0.00112},"exploitAvailable":"NO","findingArn":"arn:aws:inspector2:eu-west-1:701234567890:finding/2abcdefabcdefabcdef01234567896cb","firstObservedAt":1749094163.084,"fixAvailable":"YES","inspectorScore":9.8,"inspectorScoreDetails":{"adjustedCvss":{"adjustments":[],"cvssSource":"NVD","score":9.8,"scoreSource":"NVD","scoringVector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}},"lastObservedAt":1750246253.082,"packageVulnerabilityDetails":{"cvss":[{"baseScore":9.8,"scoringVector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","source":"NVD","version":"3.1"}],"referenceUrls":["https://nvd.nist.gov/vuln/detail/CVE-2025-21613"],"relatedVulnerabilities":[],"source":"NVD","sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2025-21613","vendorCreatedAt":1736183747,"vendorSeverity":"CRITICAL","vendorUpdatedAt":1744857237,"vulnerabilityId":"CVE-2025-21613","vulnerablePackages":[{"epoch":0,"filePath":"vol-052abcdefabcdef9f:/p1:home/ubuntu/elastic-agent-8.17.3-linux-x86_64/data/elastic-agent-0efe49/components/cloudbeat","fixedInVersion":"5.13.0","name":"github.com/go-git/go-git/v5","packageManager":"GOBINARY","version":"v5.12.0"},{"epoch":0,"filePath":"vol-abcdef0123456789f:/p1:opt/Elastic/Agent/data/elastic-agent-8.17.3-0efe49/components/cloudbeat","fixedInVersion":"5.13.0","name":"github.com/go-git/go-git/v5","packageManager":"GOBINARY","version":"v5.12.0"}]},"remediation":{"recommendation":{"text":"None 
Provided"}},"resources":[{"details":{"awsEc2Instance":{"imageId":"ami-0abcd0123456789d1","ipV4Addresses":["1.128.0.1","175.16.199.2"],"ipV6Addresses":[],"keyName":"1234-abcd-test","launchedAt":1741357592,"platform":"UBUNTU_24_04","subnetId":"subnet-babcdefd","type":"c5.4xlarge","vpcId":"vpc-abcdef01"}},"id":"i-abcdef0123456789d","partition":"aws","region":"eu-west-1","tags":{"Name":"long-running-env-logs","division":"engineering","org":"security","project":"testabc","team":"cloud-security-posture"},"type":"AWS_EC2_INSTANCE"}],"severity":"CRITICAL","status":"ACTIVE","title":"CVE-2025-21613 - github.com/go-git/go-git/v5, github.com/go-git/go-git/v5","type":"PACKAGE_VULNERABILITY","updatedAt":1750246253.082} +{"awsAccountId":"012345678989","description":"setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in `PackageIndex` is present in setuptools prior to version 78.1.1. An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to remote code execution depending on the context. 
Version 78.1.1 fixes the issue.","epss":{"score":0.0012},"exploitAvailable":"NO","findingArn":"arn:aws:inspector2:us-east-1:012345678989:finding/194f71676abcdefabcdef01234567895","firstObservedAt":1749804372.05,"fixAvailable":"YES","inspectorScore":7.5,"inspectorScoreDetails":{"adjustedCvss":{"adjustments":[],"cvssSource":"AMAZON_CVE","score":7.5,"scoreSource":"AMAZON_CVE","scoringVector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","version":"3.1"}},"lastObservedAt":1750941752.515,"packageVulnerabilityDetails":{"cvss":[{"baseScore":7.5,"scoringVector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","source":"AMAZON_CVE","version":"3.1"},{"baseScore":8.8,"scoringVector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","source":"NVD","version":"3.1"}],"referenceUrls":["https://alas.aws.amazon.com/AL2023/ALAS-2025-1005.html","https://alas.aws.amazon.com/AL2/ALAS-2025-2877.html","https://alas.aws.amazon.com/AL2023/ALAS-2025-1003.html","https://alas.aws.amazon.com/cve/json/v1/CVE-2025-47273.json","https://alas.aws.amazon.com/AL2023/ALAS-2025-1004.html","https://alas.aws.amazon.com/AL2/ALAS-2025-2876.html"],"relatedVulnerabilities":["ALAS2-2025-2877","ALAS2-2025-2876","ALAS2023-2025-1004","ALAS2023-2025-1005","ALAS2023-2025-1003"],"source":"AMAZON_CVE","sourceUrl":"https://alas.aws.amazon.com/cve/json/v1/CVE-2025-47273.json","vendorCreatedAt":1747440000,"vendorSeverity":"Important","vendorUpdatedAt":1748822400,"vulnerabilityId":"CVE-2025-47273","vulnerablePackages":[{"arch":"NOARCH","epoch":0,"fixedInVersion":"0:59.6.0-2.amzn2023.0.6","name":"python3-setuptools","packageManager":"OS","release":"2.amzn2023.0.5","remediation":"sudo dnf check-update","sourceLayerHash":"sha256:023cba81b02358aa89023184475accbaf4d8b7edba68d1c8981e46747029cc80","version":"59.6.0"},{"arch":"NOARCH","epoch":0,"fixedInVersion":"0:59.6.0-2.amzn2023.0.6","name":"python3-setuptools-wheel","packageManager":"OS","release":"2.amzn2023.0.5","remediation":"sudo dnf 
check-update","sourceLayerHash":"sha256:023cba81b02358aa89023184475accbaf4d8b7edba68d1c8981e46747029cc80","version":"59.6.0"}]},"remediation":{"recommendation":{"text":"None Provided"}},"resources":[{"details":{"awsEcrContainerImage":{"architecture":"amd64","imageHash":"sha256:2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824","imageTags":["latest"],"platform":"AMAZON_LINUX_2023","pushedAt":1744892687.924,"registry":"012345678989","repositoryName":"orestis-onweek-2"}},"id":"arn:aws:ecr:us-east-1:012345678989:repository/orestis-onweek-2/sha256:2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824","partition":"aws","region":"us-east-1","tags":{},"type":"AWS_ECR_CONTAINER_IMAGE"}],"severity":"HIGH","status":"ACTIVE","title":"CVE-2025-47273 - python3-setuptools, python3-setuptools-wheel","type":"PACKAGE_VULNERABILITY","updatedAt":1750941752.515} diff --git a/packages/aws/data_stream/inspector/_dev/test/pipeline/test-inspector.log-expected.json b/packages/aws/data_stream/inspector/_dev/test/pipeline/test-inspector.log-expected.json index f6e8e340aec..4dbf1b57f51 100644 --- a/packages/aws/data_stream/inspector/_dev/test/pipeline/test-inspector.log-expected.json +++ b/packages/aws/data_stream/inspector/_dev/test/pipeline/test-inspector.log-expected.json @@ -44,6 +44,19 @@ }, "protocol": "TCP" }, + "package_nested": [ + { + "arch": "arch", + "epoch": 123, + "file_path": "/example", + "fixed_in_version": "3", + "name": "example", + "package_manager": "BUNDLER", + "release": "release", + "source_layer_hash": "50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545c", + "version": "2.0" + } + ], "package_vulnerability_details": { "cvss": [ { @@ -81,7 +94,7 @@ "arch": "arch", "epoch": 123, "file_path": "/example", - "fixed_inversion": "3", + "fixed_in_version": "3", "name": "example", "package_manager": "BUNDLER", "release": "release", 
@@ -161,24 +174,64 @@ "account": { "id": "123456789" }, - "region": [ - "us-east-1" - ] + "instance": { + "id": "12345678" + }, + "machine": { + "type": "Instance" + }, + "provider": "aws", + "region": "us-east-1" }, "ecs": { "version": "8.11.0" }, "event": { + "category": [ + "vulnerability" + ], "kind": "event", "original": "{\"awsAccountId\":\"123456789\",\"description\":\"Findins message\",\"findingArn\":\"arn:aws:s3:::sample\",\"firstObservedAt\":\"1.663703546405E9\",\"inspectorScore\":1.2,\"inspectorScoreDetails\":{\"adjustedCvss\":{\"adjustments\":[{\"metric\":\"Base\",\"reason\":\"use Base metric\"}],\"cvssSource\":\"scope1\",\"score\":8.9,\"scoreSource\":\"scope2\",\"scoringVector\":\"Attack Vector\",\"version\":\"v3.1\"}},\"lastObservedAt\":\"1.663703546405E9\",\"networkReachabilityDetails\":{\"networkPath\":{\"steps\":[{\"componentId\":\"02ce3860-3126-42af-8ac7-c2a661134129\",\"componentType\":\"type\"}]},\"openPortRange\":{\"begin\":1234,\"end\":4567},\"protocol\":\"TCP\"},\"packageVulnerabilityDetails\":{\"cvss\":[{\"baseScore\":1.1,\"scoringVector\":\"Attack 
Vector\",\"source\":\"scope3\",\"version\":\"v3.1\"}],\"referenceUrls\":[\"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111\"],\"relatedVulnerabilities\":[\"security\"],\"source\":\"example\",\"sourceUrl\":\"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111\",\"vendorCreatedAt\":\"1.663703546405E9\",\"vendorSeverity\":\"basic\",\"vendorUpdatedAt\":\"1.663703546405E9\",\"vulnerabilityId\":\"123456789\",\"vulnerablePackages\":[{\"arch\":\"arch\",\"epoch\":123,\"filePath\":\"/example\",\"fixedInVersion\":\"3\",\"name\":\"example\",\"packageManager\":\"BUNDLER\",\"release\":\"release\",\"sourceLayerHash\":\"50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545c\",\"version\":\"2.0\"}]},\"remediation\":{\"recommendation\":{\"text\":\"example\",\"Url\":\"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111\"}},\"resources\":[{\"details\":{\"awsEc2Instance\":{\"iamInstanceProfileArn\":\"arn:aws:s3:::iam\",\"imageId\":\"123456789\",\"ipV4Addresses\":[\"89.160.20.128\",\"81.2.69.192\"],\"ipV6Addresses\":[\"2a02:cf40::\"],\"keyName\":\"sample\",\"launchedAt\":\"1.663703546405E9\",\"platform\":\"EC2\",\"subnetId\":\"123456\",\"type\":\"Instance\",\"vpcId\":\"3265875\"},\"awsEcrContainerImage\":{\"architecture\":\"arch\",\"author\":\"example\",\"imageHash\":\"50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545d\",\"imageTags\":[\"sample\"],\"platform\":\"ECR\",\"pushedAt\":\"1.663703546405E9\",\"registry\":\"ecr registry\",\"repositoryName\":\"sample\"}},\"id\":\"12345678\",\"partition\":\"partition\",\"region\":\"us-east-1\",\"tags\":{\"string1\":\"string1\",\"string2\":\"string2\"},\"type\":\"AWS_EC2_INSTANCE\"}],\"severity\":\"INFORMATIONAL\",\"status\":\"ACTIVE\",\"title\":\"sample findings\",\"type\":\"NETWORK_REACHABILITY\",\"updatedAt\":\"1.663703546405E9\"}", "type": [ "info" ] }, + "host": { + "id": "12345678", + "ip": [ + "89.160.20.128", + "81.2.69.192", + "2a02:cf40::" + ], + "os": { + "platform": "EC2" + }, + 
"type": "Instance" + }, "message": "Findins message", "network": { "transport": "tcp" }, + "observer": { + "vendor": "Amazon Inspector" + }, + "package": { + "architecture": [ + "arch" + ], + "fixed_version": [ + "3" + ], + "name": [ + "example" + ], + "path": [ + "/example" + ], + "version": [ + "2.0" + ] + }, "related": { "hash": [ "50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545c", 
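Review bot: The expected `event` block for this first fixture gains `category` but still has no `id`, while the documents added further down in this file carry an `event.id` made of `transform_unique_id` plus a timestamp equal to `updated_at`. The fixture is a `NETWORK_REACHABILITY` finding, so it looks as if only package findings receive a stable id; that is inferred from the expected output, and the pipeline itself is not visible here. If repeated polls of the same finding are meant to collapse to one document for every finding type, this block should also expect a line such as `"id": "<id derived from findingArn and updatedAt>",` (placeholder value), with the pipeline falling back to `findingArn` when no package key can be built. If the omission is deliberate, a reachability fixture that asserts the intended behaviour would make that explicit.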
@@ -190,25 +243,4754 @@ "2a02:cf40::" ] }, + "resource": { + "id": "12345678", + "type": "AWS_EC2_INSTANCE" + }, "tags": [ "preserve_original_event", "preserve_duplicate_custom_fields" ], "vulnerability": { + "description": "Findins message", "id": "123456789", + "published_date": "2022-09-20T19:52:26.405Z", "reference": [ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111" ], + "scanner": { + "vendor": "Amazon Inspector" + }, + "score": { + "base": 8.9, + "version": "v3.1" + }, + "severity": "Low", + "title": "sample findings" + } + }, + { + "@timestamp": "2025-06-05T23:26:37.322Z", + "aws": { + "inspector": { + "aws_account_id": "123456789012", + "description": "Requests is a HTTP library. Prior to 2.32.0, when making requests through a Requests `Session`, if the first request is made with `verify=False` to disable cert verification, all subsequent requests to the same host will continue to ignore cert verification regardless of changes to the value of `verify`. This behavior will continue for the lifecycle of the connection in the connection pool. 
This vulnerability is fixed in 2.32.0.", + "epss": { + "score": 1.8E-4 + }, + "exploit_available": "NO", + "finding_arn": "arn:aws:inspector2:us-east-2:123451256789:finding/fb6294abcdef0123456789abcdef8404", + "first_observed_at": "2025-05-30T18:25:05.465Z", + "fix_available": "YES", + "inspector_score": 6.5, + "inspector_score_details": { + "adjusted_cvss": { + "cvss_source": "AMAZON_CVE", + "score": { + "source": "AMAZON_CVE", + "value": 6.5 + }, + "scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N", + "version": "3.1" + } + }, + "last_observed_at": "2025-06-05T23:26:37.322Z", + "package_nested": [ + { + "arch": "NOARCH", + "epoch": 0, + "fixed_in_version": "0:2.6.0-10.amzn2.0.6", + "name": "python-requests", + "package_manager": "OS", + "release": "10.amzn2.0.5", + "remediation": "yum update python-requests", + "version": "2.6.0" + } + ], + "package_vulnerability_details": { + "cvss": [ + { + "base_score": 6.5, + "scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N", + "source": "AMAZON_CVE", + "version": "3.1" + }, + { + "base_score": 5.6, + "scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N", + "source": "NVD", + "version": "3.1" + } + ], + "reference_urls": [ + "https://alas.aws.amazon.com/AL2/ALAS-2025-2868.html", + "https://alas.aws.amazon.com/AL2/ALASPYTHON3.8-2024-017.html", + "https://alas.aws.amazon.com/AL2/ALAS-2024-2715.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2024-781.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2025-957.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2024-780.html", + "https://alas.aws.amazon.com/cve/json/v1/CVE-2024-35195.json", + "https://alas.aws.amazon.com/AL2/ALAS-2025-2846.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2024-732.html", + "https://alas.aws.amazon.com/AL2/ALAS-2024-2654.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2024-782.html" + ], + "related_vulnerabilities": [ + "ALAS2023-2025-957", + "ALAS2023-2024-780", + "ALAS2-2024-2654", + "ALAS2-2025-2868", + 
"ALAS2-2025-2846", + "ALAS2-2024-2715", + "ALAS2023-2024-781", + "ALAS2023-2024-782", + "ALAS2023-2024-732" + ], + "source": { + "url": { + "domain": "alas.aws.amazon.com", + "extension": "json", + "original": "https://alas.aws.amazon.com/cve/json/v1/CVE-2024-35195.json", + "path": "/cve/json/v1/CVE-2024-35195.json", + "scheme": "https" + }, + "value": "AMAZON_CVE" + }, + "vendor": { + "created_at": "2024-05-20T00:00:00.000Z", + "severity": "Medium", + "updated_at": "2024-12-20T00:00:00.000Z" + }, + "vulnerability_id": "CVE-2024-35195", + "vulnerable_packages": [ + { + "arch": "NOARCH", + "epoch": 0, + "fixed_in_version": "0:2.6.0-10.amzn2.0.6", + "name": "python-requests", + "package_manager": "OS", + "release": "10.amzn2.0.5", + "remediation": "yum update python-requests", + "version": "2.6.0" + } + ] + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "resources": [ + { + "details": { + "aws": { + "ec2_instance": { + "iam_instance_profile_arn": "arn:aws:iam::123451256789:instance-profile/eks-0012345a-1234-5678-1234-6c1abcdef012", + "image_id": "ami-0e0f0123456789abd", + "ipv4_addresses": [ + "10.90.0.87", + "10.90.0.60", + "10.90.0.30", + "10.90.0.74", + "10.90.0.206", + "10.90.0.207", + "10.90.0.37", + "10.90.0.149", + "10.90.0.235", + "175.16.199.1", + "10.90.0.225", + "10.90.0.212", + "10.90.0.199", + "10.90.0.240", + "10.90.0.164", + "10.90.0.160", + "10.90.0.182", + "10.90.0.70", + "10.90.0.180" + ], + "launched_at": "2025-05-29T16:04:40.000Z", + "platform": "AMAZON_LINUX_2", + "subnet_id": "subnet-0ababcdefabcdef11", + "type": "t3.medium", + "vpc_id": "vpc-04ab0123456789123" + } + } + }, + "id": "i-059abcdefabcdef1b", + "partition": "aws", + "region": "us-east-2", + "tags": { + "aws:ec2launchtemplate:version": "6", + "aws:eks:cluster-name": "sei_demo_prod", + "eks:cluster-name": "sei_demo_prod", + "eks:nodegroup-name": "sei_demo_prod_linux", + "k8s.io/cluster-autoscaler/enabled": "true", + 
"k8s.io/cluster-autoscaler/sei_demo_prod": "owned", + "kubernetes.io/cluster/sei_demo_prod": "owned" + }, + "type": "AWS_EC2_INSTANCE" + } + ], + "severity": "MEDIUM", + "status": "ACTIVE", + "title": "CVE-2024-35195 - python-requests", + "transform_unique_id": "CVE-2024-35195|i-059abcdefabcdef1b|{0=python-requests}|{0=2.6.0}", + "type": "PACKAGE_VULNERABILITY", + "updated_at": "2025-06-05T23:26:37.322Z" + } + }, + "cloud": { + "account": { + "id": "123456789012" + }, + "instance": { + "id": "i-059abcdefabcdef1b" + }, + "machine": { + "type": "t3.medium" + }, + "provider": "aws", + "region": "us-east-2" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "id": "CVE-2024-35195|i-059abcdefabcdef1b|{0=python-requests}|{0=2.6.0}|2025-06-05T23:26:37.322Z", + "kind": "event", + "original": "{\"awsAccountId\":\"123456789012\",\"description\":\"Requests is a HTTP library. Prior to 2.32.0, when making requests through a Requests `Session`, if the first request is made with `verify=False` to disable cert verification, all subsequent requests to the same host will continue to ignore cert verification regardless of changes to the value of `verify`. This behavior will continue for the lifecycle of the connection in the connection pool. 
This vulnerability is fixed in 2.32.0.\",\"epss\":{\"score\":0.00018},\"exploitAvailable\":\"NO\",\"findingArn\":\"arn:aws:inspector2:us-east-2:123451256789:finding/fb6294abcdef0123456789abcdef8404\",\"firstObservedAt\":1748629505.465,\"fixAvailable\":\"YES\",\"inspectorScore\":6.5,\"inspectorScoreDetails\":{\"adjustedCvss\":{\"adjustments\":[],\"cvssSource\":\"AMAZON_CVE\",\"score\":6.5,\"scoreSource\":\"AMAZON_CVE\",\"scoringVector\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N\",\"version\":\"3.1\"}},\"lastObservedAt\":1749165997.322,\"packageVulnerabilityDetails\":{\"cvss\":[{\"baseScore\":6.5,\"scoringVector\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N\",\"source\":\"AMAZON_CVE\",\"version\":\"3.1\"},{\"baseScore\":5.6,\"scoringVector\":\"CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N\",\"source\":\"NVD\",\"version\":\"3.1\"}],\"referenceUrls\":[\"https://alas.aws.amazon.com/AL2/ALAS-2025-2868.html\",\"https://alas.aws.amazon.com/AL2/ALASPYTHON3.8-2024-017.html\",\"https://alas.aws.amazon.com/AL2/ALAS-2024-2715.html\",\"https://alas.aws.amazon.com/AL2023/ALAS-2024-781.html\",\"https://alas.aws.amazon.com/AL2023/ALAS-2025-957.html\",\"https://alas.aws.amazon.com/AL2023/ALAS-2024-780.html\",\"https://alas.aws.amazon.com/cve/json/v1/CVE-2024-35195.json\",\"https://alas.aws.amazon.com/AL2/ALAS-2025-2846.html\",\"https://alas.aws.amazon.com/AL2023/ALAS-2024-732.html\",\"https://alas.aws.amazon.com/AL2/ALAS-2024-2654.html\",\"https://alas.aws.amazon.com/AL2023/ALAS-2024-782.html\"],\"relatedVulnerabilities\":[\"ALAS2023-2025-957\",\"ALAS2023-2024-780\",\"ALAS2-2024-2654\",\"ALAS2-2025-2868\",\"ALAS2-2025-2846\",\"ALAS2-2024-2715\",\"ALAS2023-2024-781\",\"ALAS2023-2024-782\",\"ALAS2023-2024-732\"],\"source\":\"AMAZON_CVE\",\"sourceUrl\":\"https://alas.aws.amazon.com/cve/json/v1/CVE-2024-35195.json\",\"vendorCreatedAt\":1716163200,\"vendorSeverity\":\"Medium\",\"vendorUpdatedAt\":1734652800,\"vulnerabilityId\":\"CVE-2024-35195\",\"vulnerablePackages\":[{\"arch\":\"
NOARCH\",\"epoch\":0,\"fixedInVersion\":\"0:2.6.0-10.amzn2.0.6\",\"name\":\"python-requests\",\"packageManager\":\"OS\",\"release\":\"10.amzn2.0.5\",\"remediation\":\"yum update python-requests\",\"version\":\"2.6.0\"}]},\"remediation\":{\"recommendation\":{\"text\":\"None Provided\"}},\"resources\":[{\"details\":{\"awsEc2Instance\":{\"iamInstanceProfileArn\":\"arn:aws:iam::123451256789:instance-profile/eks-0012345a-1234-5678-1234-6c1abcdef012\",\"imageId\":\"ami-0e0f0123456789abd\",\"ipV4Addresses\":[\"10.90.0.87\",\"10.90.0.60\",\"10.90.0.30\",\"10.90.0.74\",\"10.90.0.206\",\"10.90.0.207\",\"10.90.0.37\",\"10.90.0.149\",\"10.90.0.235\",\"175.16.199.1\",\"10.90.0.225\",\"10.90.0.212\",\"10.90.0.199\",\"10.90.0.240\",\"10.90.0.164\",\"10.90.0.160\",\"10.90.0.182\",\"10.90.0.70\",\"10.90.0.180\"],\"ipV6Addresses\":[],\"launchedAt\":1748534680,\"platform\":\"AMAZON_LINUX_2\",\"subnetId\":\"subnet-0ababcdefabcdef11\",\"type\":\"t3.medium\",\"vpcId\":\"vpc-04ab0123456789123\"}},\"id\":\"i-059abcdefabcdef1b\",\"partition\":\"aws\",\"region\":\"us-east-2\",\"tags\":{\"aws:ec2launchtemplate:version\":\"6\",\"aws:eks:cluster-name\":\"sei_demo_prod\",\"eks:cluster-name\":\"sei_demo_prod\",\"eks:nodegroup-name\":\"sei_demo_prod_linux\",\"k8s.io/cluster-autoscaler/enabled\":\"true\",\"k8s.io/cluster-autoscaler/sei_demo_prod\":\"owned\",\"kubernetes.io/cluster/sei_demo_prod\":\"owned\"},\"type\":\"AWS_EC2_INSTANCE\"}],\"severity\":\"MEDIUM\",\"status\":\"ACTIVE\",\"title\":\"CVE-2024-35195 - python-requests\",\"type\":\"PACKAGE_VULNERABILITY\",\"updatedAt\":1749165997.322}", + "type": [ + "info" + ] + }, + "host": { + "id": "i-059abcdefabcdef1b", + "ip": [ + "10.90.0.87", + "10.90.0.60", + "10.90.0.30", + "10.90.0.74", + "10.90.0.206", + "10.90.0.207", + "10.90.0.37", + "10.90.0.149", + "10.90.0.235", + "175.16.199.1", + "10.90.0.225", + "10.90.0.212", + "10.90.0.199", + "10.90.0.240", + "10.90.0.164", + "10.90.0.160", + "10.90.0.182", + "10.90.0.70", + "10.90.0.180" + ], + 
"os": { + "platform": "AMAZON_LINUX_2", + "type": "linux" + }, + "type": "t3.medium" + }, + "message": "Requests is a HTTP library. Prior to 2.32.0, when making requests through a Requests `Session`, if the first request is made with `verify=False` to disable cert verification, all subsequent requests to the same host will continue to ignore cert verification regardless of changes to the value of `verify`. This behavior will continue for the lifecycle of the connection in the connection pool. This vulnerability is fixed in 2.32.0.", + "observer": { + "vendor": "Amazon Inspector" + }, + "package": { + "architecture": [ + "NOARCH" + ], + "fixed_version": [ + "0:2.6.0-10.amzn2.0.6" + ], + "name": [ + "python-requests" + ], + "version": [ + "2.6.0" + ] + }, + "related": { + "ip": [ + "10.90.0.87", + "10.90.0.60", + "10.90.0.30", + "10.90.0.74", + "10.90.0.206", + "10.90.0.207", + "10.90.0.37", + "10.90.0.149", + "10.90.0.235", + "175.16.199.1", + "10.90.0.225", + "10.90.0.212", + "10.90.0.199", + "10.90.0.240", + "10.90.0.164", + "10.90.0.160", + "10.90.0.182", + "10.90.0.70", + "10.90.0.180" + ] + }, + "resource": { + "id": "i-059abcdefabcdef1b", + "type": "AWS_EC2_INSTANCE" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "description": "Requests is a HTTP library. Prior to 2.32.0, when making requests through a Requests `Session`, if the first request is made with `verify=False` to disable cert verification, all subsequent requests to the same host will continue to ignore cert verification regardless of changes to the value of `verify`. This behavior will continue for the lifecycle of the connection in the connection pool. 
This vulnerability is fixed in 2.32.0.", + "id": "CVE-2024-35195", + "published_date": "2024-05-20T00:00:00.000Z", + "reference": [ + "https://alas.aws.amazon.com/AL2/ALAS-2025-2868.html", + "https://alas.aws.amazon.com/AL2/ALASPYTHON3.8-2024-017.html", + "https://alas.aws.amazon.com/AL2/ALAS-2024-2715.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2024-781.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2025-957.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2024-780.html", + "https://alas.aws.amazon.com/cve/json/v1/CVE-2024-35195.json", + "https://alas.aws.amazon.com/AL2/ALAS-2025-2846.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2024-732.html", + "https://alas.aws.amazon.com/AL2/ALAS-2024-2654.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2024-782.html" + ], + "scanner": { + "vendor": "Amazon Inspector" + }, "score": { - "base": [ - 1.1 + "base": 6.5, + "version": "3.1" + }, + "severity": "Medium", + "title": "CVE-2024-35195 - python-requests" + } + }, + { + "@timestamp": "2025-06-05T23:23:16.162Z", + "aws": { + "inspector": { + "aws_account_id": "123456789012", + "description": "The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. 
, , etc contexts).", + "epss": { + "score": 2.4E-4 + }, + "exploit_available": "NO", + "finding_arn": "arn:aws:inspector2:us-east-2:123456789012:finding/fb6294abcdef0123456789abcdef8123", + "first_observed_at": "2025-05-29T17:28:07.919Z", + "fix_available": "YES", + "inspector_score": 6.5, + "inspector_score_details": { + "adjusted_cvss": { + "cvss_source": "NVD", + "score": { + "source": "NVD", + "value": 6.5 + }, + "scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L", + "version": "3.1" + } + }, + "last_observed_at": "2025-06-05T23:23:16.162Z", + "package_nested": [ + { + "epoch": 0, + "file_path": "vol-0e47545061282cd35:/p1:opt/cni/bin/aws-cni", + "fixed_in_version": "0.38.0", + "name": "golang.org/x/net", + "package_manager": "GOBINARY", + "version": "v0.1.0" + }, + { + "epoch": 0, + "file_path": "vol-0e47545061282cd35:/p1:etc/eks/image-credential-provider/ecr-credential-provider", + "fixed_in_version": "0.38.0", + "name": "golang.org/x/net", + "package_manager": "GOBINARY", + "version": "v0.30.0" + }, + { + "epoch": 0, + "file_path": "vol-0e47545061282cd35:/p1:opt/cni/bin/dhcp", + "fixed_in_version": "0.38.0", + "name": "golang.org/x/net", + "package_manager": "GOBINARY", + "version": "v0.30.0" + }, + { + "epoch": 0, + "file_path": "vol-0e47545061282cd35:/p1:usr/bin/aws-iam-authenticator", + "fixed_in_version": "0.38.0", + "name": "golang.org/x/net", + "package_manager": "GOBINARY", + "version": "v0.30.0" + }, + { + "epoch": 0, + "file_path": "vol-0e47545061282cd35:/p1:usr/bin/kubelet", + "fixed_in_version": "0.38.0", + "name": "golang.org/x/net", + "package_manager": "GOBINARY", + "version": "v0.30.0" + }, + { + "arch": "X86_64", + "epoch": 0, + "fixed_in_version": "0:2.0.5-1.amzn2.0.1", + "name": "nerdctl", + "package_manager": "OS", + "release": "1.amzn2.0.1", + "remediation": "yum update nerdctl", + "version": "2.0.4" + } + ], + "package_vulnerability_details": { + "cvss": [ + { + "base_score": 6.5, + "scoring_vector": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L", + "source": "NVD", + "version": "3.1" + }, + { + "base_score": 6.5, + "scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L", + "source": "NVD", + "version": "3.1" + } + ], + "reference_urls": [ + "https://groups.google.com/g/golang-announce/c/ezSKR9vqbqA", + "https://nvd.nist.gov/vuln/detail/CVE-2025-22872", + "https://alas.aws.amazon.com/AL2023/ALAS-2025-981.html", + "https://alas.aws.amazon.com/AL2/ALASDOCKER-2025-064.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2025-980.html", + "https://alas.aws.amazon.com/AL2/ALASDOCKER-2025-063.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2025-979.html", + "https://alas.aws.amazon.com/cve/json/v1/CVE-2025-22872.json", + "https://alas.aws.amazon.com/AL2/ALAS-2025-2863.html", + "https://alas.aws.amazon.com/cve/json/v1/CVE-2025-22872.json" + ], + "source": { + "url": { + "domain": "nvd.nist.gov", + "original": "https://nvd.nist.gov/vuln/detail/CVE-2025-22872", + "path": "/vuln/detail/CVE-2025-22872", + "scheme": "https" + }, + "value": "NVD" + }, + "vendor": { + "created_at": "2025-04-16T18:16:04.000Z", + "severity": "MEDIUM", + "updated_at": "2025-05-16T23:15:19.000Z" + }, + "vulnerability_id": "CVE-2025-22872", + "vulnerable_packages": [ + { + "epoch": 0, + "file_path": "vol-0e47545061282cd35:/p1:opt/cni/bin/aws-cni", + "fixed_in_version": "0.38.0", + "name": "golang.org/x/net", + "package_manager": "GOBINARY", + "version": "v0.1.0" + }, + { + "epoch": 0, + "file_path": "vol-0e47545061282cd35:/p1:etc/eks/image-credential-provider/ecr-credential-provider", + "fixed_in_version": "0.38.0", + "name": "golang.org/x/net", + "package_manager": "GOBINARY", + "version": "v0.30.0" + }, + { + "epoch": 0, + "file_path": "vol-0e47545061282cd35:/p1:opt/cni/bin/dhcp", + "fixed_in_version": "0.38.0", + "name": "golang.org/x/net", + "package_manager": "GOBINARY", + "version": "v0.30.0" + }, + { + "epoch": 0, + "file_path": 
"vol-0e47545061282cd35:/p1:usr/bin/aws-iam-authenticator", + "fixed_in_version": "0.38.0", + "name": "golang.org/x/net", + "package_manager": "GOBINARY", + "version": "v0.30.0" + }, + { + "epoch": 0, + "file_path": "vol-0e47545061282cd35:/p1:usr/bin/kubelet", + "fixed_in_version": "0.38.0", + "name": "golang.org/x/net", + "package_manager": "GOBINARY", + "version": "v0.30.0" + }, + { + "arch": "X86_64", + "epoch": 0, + "fixed_in_version": "0:2.0.5-1.amzn2.0.1", + "name": "nerdctl", + "package_manager": "OS", + "release": "1.amzn2.0.1", + "remediation": "yum update nerdctl", + "version": "2.0.4" + } + ] + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "resources": [ + { + "details": { + "aws": { + "ec2_instance": { + "iam_instance_profile_arn": "arn:aws:iam::123456789012:instance-profile/eks-0012345a-1234-5678-1234-6c1abcdef012", + "image_id": "ami-0e0f0123456789abd", + "ipv4_addresses": [ + "10.90.1.245", + "10.90.1.45", + "10.90.1.168", + "10.90.1.157", + "1.128.0.1", + "10.90.1.103", + "10.90.1.197", + "10.90.1.220", + "10.90.1.86", + "10.90.1.29", + "10.90.1.18", + "10.90.1.181", + "10.90.1.161", + "10.90.1.229", + "10.90.1.108", + "10.90.1.219", + "10.90.1.9", + "10.90.1.106", + "10.90.1.206" + ], + "launched_at": "2025-05-29T16:06:08.000Z", + "platform": "AMAZON_LINUX_2", + "subnet_id": "subnet-0ababcdefabcdef8b", + "type": "t3.medium", + "vpc_id": "vpc-04ab0123456789123" + } + } + }, + "id": "i-0fabcdefabcdef50b", + "partition": "aws", + "region": "us-east-2", + "tags": { + "aws:autoscaling:groupName": "eks-sei_demo_prod_linux-00c12345-abcd-1234-5678-601234567896", + "aws:ec2launchtemplate:version": "6", + "aws:eks:cluster-name": "sei_demo_prod", + "eks:cluster-name": "sei_demo_prod", + "eks:nodegroup-name": "sei_demo_prod_linux", + "k8s.io/cluster-autoscaler/enabled": "true", + "k8s.io/cluster-autoscaler/sei_demo_prod": "owned", + "kubernetes.io/cluster/sei_demo_prod": "owned" + }, + "type": "AWS_EC2_INSTANCE" + } ], - 
"version": [ - "v3.1" - ] + "severity": "MEDIUM", + "status": "ACTIVE", + "title": "CVE-2025-22872 - golang.org/x/net, golang.org/x/net and 4 more", + "transform_unique_id": "CVE-2025-22872|i-0fabcdefabcdef50b|{0=golang.org/x/net, 1=nerdctl}|{0=v0.1.0, 1=v0.30.0, 2=2.0.4}", + "type": "PACKAGE_VULNERABILITY", + "updated_at": "2025-06-05T23:23:16.162Z" + } + }, + "cloud": { + "account": { + "id": "123456789012" + }, + "instance": { + "id": "i-0fabcdefabcdef50b" + }, + "machine": { + "type": "t3.medium" + }, + "provider": "aws", + "region": "us-east-2" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "id": "CVE-2025-22872|i-0fabcdefabcdef50b|{0=golang.org/x/net, 1=nerdctl}|{0=v0.1.0, 1=v0.30.0, 2=2.0.4}|2025-06-05T23:23:16.162Z", + "kind": "event", + "original": "{\"awsAccountId\":\"123456789012\",\"description\":\"The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. 
, , etc contexts).\",\"epss\":{\"score\":0.00024},\"exploitAvailable\":\"NO\",\"findingArn\":\"arn:aws:inspector2:us-east-2:123456789012:finding/fb6294abcdef0123456789abcdef8123\",\"firstObservedAt\":1748539687.919,\"fixAvailable\":\"YES\",\"inspectorScore\":6.5,\"inspectorScoreDetails\":{\"adjustedCvss\":{\"adjustments\":[],\"cvssSource\":\"NVD\",\"score\":6.5,\"scoreSource\":\"NVD\",\"scoringVector\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L\",\"version\":\"3.1\"}},\"lastObservedAt\":1749165796.162,\"packageVulnerabilityDetails\":{\"cvss\":[{\"baseScore\":6.5,\"scoringVector\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L\",\"source\":\"NVD\",\"version\":\"3.1\"},{\"baseScore\":6.5,\"scoringVector\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L\",\"source\":\"NVD\",\"version\":\"3.1\"}],\"referenceUrls\":[\"https://groups.google.com/g/golang-announce/c/ezSKR9vqbqA\",\"https://nvd.nist.gov/vuln/detail/CVE-2025-22872\",\"https://alas.aws.amazon.com/AL2023/ALAS-2025-981.html\",\"https://alas.aws.amazon.com/AL2/ALASDOCKER-2025-064.html\",\"https://alas.aws.amazon.com/AL2023/ALAS-2025-980.html\",\"https://alas.aws.amazon.com/AL2/ALASDOCKER-2025-063.html\",\"https://alas.aws.amazon.com/AL2023/ALAS-2025-979.html\",\"https://alas.aws.amazon.com/cve/json/v1/CVE-2025-22872.json\",\"https://alas.aws.amazon.com/AL2/ALAS-2025-2863.html\",\"https://alas.aws.amazon.com/cve/json/v1/CVE-2025-22872.json\"],\"relatedVulnerabilities\":[],\"source\":\"NVD\",\"sourceUrl\":\"https://nvd.nist.gov/vuln/detail/CVE-2025-22872\",\"vendorCreatedAt\":1744827364,\"vendorSeverity\":\"MEDIUM\",\"vendorUpdatedAt\":1747437319,\"vulnerabilityId\":\"CVE-2025-22872\",\"vulnerablePackages\":[{\"epoch\":0,\"filePath\":\"vol-0e47545061282cd35:/p1:opt/cni/bin/aws-cni\",\"fixedInVersion\":\"0.38.0\",\"name\":\"golang.org/x/net\",\"packageManager\":\"GOBINARY\",\"version\":\"v0.1.0\"},{\"epoch\":0,\"filePath\":\"vol-0e47545061282cd35:/p1:etc/eks/image-credential-provider/ecr-credential-provider\",\"f
ixedInVersion\":\"0.38.0\",\"name\":\"golang.org/x/net\",\"packageManager\":\"GOBINARY\",\"version\":\"v0.30.0\"},{\"epoch\":0,\"filePath\":\"vol-0e47545061282cd35:/p1:opt/cni/bin/dhcp\",\"fixedInVersion\":\"0.38.0\",\"name\":\"golang.org/x/net\",\"packageManager\":\"GOBINARY\",\"version\":\"v0.30.0\"},{\"epoch\":0,\"filePath\":\"vol-0e47545061282cd35:/p1:usr/bin/aws-iam-authenticator\",\"fixedInVersion\":\"0.38.0\",\"name\":\"golang.org/x/net\",\"packageManager\":\"GOBINARY\",\"version\":\"v0.30.0\"},{\"epoch\":0,\"filePath\":\"vol-0e47545061282cd35:/p1:usr/bin/kubelet\",\"fixedInVersion\":\"0.38.0\",\"name\":\"golang.org/x/net\",\"packageManager\":\"GOBINARY\",\"version\":\"v0.30.0\"},{\"arch\":\"X86_64\",\"epoch\":0,\"fixedInVersion\":\"0:2.0.5-1.amzn2.0.1\",\"name\":\"nerdctl\",\"packageManager\":\"OS\",\"release\":\"1.amzn2.0.1\",\"remediation\":\"yum update nerdctl\",\"version\":\"2.0.4\"}]},\"remediation\":{\"recommendation\":{\"text\":\"None Provided\"}},\"resources\":[{\"details\":{\"awsEc2Instance\":{\"iamInstanceProfileArn\":\"arn:aws:iam::123456789012:instance-profile/eks-0012345a-1234-5678-1234-6c1abcdef012\",\"imageId\":\"ami-0e0f0123456789abd\",\"ipV4Addresses\":[\"10.90.1.245\",\"10.90.1.45\",\"10.90.1.168\",\"10.90.1.157\",\"1.128.0.1\",\"10.90.1.103\",\"10.90.1.197\",\"10.90.1.220\",\"10.90.1.86\",\"10.90.1.29\",\"10.90.1.18\",\"10.90.1.181\",\"10.90.1.161\",\"10.90.1.229\",\"10.90.1.108\",\"10.90.1.219\",\"10.90.1.9\",\"10.90.1.106\",\"10.90.1.206\"],\"ipV6Addresses\":[],\"launchedAt\":1748534768,\"platform\":\"AMAZON_LINUX_2\",\"subnetId\":\"subnet-0ababcdefabcdef8b\",\"type\":\"t3.medium\",\"vpcId\":\"vpc-04ab0123456789123\"}},\"id\":\"i-0fabcdefabcdef50b\",\"partition\":\"aws\",\"region\":\"us-east-2\",\"tags\":{\"aws:autoscaling:groupName\":\"eks-sei_demo_prod_linux-00c12345-abcd-1234-5678-601234567896\",\"aws:ec2launchtemplate:version\":\"6\",\"aws:eks:cluster-name\":\"sei_demo_prod\",\"eks:cluster-name\":\"sei_demo_prod\",\"eks:nodegroup-nam
e\":\"sei_demo_prod_linux\",\"k8s.io/cluster-autoscaler/enabled\":\"true\",\"k8s.io/cluster-autoscaler/sei_demo_prod\":\"owned\",\"kubernetes.io/cluster/sei_demo_prod\":\"owned\"},\"type\":\"AWS_EC2_INSTANCE\"}],\"severity\":\"MEDIUM\",\"status\":\"ACTIVE\",\"title\":\"CVE-2025-22872 - golang.org/x/net, golang.org/x/net and 4 more\",\"type\":\"PACKAGE_VULNERABILITY\",\"updatedAt\":1749165796.162}", + "type": [ + "info" + ] + }, + "host": { + "id": "i-0fabcdefabcdef50b", + "ip": [ + "10.90.1.245", + "10.90.1.45", + "10.90.1.168", + "10.90.1.157", + "1.128.0.1", + "10.90.1.103", + "10.90.1.197", + "10.90.1.220", + "10.90.1.86", + "10.90.1.29", + "10.90.1.18", + "10.90.1.181", + "10.90.1.161", + "10.90.1.229", + "10.90.1.108", + "10.90.1.219", + "10.90.1.9", + "10.90.1.106", + "10.90.1.206" + ], + "os": { + "platform": "AMAZON_LINUX_2", + "type": "linux" + }, + "type": "t3.medium" + }, + "message": "The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. 
, , etc contexts).", + "observer": { + "vendor": "Amazon Inspector" + }, + "package": { + "architecture": [ + "X86_64" + ], + "fixed_version": [ + "0.38.0", + "0:2.0.5-1.amzn2.0.1" + ], + "name": [ + "golang.org/x/net", + "nerdctl" + ], + "path": [ + "vol-0e47545061282cd35:/p1:opt/cni/bin/aws-cni", + "vol-0e47545061282cd35:/p1:etc/eks/image-credential-provider/ecr-credential-provider", + "vol-0e47545061282cd35:/p1:opt/cni/bin/dhcp", + "vol-0e47545061282cd35:/p1:usr/bin/aws-iam-authenticator", + "vol-0e47545061282cd35:/p1:usr/bin/kubelet" + ], + "version": [ + "v0.1.0", + "v0.30.0", + "2.0.4" + ] + }, + "related": { + "ip": [ + "10.90.1.245", + "10.90.1.45", + "10.90.1.168", + "10.90.1.157", + "1.128.0.1", + "10.90.1.103", + "10.90.1.197", + "10.90.1.220", + "10.90.1.86", + "10.90.1.29", + "10.90.1.18", + "10.90.1.181", + "10.90.1.161", + "10.90.1.229", + "10.90.1.108", + "10.90.1.219", + "10.90.1.9", + "10.90.1.106", + "10.90.1.206" + ] + }, + "resource": { + "id": "i-0fabcdefabcdef50b", + "type": "AWS_EC2_INSTANCE" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "description": "The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. 
, , etc contexts).", + "id": "CVE-2025-22872", + "published_date": "2025-04-16T18:16:04.000Z", + "reference": [ + "https://groups.google.com/g/golang-announce/c/ezSKR9vqbqA", + "https://nvd.nist.gov/vuln/detail/CVE-2025-22872", + "https://alas.aws.amazon.com/AL2023/ALAS-2025-981.html", + "https://alas.aws.amazon.com/AL2/ALASDOCKER-2025-064.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2025-980.html", + "https://alas.aws.amazon.com/AL2/ALASDOCKER-2025-063.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2025-979.html", + "https://alas.aws.amazon.com/cve/json/v1/CVE-2025-22872.json", + "https://alas.aws.amazon.com/AL2/ALAS-2025-2863.html", + "https://alas.aws.amazon.com/cve/json/v1/CVE-2025-22872.json" + ], + "scanner": { + "vendor": "Amazon Inspector" + }, + "score": { + "base": 6.5, + "version": "3.1" + }, + "severity": "Medium", + "title": "CVE-2025-22872 - golang.org/x/net, golang.org/x/net and 4 more" + } + }, + { + "@timestamp": "2025-06-04T23:24:51.767Z", + "aws": { + "inspector": { + "aws_account_id": "123456789012", + "description": "The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.", + "epss": { + "score": 0.94407 + }, + "exploit_available": "YES", + "exploitability_details": { + "last_known_exploit_at": "2025-06-03T00:09:27.000Z" + }, + "finding_arn": "arn:aws:inspector2:us-east-2:123456789012:finding/7c6abcdef0123456789abcdef869e9be", + "first_observed_at": "2025-05-29T17:28:07.919Z", + "fix_available": "YES", + "inspector_score": 7.5, + "inspector_score_details": { + "adjusted_cvss": { + "cvss_source": "NVD", + "score": { + "source": "NVD", + "value": 7.5 + }, + "scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "version": "3.1" + } + }, + "last_observed_at": "2025-06-04T23:24:51.767Z", + "package_nested": [ + { + "epoch": 0, + "file_path": "vol-0e47545061282cd35:/p1:opt/cni/bin/aws-cni", + 
"fixed_in_version": "0.17.0", + "name": "golang.org/x/net", + "package_manager": "GOBINARY", + "version": "v0.1.0" + }, + { + "epoch": 0, + "file_path": "vol-0e47545061282cd35:/p1:opt/cni/bin/aws-cni", + "fixed_in_version": "1.58.3", + "name": "google.golang.org/grpc", + "package_manager": "GOBINARY", + "version": "v1.31.0" + } + ], + "package_vulnerability_details": { + "cvss": [ + { + "base_score": 7.5, + "scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": "NVD", + "version": "3.1" + } + ], + "source": { + "url": { + "domain": "nvd.nist.gov", + "original": "https://nvd.nist.gov/vuln/detail/CVE-2023-44487", + "path": "/vuln/detail/CVE-2023-44487", + "scheme": "https" + }, + "value": "NVD" + }, + "vendor": { + "created_at": "2023-10-10T14:15:10.000Z", + "severity": "HIGH", + "updated_at": "2025-04-12T01:00:01.000Z" + }, + "vulnerability_id": "CVE-2023-44487", + "vulnerable_packages": [ + { + "epoch": 0, + "file_path": "vol-0e47545061282cd35:/p1:opt/cni/bin/aws-cni", + "fixed_in_version": "0.17.0", + "name": "golang.org/x/net", + "package_manager": "GOBINARY", + "version": "v0.1.0" + }, + { + "epoch": 0, + "file_path": "vol-0e47545061282cd35:/p1:opt/cni/bin/aws-cni", + "fixed_in_version": "1.58.3", + "name": "google.golang.org/grpc", + "package_manager": "GOBINARY", + "version": "v1.31.0" + } + ] + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "resources": [ + { + "details": { + "aws": { + "ec2_instance": { + "iam_instance_profile_arn": "arn:aws:iam::123456789012:instance-profile/eks-0012345a-1234-5678-1234-6c1abcdef012", + "image_id": "ami-0e0f0123456789abd", + "ipv4_addresses": [ + "10.90.1.245", + "10.90.1.45", + "10.90.1.168", + "10.90.1.157", + "1.128.0.1", + "10.90.1.103", + "10.90.1.197", + "10.90.1.220", + "10.90.1.86", + "10.90.1.29", + "10.90.1.18", + "10.90.1.181", + "10.90.1.161", + "10.90.1.229", + "10.90.1.108", + "10.90.1.219", + "10.90.1.9", + "10.90.1.106", + "10.90.1.206" + ], + 
"launched_at": "2025-05-29T16:06:08.000Z", + "platform": "AMAZON_LINUX_2", + "subnet_id": "subnet-08aabcdefabcdefab", + "type": "t3.medium", + "vpc_id": "vpc-04ab0123456789123" + } + } + }, + "id": "i-0fabcdefabcdef50b", + "partition": "aws", + "region": "us-east-2", + "tags": { + "aws:autoscaling:groupName": "eks-sei_demo_prod_linux-00c12345-abcd-1234-5678-601234567896", + "aws:ec2launchtemplate:version": "6", + "aws:eks:cluster-name": "sei_demo_prod", + "eks:cluster-name": "sei_demo_prod", + "eks:nodegroup-name": "sei_demo_prod_linux", + "k8s.io/cluster-autoscaler/enabled": "true", + "k8s.io/cluster-autoscaler/sei_demo_prod": "owned", + "kubernetes.io/cluster/sei_demo_prod": "owned" + }, + "type": "AWS_EC2_INSTANCE" + } + ], + "severity": "HIGH", + "status": "ACTIVE", + "title": "CVE-2023-44487 - golang.org/x/net, google.golang.org/grpc", + "transform_unique_id": "CVE-2023-44487|i-0fabcdefabcdef50b|{0=golang.org/x/net, 1=google.golang.org/grpc}|{0=v0.1.0, 1=v1.31.0}", + "type": "PACKAGE_VULNERABILITY", + "updated_at": "2025-06-04T23:24:51.767Z" + } + }, + "cloud": { + "account": { + "id": "123456789012" + }, + "instance": { + "id": "i-0fabcdefabcdef50b" + }, + "machine": { + "type": "t3.medium" + }, + "provider": "aws", + "region": "us-east-2" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "id": "CVE-2023-44487|i-0fabcdefabcdef50b|{0=golang.org/x/net, 1=google.golang.org/grpc}|{0=v0.1.0, 1=v1.31.0}|2025-06-04T23:24:51.767Z", + "kind": "event", + "original": "{\"awsAccountId\":\"123456789012\",\"description\":\"The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 
2023.\",\"epss\":{\"score\":0.94407},\"exploitAvailable\":\"YES\",\"exploitabilityDetails\":{\"lastKnownExploitAt\":1748909367},\"findingArn\":\"arn:aws:inspector2:us-east-2:123456789012:finding/7c6abcdef0123456789abcdef869e9be\",\"firstObservedAt\":1748539687.919,\"fixAvailable\":\"YES\",\"inspectorScore\":7.5,\"inspectorScoreDetails\":{\"adjustedCvss\":{\"adjustments\":[],\"cvssSource\":\"NVD\",\"score\":7.5,\"scoreSource\":\"NVD\",\"scoringVector\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"version\":\"3.1\"}},\"lastObservedAt\":1749079491.767,\"packageVulnerabilityDetails\":{\"cvss\":[{\"baseScore\":7.5,\"scoringVector\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"source\":\"NVD\",\"version\":\"3.1\"}],\"referenceUrls\":[],\"relatedVulnerabilities\":[],\"source\":\"NVD\",\"sourceUrl\":\"https://nvd.nist.gov/vuln/detail/CVE-2023-44487\",\"vendorCreatedAt\":1696947310,\"vendorSeverity\":\"HIGH\",\"vendorUpdatedAt\":1744419601,\"vulnerabilityId\":\"CVE-2023-44487\",\"vulnerablePackages\":[{\"epoch\":0,\"filePath\":\"vol-0e47545061282cd35:/p1:opt/cni/bin/aws-cni\",\"fixedInVersion\":\"0.17.0\",\"name\":\"golang.org/x/net\",\"packageManager\":\"GOBINARY\",\"version\":\"v0.1.0\"},{\"epoch\":0,\"filePath\":\"vol-0e47545061282cd35:/p1:opt/cni/bin/aws-cni\",\"fixedInVersion\":\"1.58.3\",\"name\":\"google.golang.org/grpc\",\"packageManager\":\"GOBINARY\",\"version\":\"v1.31.0\"}]},\"remediation\":{\"recommendation\":{\"text\":\"None 
Provided\"}},\"resources\":[{\"details\":{\"awsEc2Instance\":{\"iamInstanceProfileArn\":\"arn:aws:iam::123456789012:instance-profile/eks-0012345a-1234-5678-1234-6c1abcdef012\",\"imageId\":\"ami-0e0f0123456789abd\",\"ipV4Addresses\":[\"10.90.1.245\",\"10.90.1.45\",\"10.90.1.168\",\"10.90.1.157\",\"1.128.0.1\",\"10.90.1.103\",\"10.90.1.197\",\"10.90.1.220\",\"10.90.1.86\",\"10.90.1.29\",\"10.90.1.18\",\"10.90.1.181\",\"10.90.1.161\",\"10.90.1.229\",\"10.90.1.108\",\"10.90.1.219\",\"10.90.1.9\",\"10.90.1.106\",\"10.90.1.206\"],\"ipV6Addresses\":[],\"launchedAt\":1748534768,\"platform\":\"AMAZON_LINUX_2\",\"subnetId\":\"subnet-08aabcdefabcdefab\",\"type\":\"t3.medium\",\"vpcId\":\"vpc-04ab0123456789123\"}},\"id\":\"i-0fabcdefabcdef50b\",\"partition\":\"aws\",\"region\":\"us-east-2\",\"tags\":{\"aws:autoscaling:groupName\":\"eks-sei_demo_prod_linux-00c12345-abcd-1234-5678-601234567896\",\"aws:ec2launchtemplate:version\":\"6\",\"aws:eks:cluster-name\":\"sei_demo_prod\",\"eks:cluster-name\":\"sei_demo_prod\",\"eks:nodegroup-name\":\"sei_demo_prod_linux\",\"k8s.io/cluster-autoscaler/enabled\":\"true\",\"k8s.io/cluster-autoscaler/sei_demo_prod\":\"owned\",\"kubernetes.io/cluster/sei_demo_prod\":\"owned\"},\"type\":\"AWS_EC2_INSTANCE\"}],\"severity\":\"HIGH\",\"status\":\"ACTIVE\",\"title\":\"CVE-2023-44487 - golang.org/x/net, google.golang.org/grpc\",\"type\":\"PACKAGE_VULNERABILITY\",\"updatedAt\":1749079491.767}", + "type": [ + "info" + ] + }, + "host": { + "id": "i-0fabcdefabcdef50b", + "ip": [ + "10.90.1.245", + "10.90.1.45", + "10.90.1.168", + "10.90.1.157", + "1.128.0.1", + "10.90.1.103", + "10.90.1.197", + "10.90.1.220", + "10.90.1.86", + "10.90.1.29", + "10.90.1.18", + "10.90.1.181", + "10.90.1.161", + "10.90.1.229", + "10.90.1.108", + "10.90.1.219", + "10.90.1.9", + "10.90.1.106", + "10.90.1.206" + ], + "os": { + "platform": "AMAZON_LINUX_2", + "type": "linux" + }, + "type": "t3.medium" + }, + "message": "The HTTP/2 protocol allows a denial of service (server 
resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.", + "observer": { + "vendor": "Amazon Inspector" + }, + "package": { + "fixed_version": [ + "0.17.0", + "1.58.3" + ], + "name": [ + "golang.org/x/net", + "google.golang.org/grpc" + ], + "path": [ + "vol-0e47545061282cd35:/p1:opt/cni/bin/aws-cni" + ], + "version": [ + "v0.1.0", + "v1.31.0" + ] + }, + "related": { + "ip": [ + "10.90.1.245", + "10.90.1.45", + "10.90.1.168", + "10.90.1.157", + "1.128.0.1", + "10.90.1.103", + "10.90.1.197", + "10.90.1.220", + "10.90.1.86", + "10.90.1.29", + "10.90.1.18", + "10.90.1.181", + "10.90.1.161", + "10.90.1.229", + "10.90.1.108", + "10.90.1.219", + "10.90.1.9", + "10.90.1.106", + "10.90.1.206" + ] + }, + "resource": { + "id": "i-0fabcdefabcdef50b", + "type": "AWS_EC2_INSTANCE" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "description": "The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.", + "id": "CVE-2023-44487", + "published_date": "2023-10-10T14:15:10.000Z", + "scanner": { + "vendor": "Amazon Inspector" + }, + "score": { + "base": 7.5, + "version": "3.1" + }, + "severity": "High", + "title": "CVE-2023-44487 - golang.org/x/net, google.golang.org/grpc" + } + }, + { + "@timestamp": "2025-06-05T23:26:37.322Z", + "aws": { + "inspector": { + "aws_account_id": "123456789012", + "description": "An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. 
This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.", + "epss": { + "score": 0.66635 + }, + "exploit_available": "NO", + "finding_arn": "arn:aws:inspector2:us-east-2:123456789012:finding/4038abcdef0123456789abcdef89a264", + "first_observed_at": "2025-05-29T17:27:46.436Z", + "fix_available": "YES", + "inspector_score": 7.5, + "inspector_score_details": { + "adjusted_cvss": { + "cvss_source": "NVD", + "score": { + "source": "NVD", + "value": 7.5 + }, + "scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "version": "3.1" + } + }, + "last_observed_at": "2025-06-05T23:26:37.322Z", + "package_nested": [ + { + "epoch": 0, + "file_path": "vol-00a0d78ffdf6dd3fd:/p1:opt/cni/bin/aws-cni", + "fixed_in_version": "0.23.0", + "name": "golang.org/x/net", + "package_manager": "GOBINARY", + "version": "v0.1.0" + } + ], + "package_vulnerability_details": { + "cvss": [ + { + "base_score": 7.5, + "scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": "NVD", + "version": "3.1" + } + ], + "reference_urls": [ + "https://nvd.nist.gov/vuln/detail/CVE-2023-45288", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRYFHIQ6XRKRYBI2F5UESH67BJBQXUPT/", + "https://groups.google.com/g/golang-announce/c/YgW0sx8mN3M" + ], + "source": { + "url": { + "domain": "nvd.nist.gov", + "original": "https://nvd.nist.gov/vuln/detail/CVE-2023-45288", + "path": "/vuln/detail/CVE-2023-45288", + "scheme": "https" + }, + "value": "NVD" + }, + "vendor": { + "created_at": "2024-04-04T21:15:16.000Z", + "severity": "HIGH", + "updated_at": "2024-11-21T08:26:42.000Z" + }, + "vulnerability_id": 
"CVE-2023-45288", + "vulnerable_packages": [ + { + "epoch": 0, + "file_path": "vol-00a0d78ffdf6dd3fd:/p1:opt/cni/bin/aws-cni", + "fixed_in_version": "0.23.0", + "name": "golang.org/x/net", + "package_manager": "GOBINARY", + "version": "v0.1.0" + } + ] + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "resources": [ + { + "details": { + "aws": { + "ec2_instance": { + "iam_instance_profile_arn": "arn:aws:iam::123456789012:instance-profile/eks-0012345a-1234-5678-1234-6c1abcdef012", + "image_id": "ami-0e0f0123456789abd", + "ipv4_addresses": [ + "10.90.0.87", + "10.90.0.60", + "10.90.0.30", + "10.90.0.74", + "10.90.0.206", + "10.90.0.207", + "10.90.0.37", + "10.90.0.149", + "10.90.0.235", + "1.128.0.2", + "10.90.0.225", + "10.90.0.212", + "10.90.0.199", + "10.90.0.240", + "10.90.0.164", + "10.90.0.160", + "10.90.0.182", + "10.90.0.70", + "10.90.0.180" + ], + "launched_at": "2025-05-29T16:04:40.000Z", + "platform": "AMAZON_LINUX_2", + "subnet_id": "subnet-0ababcdefabcdef11", + "type": "t3.medium", + "vpc_id": "vpc-04ab0123456789123" + } + } + }, + "id": "i-059abcdefabcdef1b", + "partition": "aws", + "region": "us-east-2", + "tags": { + "aws:autoscaling:groupName": "eks-sei_demo_prod_linux-00c12345-abcd-1234-5678-601234567896", + "aws:ec2launchtemplate:version": "6", + "aws:eks:cluster-name": "sei_demo_prod", + "eks:cluster-name": "sei_demo_prod", + "eks:nodegroup-name": "sei_demo_prod_linux", + "k8s.io/cluster-autoscaler/enabled": "true", + "k8s.io/cluster-autoscaler/sei_demo_prod": "owned", + "kubernetes.io/cluster/sei_demo_prod": "owned" + }, + "type": "AWS_EC2_INSTANCE" + } + ], + "severity": "HIGH", + "status": "ACTIVE", + "title": "CVE-2023-45288 - golang.org/x/net", + "transform_unique_id": "CVE-2023-45288|i-059abcdefabcdef1b|{0=golang.org/x/net}|{0=v0.1.0}", + "type": "PACKAGE_VULNERABILITY", + "updated_at": "2025-06-05T23:26:37.322Z" + } + }, + "cloud": { + "account": { + "id": "123456789012" + }, + "instance": { + "id": 
"i-059abcdefabcdef1b" + }, + "machine": { + "type": "t3.medium" + }, + "provider": "aws", + "region": "us-east-2" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "id": "CVE-2023-45288|i-059abcdefabcdef1b|{0=golang.org/x/net}|{0=v0.1.0}|2025-06-05T23:26:37.322Z", + "kind": "event", + "original": "{\"awsAccountId\":\"123456789012\",\"description\":\"An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. 
The fix sets a limit on the amount of excess header frames we will process before closing a connection.\",\"epss\":{\"score\":0.66635},\"exploitAvailable\":\"NO\",\"findingArn\":\"arn:aws:inspector2:us-east-2:123456789012:finding/4038abcdef0123456789abcdef89a264\",\"firstObservedAt\":1748539666.436,\"fixAvailable\":\"YES\",\"inspectorScore\":7.5,\"inspectorScoreDetails\":{\"adjustedCvss\":{\"adjustments\":[],\"cvssSource\":\"NVD\",\"score\":7.5,\"scoreSource\":\"NVD\",\"scoringVector\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"version\":\"3.1\"}},\"lastObservedAt\":1749165997.322,\"packageVulnerabilityDetails\":{\"cvss\":[{\"baseScore\":7.5,\"scoringVector\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"source\":\"NVD\",\"version\":\"3.1\"}],\"referenceUrls\":[\"https://nvd.nist.gov/vuln/detail/CVE-2023-45288\",\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRYFHIQ6XRKRYBI2F5UESH67BJBQXUPT/\",\"https://groups.google.com/g/golang-announce/c/YgW0sx8mN3M\"],\"relatedVulnerabilities\":[],\"source\":\"NVD\",\"sourceUrl\":\"https://nvd.nist.gov/vuln/detail/CVE-2023-45288\",\"vendorCreatedAt\":1712265316,\"vendorSeverity\":\"HIGH\",\"vendorUpdatedAt\":1732177602,\"vulnerabilityId\":\"CVE-2023-45288\",\"vulnerablePackages\":[{\"epoch\":0,\"filePath\":\"vol-00a0d78ffdf6dd3fd:/p1:opt/cni/bin/aws-cni\",\"fixedInVersion\":\"0.23.0\",\"name\":\"golang.org/x/net\",\"packageManager\":\"GOBINARY\",\"version\":\"v0.1.0\"}]},\"remediation\":{\"recommendation\":{\"text\":\"None 
Provided\"}},\"resources\":[{\"details\":{\"awsEc2Instance\":{\"iamInstanceProfileArn\":\"arn:aws:iam::123456789012:instance-profile/eks-0012345a-1234-5678-1234-6c1abcdef012\",\"imageId\":\"ami-0e0f0123456789abd\",\"ipV4Addresses\":[\"10.90.0.87\",\"10.90.0.60\",\"10.90.0.30\",\"10.90.0.74\",\"10.90.0.206\",\"10.90.0.207\",\"10.90.0.37\",\"10.90.0.149\",\"10.90.0.235\",\"1.128.0.2\",\"10.90.0.225\",\"10.90.0.212\",\"10.90.0.199\",\"10.90.0.240\",\"10.90.0.164\",\"10.90.0.160\",\"10.90.0.182\",\"10.90.0.70\",\"10.90.0.180\"],\"ipV6Addresses\":[],\"launchedAt\":1748534680,\"platform\":\"AMAZON_LINUX_2\",\"subnetId\":\"subnet-0ababcdefabcdef11\",\"type\":\"t3.medium\",\"vpcId\":\"vpc-04ab0123456789123\"}},\"id\":\"i-059abcdefabcdef1b\",\"partition\":\"aws\",\"region\":\"us-east-2\",\"tags\":{\"aws:autoscaling:groupName\":\"eks-sei_demo_prod_linux-00c12345-abcd-1234-5678-601234567896\",\"aws:ec2launchtemplate:version\":\"6\",\"aws:eks:cluster-name\":\"sei_demo_prod\",\"eks:cluster-name\":\"sei_demo_prod\",\"eks:nodegroup-name\":\"sei_demo_prod_linux\",\"k8s.io/cluster-autoscaler/enabled\":\"true\",\"k8s.io/cluster-autoscaler/sei_demo_prod\":\"owned\",\"kubernetes.io/cluster/sei_demo_prod\":\"owned\"},\"type\":\"AWS_EC2_INSTANCE\"}],\"severity\":\"HIGH\",\"status\":\"ACTIVE\",\"title\":\"CVE-2023-45288 - golang.org/x/net\",\"type\":\"PACKAGE_VULNERABILITY\",\"updatedAt\":1749165997.322}", + "type": [ + "info" + ] + }, + "host": { + "id": "i-059abcdefabcdef1b", + "ip": [ + "10.90.0.87", + "10.90.0.60", + "10.90.0.30", + "10.90.0.74", + "10.90.0.206", + "10.90.0.207", + "10.90.0.37", + "10.90.0.149", + "10.90.0.235", + "1.128.0.2", + "10.90.0.225", + "10.90.0.212", + "10.90.0.199", + "10.90.0.240", + "10.90.0.164", + "10.90.0.160", + "10.90.0.182", + "10.90.0.70", + "10.90.0.180" + ], + "os": { + "platform": "AMAZON_LINUX_2", + "type": "linux" + }, + "type": "t3.medium" + }, + "message": "An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by 
sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.", + "observer": { + "vendor": "Amazon Inspector" + }, + "package": { + "fixed_version": [ + "0.23.0" + ], + "name": [ + "golang.org/x/net" + ], + "path": [ + "vol-00a0d78ffdf6dd3fd:/p1:opt/cni/bin/aws-cni" + ], + "version": [ + "v0.1.0" + ] + }, + "related": { + "ip": [ + "10.90.0.87", + "10.90.0.60", + "10.90.0.30", + "10.90.0.74", + "10.90.0.206", + "10.90.0.207", + "10.90.0.37", + "10.90.0.149", + "10.90.0.235", + "1.128.0.2", + "10.90.0.225", + "10.90.0.212", + "10.90.0.199", + "10.90.0.240", + "10.90.0.164", + "10.90.0.160", + "10.90.0.182", + "10.90.0.70", + "10.90.0.180" + ] + }, + "resource": { + "id": "i-059abcdefabcdef1b", + "type": "AWS_EC2_INSTANCE" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "description": "An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. 
This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.", + "id": "CVE-2023-45288", + "published_date": "2024-04-04T21:15:16.000Z", + "reference": [ + "https://nvd.nist.gov/vuln/detail/CVE-2023-45288", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRYFHIQ6XRKRYBI2F5UESH67BJBQXUPT/", + "https://groups.google.com/g/golang-announce/c/YgW0sx8mN3M" + ], + "scanner": { + "vendor": "Amazon Inspector" + }, + "score": { + "base": 7.5, + "version": "3.1" + }, + "severity": "High", + "title": "CVE-2023-45288 - golang.org/x/net" + } + }, + { + "@timestamp": "2025-06-05T23:26:37.322Z", + "aws": { + "inspector": { + "aws_account_id": "123456789012", + "description": "The net/http package accepted data in the chunked transfer encoding containing an invalid chunk-size line terminated by a bare LF. 
When used in conjunction with a server or proxy which incorrectly interprets a bare LF in a chunk extension as part of the extension, this could permit request smuggling.", + "epss": { + "score": 1.8E-4 + }, + "exploit_available": "YES", + "exploitability_details": { + "last_known_exploit_at": "2025-06-05T01:16:07.000Z" + }, + "finding_arn": "arn:aws:inspector2:us-east-2:123456789012:finding/e3c4abcdef0123456789abcdefc5174a", + "first_observed_at": "2025-05-30T18:25:05.465Z", + "fix_available": "YES", + "inspector_score": 7.5, + "inspector_score_details": { + "adjusted_cvss": { + "cvss_source": "AMAZON_CVE", + "score": { + "source": "AMAZON_CVE", + "value": 7.5 + }, + "scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "version": "3.1" + } + }, + "last_observed_at": "2025-06-05T23:26:37.322Z", + "package_nested": [ + { + "arch": "X86_64", + "epoch": 0, + "fixed_in_version": "0:1.32.0-1.amzn2.0.1", + "name": "cri-tools", + "package_manager": "OS", + "release": "1.amzn2.0.2", + "remediation": "yum update cri-tools", + "version": "1.29.0" + }, + { + "arch": "X86_64", + "epoch": 0, + "fixed_in_version": "0:2.0.5-1.amzn2.0.1", + "name": "nerdctl", + "package_manager": "OS", + "release": "1.amzn2.0.1", + "remediation": "yum update nerdctl", + "version": "2.0.4" + } + ], + "package_vulnerability_details": { + "cvss": [ + { + "base_score": 7.5, + "scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "source": "AMAZON_CVE", + "version": "3.1" + }, + { + "base_score": 9.1, + "scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", + "source": "NVD", + "version": "3.1" + } + ], + "reference_urls": [ + "https://alas.aws.amazon.com/AL2023/ALAS-2025-981.html", + "https://alas.aws.amazon.com/AL2/ALASECS-2025-055.html", + "https://alas.aws.amazon.com/AL2/ALASNITRO-ENCLAVES-2025-061.html", + "https://alas.aws.amazon.com/AL2/ALASDOCKER-2025-064.html", + "https://alas.aws.amazon.com/AL2/ALASNITRO-ENCLAVES-2025-054.html", + 
"https://alas.aws.amazon.com/AL2023/ALAS-2025-945.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2025-980.html", + "https://alas.aws.amazon.com/AL2/ALASDOCKER-2025-063.html", + "https://alas.aws.amazon.com/AL2/ALAS-2025-2863.html", + "https://alas.aws.amazon.com/AL2/ALASDOCKER-2025-058.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2025-933.html", + "https://alas.aws.amazon.com/AL2/ALASDOCKER-2025-065.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2025-978.html", + "https://alas.aws.amazon.com/AL2/ALAS-2025-2870.html", + "https://alas.aws.amazon.com/AL2/ALAS-2025-2825.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2025-979.html", + "https://alas.aws.amazon.com/cve/json/v1/CVE-2025-22871.json", + "https://alas.aws.amazon.com/AL2023/ALAS-2025-968.html", + "https://alas.aws.amazon.com/AL2/ALAS-2025-2851.html" + ], + "related_vulnerabilities": [ + "ALAS2023-2025-968", + "ALAS2023-2025-979", + "ALAS2NITRO-ENCLAVES-2025-054", + "ALAS2NITRO-ENCLAVES-2025-061", + "ALAS2-2025-2825", + "ALAS2023-2025-980", + "ALAS2023-2025-981", + "ALAS2-2025-2863", + "ALAS2DOCKER-2025-063", + "ALAS2-2025-2851", + "ALAS2DOCKER-2025-064", + "ALAS2DOCKER-2025-065", + "ALAS2-2025-2870", + "ALAS2023-2025-933", + "ALAS2DOCKER-2025-058", + "ALAS2023-2025-978", + "ALAS2023-2025-945" + ], + "source": { + "url": { + "domain": "alas.aws.amazon.com", + "extension": "json", + "original": "https://alas.aws.amazon.com/cve/json/v1/CVE-2025-22871.json", + "path": "/cve/json/v1/CVE-2025-22871.json", + "scheme": "https" + }, + "value": "AMAZON_CVE" + }, + "vendor": { + "created_at": "2025-04-08T00:00:00.000Z", + "severity": "Important", + "updated_at": "2025-04-08T00:00:00.000Z" + }, + "vulnerability_id": "CVE-2025-22871", + "vulnerable_packages": [ + { + "arch": "X86_64", + "epoch": 0, + "fixed_in_version": "0:1.32.0-1.amzn2.0.1", + "name": "cri-tools", + "package_manager": "OS", + "release": "1.amzn2.0.2", + "remediation": "yum update cri-tools", + "version": "1.29.0" + }, + { + "arch": 
"X86_64", + "epoch": 0, + "fixed_in_version": "0:2.0.5-1.amzn2.0.1", + "name": "nerdctl", + "package_manager": "OS", + "release": "1.amzn2.0.1", + "remediation": "yum update nerdctl", + "version": "2.0.4" + } + ] + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "resources": [ + { + "details": { + "aws": { + "ec2_instance": { + "iam_instance_profile_arn": "arn:aws:iam::123456789012:instance-profile/eks-0012345a-1234-5678-1234-6c1abcdef012", + "image_id": "ami-0e0f0123456789abd", + "ipv4_addresses": [ + "10.90.0.87", + "10.90.0.60", + "10.90.0.30", + "10.90.0.74", + "10.90.0.206", + "10.90.0.207", + "10.90.0.37", + "10.90.0.149", + "10.90.0.235", + "1.128.0.2", + "10.90.0.225", + "10.90.0.212", + "10.90.0.199", + "10.90.0.240", + "10.90.0.164", + "10.90.0.160", + "10.90.0.182", + "10.90.0.70", + "10.90.0.180" + ], + "launched_at": "2025-05-29T16:04:40.000Z", + "platform": "AMAZON_LINUX_2", + "subnet_id": "subnet-0ababcdefabcdef11", + "type": "t3.medium", + "vpc_id": "vpc-04ab0123456789123" + } + } + }, + "id": "i-059abcdefabcdef1b", + "partition": "aws", + "region": "us-east-2", + "tags": { + "aws:autoscaling:groupName": "eks-sei_demo_prod_linux-00c12345-abcd-1234-5678-601234567896", + "aws:ec2launchtemplate:version": "6", + "aws:eks:cluster-name": "sei_demo_prod", + "eks:cluster-name": "sei_demo_prod", + "eks:nodegroup-name": "sei_demo_prod_linux", + "k8s.io/cluster-autoscaler/enabled": "true", + "k8s.io/cluster-autoscaler/sei_demo_prod": "owned", + "kubernetes.io/cluster/sei_demo_prod": "owned" + }, + "type": "AWS_EC2_INSTANCE" + } + ], + "severity": "HIGH", + "status": "ACTIVE", + "title": "CVE-2025-22871 - cri-tools, nerdctl", + "transform_unique_id": "CVE-2025-22871|i-059abcdefabcdef1b|{0=cri-tools, 1=nerdctl}|{0=1.29.0, 1=2.0.4}", + "type": "PACKAGE_VULNERABILITY", + "updated_at": "2025-06-05T23:26:37.322Z" + } + }, + "cloud": { + "account": { + "id": "123456789012" + }, + "instance": { + "id": "i-059abcdefabcdef1b" + }, + 
"machine": { + "type": "t3.medium" + }, + "provider": "aws", + "region": "us-east-2" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "id": "CVE-2025-22871|i-059abcdefabcdef1b|{0=cri-tools, 1=nerdctl}|{0=1.29.0, 1=2.0.4}|2025-06-05T23:26:37.322Z", + "kind": "event", + "original": "{\"awsAccountId\":\"123456789012\",\"description\":\"The net/http package accepted data in the chunked transfer encoding containing an invalid chunk-size line terminated by a bare LF. When used in conjunction with a server or proxy which incorrectly interprets a bare LF in a chunk extension as part of the extension, this could permit request smuggling.\",\"epss\":{\"score\":0.00018},\"exploitAvailable\":\"YES\",\"exploitabilityDetails\":{\"lastKnownExploitAt\":1749086167},\"findingArn\":\"arn:aws:inspector2:us-east-2:123456789012:finding/e3c4abcdef0123456789abcdefc5174a\",\"firstObservedAt\":1748629505.465,\"fixAvailable\":\"YES\",\"inspectorScore\":7.5,\"inspectorScoreDetails\":{\"adjustedCvss\":{\"adjustments\":[],\"cvssSource\":\"AMAZON_CVE\",\"score\":7.5,\"scoreSource\":\"AMAZON_CVE\",\"scoringVector\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\",\"version\":\"3.1\"}},\"lastObservedAt\":1749165997.322,\"packageVulnerabilityDetails\":{\"cvss\":[{\"baseScore\":7.5,\"scoringVector\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\",\"source\":\"AMAZON_CVE\",\"version\":\"3.1\"},{\"baseScore\":9.1,\"scoringVector\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\",\"source\":\"NVD\",\"version\":\"3.1\"}],\"referenceUrls\":[\"https://alas.aws.amazon.com/AL2023/ALAS-2025-981.html\",\"https://alas.aws.amazon.com/AL2/ALASECS-2025-055.html\",\"https://alas.aws.amazon.com/AL2/ALASNITRO-ENCLAVES-2025-061.html\",\"https://alas.aws.amazon.com/AL2/ALASDOCKER-2025-064.html\",\"https://alas.aws.amazon.com/AL2/ALASNITRO-ENCLAVES-2025-054.html\",\"https://alas.aws.amazon.com/AL2023/ALAS-2025-945.html\",\"https://alas.aws.amazon.com/AL2023/ALAS-2025-980.
html\",\"https://alas.aws.amazon.com/AL2/ALASDOCKER-2025-063.html\",\"https://alas.aws.amazon.com/AL2/ALAS-2025-2863.html\",\"https://alas.aws.amazon.com/AL2/ALASDOCKER-2025-058.html\",\"https://alas.aws.amazon.com/AL2023/ALAS-2025-933.html\",\"https://alas.aws.amazon.com/AL2/ALASDOCKER-2025-065.html\",\"https://alas.aws.amazon.com/AL2023/ALAS-2025-978.html\",\"https://alas.aws.amazon.com/AL2/ALAS-2025-2870.html\",\"https://alas.aws.amazon.com/AL2/ALAS-2025-2825.html\",\"https://alas.aws.amazon.com/AL2023/ALAS-2025-979.html\",\"https://alas.aws.amazon.com/cve/json/v1/CVE-2025-22871.json\",\"https://alas.aws.amazon.com/AL2023/ALAS-2025-968.html\",\"https://alas.aws.amazon.com/AL2/ALAS-2025-2851.html\"],\"relatedVulnerabilities\":[\"ALAS2023-2025-968\",\"ALAS2023-2025-979\",\"ALAS2NITRO-ENCLAVES-2025-054\",\"ALAS2NITRO-ENCLAVES-2025-061\",\"ALAS2-2025-2825\",\"ALAS2023-2025-980\",\"ALAS2023-2025-981\",\"ALAS2-2025-2863\",\"ALAS2DOCKER-2025-063\",\"ALAS2-2025-2851\",\"ALAS2DOCKER-2025-064\",\"ALAS2DOCKER-2025-065\",\"ALAS2-2025-2870\",\"ALAS2023-2025-933\",\"ALAS2DOCKER-2025-058\",\"ALAS2023-2025-978\",\"ALAS2023-2025-945\"],\"source\":\"AMAZON_CVE\",\"sourceUrl\":\"https://alas.aws.amazon.com/cve/json/v1/CVE-2025-22871.json\",\"vendorCreatedAt\":1744070400,\"vendorSeverity\":\"Important\",\"vendorUpdatedAt\":1744070400,\"vulnerabilityId\":\"CVE-2025-22871\",\"vulnerablePackages\":[{\"arch\":\"X86_64\",\"epoch\":0,\"fixedInVersion\":\"0:1.32.0-1.amzn2.0.1\",\"name\":\"cri-tools\",\"packageManager\":\"OS\",\"release\":\"1.amzn2.0.2\",\"remediation\":\"yum update cri-tools\",\"version\":\"1.29.0\"},{\"arch\":\"X86_64\",\"epoch\":0,\"fixedInVersion\":\"0:2.0.5-1.amzn2.0.1\",\"name\":\"nerdctl\",\"packageManager\":\"OS\",\"release\":\"1.amzn2.0.1\",\"remediation\":\"yum update nerdctl\",\"version\":\"2.0.4\"}]},\"remediation\":{\"recommendation\":{\"text\":\"None 
Provided\"}},\"resources\":[{\"details\":{\"awsEc2Instance\":{\"iamInstanceProfileArn\":\"arn:aws:iam::123456789012:instance-profile/eks-0012345a-1234-5678-1234-6c1abcdef012\",\"imageId\":\"ami-0e0f0123456789abd\",\"ipV4Addresses\":[\"10.90.0.87\",\"10.90.0.60\",\"10.90.0.30\",\"10.90.0.74\",\"10.90.0.206\",\"10.90.0.207\",\"10.90.0.37\",\"10.90.0.149\",\"10.90.0.235\",\"1.128.0.2\",\"10.90.0.225\",\"10.90.0.212\",\"10.90.0.199\",\"10.90.0.240\",\"10.90.0.164\",\"10.90.0.160\",\"10.90.0.182\",\"10.90.0.70\",\"10.90.0.180\"],\"ipV6Addresses\":[],\"launchedAt\":1748534680,\"platform\":\"AMAZON_LINUX_2\",\"subnetId\":\"subnet-0ababcdefabcdef11\",\"type\":\"t3.medium\",\"vpcId\":\"vpc-04ab0123456789123\"}},\"id\":\"i-059abcdefabcdef1b\",\"partition\":\"aws\",\"region\":\"us-east-2\",\"tags\":{\"aws:autoscaling:groupName\":\"eks-sei_demo_prod_linux-00c12345-abcd-1234-5678-601234567896\",\"aws:ec2launchtemplate:version\":\"6\",\"aws:eks:cluster-name\":\"sei_demo_prod\",\"eks:cluster-name\":\"sei_demo_prod\",\"eks:nodegroup-name\":\"sei_demo_prod_linux\",\"k8s.io/cluster-autoscaler/enabled\":\"true\",\"k8s.io/cluster-autoscaler/sei_demo_prod\":\"owned\",\"kubernetes.io/cluster/sei_demo_prod\":\"owned\"},\"type\":\"AWS_EC2_INSTANCE\"}],\"severity\":\"HIGH\",\"status\":\"ACTIVE\",\"title\":\"CVE-2025-22871 - cri-tools, nerdctl\",\"type\":\"PACKAGE_VULNERABILITY\",\"updatedAt\":1749165997.322}", + "type": [ + "info" + ] + }, + "host": { + "id": "i-059abcdefabcdef1b", + "ip": [ + "10.90.0.87", + "10.90.0.60", + "10.90.0.30", + "10.90.0.74", + "10.90.0.206", + "10.90.0.207", + "10.90.0.37", + "10.90.0.149", + "10.90.0.235", + "1.128.0.2", + "10.90.0.225", + "10.90.0.212", + "10.90.0.199", + "10.90.0.240", + "10.90.0.164", + "10.90.0.160", + "10.90.0.182", + "10.90.0.70", + "10.90.0.180" + ], + "os": { + "platform": "AMAZON_LINUX_2", + "type": "linux" + }, + "type": "t3.medium" + }, + "message": "The net/http package accepted data in the chunked transfer encoding containing an 
invalid chunk-size line terminated by a bare LF. When used in conjunction with a server or proxy which incorrectly interprets a bare LF in a chunk extension as part of the extension, this could permit request smuggling.", + "observer": { + "vendor": "Amazon Inspector" + }, + "package": { + "architecture": [ + "X86_64" + ], + "fixed_version": [ + "0:1.32.0-1.amzn2.0.1", + "0:2.0.5-1.amzn2.0.1" + ], + "name": [ + "cri-tools", + "nerdctl" + ], + "version": [ + "1.29.0", + "2.0.4" + ] + }, + "related": { + "ip": [ + "10.90.0.87", + "10.90.0.60", + "10.90.0.30", + "10.90.0.74", + "10.90.0.206", + "10.90.0.207", + "10.90.0.37", + "10.90.0.149", + "10.90.0.235", + "1.128.0.2", + "10.90.0.225", + "10.90.0.212", + "10.90.0.199", + "10.90.0.240", + "10.90.0.164", + "10.90.0.160", + "10.90.0.182", + "10.90.0.70", + "10.90.0.180" + ] + }, + "resource": { + "id": "i-059abcdefabcdef1b", + "type": "AWS_EC2_INSTANCE" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "description": "The net/http package accepted data in the chunked transfer encoding containing an invalid chunk-size line terminated by a bare LF. 
When used in conjunction with a server or proxy which incorrectly interprets a bare LF in a chunk extension as part of the extension, this could permit request smuggling.", + "id": "CVE-2025-22871", + "published_date": "2025-04-08T00:00:00.000Z", + "reference": [ + "https://alas.aws.amazon.com/AL2023/ALAS-2025-981.html", + "https://alas.aws.amazon.com/AL2/ALASECS-2025-055.html", + "https://alas.aws.amazon.com/AL2/ALASNITRO-ENCLAVES-2025-061.html", + "https://alas.aws.amazon.com/AL2/ALASDOCKER-2025-064.html", + "https://alas.aws.amazon.com/AL2/ALASNITRO-ENCLAVES-2025-054.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2025-945.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2025-980.html", + "https://alas.aws.amazon.com/AL2/ALASDOCKER-2025-063.html", + "https://alas.aws.amazon.com/AL2/ALAS-2025-2863.html", + "https://alas.aws.amazon.com/AL2/ALASDOCKER-2025-058.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2025-933.html", + "https://alas.aws.amazon.com/AL2/ALASDOCKER-2025-065.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2025-978.html", + "https://alas.aws.amazon.com/AL2/ALAS-2025-2870.html", + "https://alas.aws.amazon.com/AL2/ALAS-2025-2825.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2025-979.html", + "https://alas.aws.amazon.com/cve/json/v1/CVE-2025-22871.json", + "https://alas.aws.amazon.com/AL2023/ALAS-2025-968.html", + "https://alas.aws.amazon.com/AL2/ALAS-2025-2851.html" + ], + "scanner": { + "vendor": "Amazon Inspector" + }, + "score": { + "base": 7.5, + "version": "3.1" + }, + "severity": "High", + "title": "CVE-2025-22871 - cri-tools, nerdctl" + } + }, + { + "@timestamp": "2025-06-05T23:26:37.322Z", + "aws": { + "inspector": { + "aws_account_id": "123456789012", + "description": "A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. 
While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrent", + "epss": { + "score": 0.0015 + }, + "exploit_available": "NO", + "finding_arn": "arn:aws:inspector2:us-east-2:123456789012:finding/5303abcdef0123456789abcdef4a68be", + "first_observed_at": "2025-05-29T17:27:46.436Z", + "fix_available": "YES", + "inspector_score": 7.5, + "inspector_score_details": { + "adjusted_cvss": { + "cvss_source": "NVD", + "score": { + "source": "NVD", + "value": 7.5 + }, + "scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "version": "3.1" + } + }, + "last_observed_at": "2025-06-05T23:26:37.322Z", + "package_nested": [ + { + "epoch": 0, + "file_path": "vol-00a0d78ffdf6dd3fd:/p1:opt/cni/bin/aws-cni", + "fixed_in_version": "0.17.0", + "name": "golang.org/x/net", + "package_manager": "GOBINARY", + "version": "v0.1.0" + } + ], + "package_vulnerability_details": { + "cvss": [ + { + "base_score": 7.5, + "scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": "NVD", + "version": "3.1" + } + ], + "source": { + "url": { + "domain": "nvd.nist.gov", + "original": "https://nvd.nist.gov/vuln/detail/CVE-2023-39325", + "path": 
"/vuln/detail/CVE-2023-39325", + "scheme": "https" + }, + "value": "NVD" + }, + "vendor": { + "created_at": "2023-10-11T22:15:09.000Z", + "severity": "HIGH", + "updated_at": "2024-11-21T08:15:09.000Z" + }, + "vulnerability_id": "CVE-2023-39325", + "vulnerable_packages": [ + { + "epoch": 0, + "file_path": "vol-00a0d78ffdf6dd3fd:/p1:opt/cni/bin/aws-cni", + "fixed_in_version": "0.17.0", + "name": "golang.org/x/net", + "package_manager": "GOBINARY", + "version": "v0.1.0" + } + ] + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "resources": [ + { + "details": { + "aws": { + "ec2_instance": { + "iam_instance_profile_arn": "arn:aws:iam::123456789012:instance-profile/eks-0012345a-1234-5678-1234-6c1abcdef012", + "image_id": "ami-0e0f0123456789abd", + "ipv4_addresses": [ + "10.90.0.87", + "10.90.0.60", + "10.90.0.30", + "10.90.0.74", + "10.90.0.206", + "10.90.0.207", + "10.90.0.37", + "10.90.0.149", + "10.90.0.235", + "1.128.0.3", + "10.90.0.225", + "10.90.0.212", + "10.90.0.199", + "10.90.0.240", + "10.90.0.164", + "10.90.0.160", + "10.90.0.182", + "10.90.0.70", + "10.90.0.180" + ], + "launched_at": "2025-05-29T16:04:40.000Z", + "platform": "AMAZON_LINUX_2", + "subnet_id": "subnet-0ababcdefabcdef11", + "type": "t3.medium", + "vpc_id": "vpc-04ab0123456789123" + } + } + }, + "id": "i-059abcdefabcdef1b", + "partition": "aws", + "region": "us-east-2", + "tags": { + "aws:autoscaling:groupName": "eks-sei_demo_prod_linux-00c12345-abcd-1234-5678-601234567896", + "aws:ec2launchtemplate:version": "6", + "aws:eks:cluster-name": "sei_demo_prod", + "eks:cluster-name": "sei_demo_prod", + "eks:nodegroup-name": "sei_demo_prod_linux", + "k8s.io/cluster-autoscaler/enabled": "true", + "k8s.io/cluster-autoscaler/sei_demo_prod": "owned", + "kubernetes.io/cluster/sei_demo_prod": "owned" + }, + "type": "AWS_EC2_INSTANCE" + } + ], + "severity": "HIGH", + "status": "ACTIVE", + "title": "CVE-2023-39325 - golang.org/x/net", + "transform_unique_id": 
"CVE-2023-39325|i-059abcdefabcdef1b|{0=golang.org/x/net}|{0=v0.1.0}", + "type": "PACKAGE_VULNERABILITY", + "updated_at": "2025-06-05T23:26:37.322Z" + } + }, + "cloud": { + "account": { + "id": "123456789012" + }, + "instance": { + "id": "i-059abcdefabcdef1b" + }, + "machine": { + "type": "t3.medium" + }, + "provider": "aws", + "region": "us-east-2" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "id": "CVE-2023-39325|i-059abcdefabcdef1b|{0=golang.org/x/net}|{0=v0.1.0}|2025-06-05T23:26:37.322Z", + "kind": "event", + "original": "{\"awsAccountId\":\"123456789012\",\"description\":\"A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. 
This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrent\",\"epss\":{\"score\":0.0015},\"exploitAvailable\":\"NO\",\"findingArn\":\"arn:aws:inspector2:us-east-2:123456789012:finding/5303abcdef0123456789abcdef4a68be\",\"firstObservedAt\":1748539666.436,\"fixAvailable\":\"YES\",\"inspectorScore\":7.5,\"inspectorScoreDetails\":{\"adjustedCvss\":{\"adjustments\":[],\"cvssSource\":\"NVD\",\"score\":7.5,\"scoreSource\":\"NVD\",\"scoringVector\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"version\":\"3.1\"}},\"lastObservedAt\":1749165997.322,\"packageVulnerabilityDetails\":{\"cvss\":[{\"baseScore\":7.5,\"scoringVector\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"source\":\"NVD\",\"version\":\"3.1\"}],\"referenceUrls\":[],\"relatedVulnerabilities\":[],\"source\":\"NVD\",\"sourceUrl\":\"https://nvd.nist.gov/vuln/detail/CVE-2023-39325\",\"vendorCreatedAt\":1697062509,\"vendorSeverity\":\"HIGH\",\"vendorUpdatedAt\":1732176909,\"vulnerabilityId\":\"CVE-2023-39325\",\"vulnerablePackages\":[{\"epoch\":0,\"filePath\":\"vol-00a0d78ffdf6dd3fd:/p1:opt/cni/bin/aws-cni\",\"fixedInVersion\":\"0.17.0\",\"name\":\"golang.org/x/net\",\"packageManager\":\"GOBINARY\",\"version\":\"v0.1.0\"}]},\"remediation\":{\"recommendation\":{\"text\":\"None 
Provided\"}},\"resources\":[{\"details\":{\"awsEc2Instance\":{\"iamInstanceProfileArn\":\"arn:aws:iam::123456789012:instance-profile/eks-0012345a-1234-5678-1234-6c1abcdef012\",\"imageId\":\"ami-0e0f0123456789abd\",\"ipV4Addresses\":[\"10.90.0.87\",\"10.90.0.60\",\"10.90.0.30\",\"10.90.0.74\",\"10.90.0.206\",\"10.90.0.207\",\"10.90.0.37\",\"10.90.0.149\",\"10.90.0.235\",\"1.128.0.3\",\"10.90.0.225\",\"10.90.0.212\",\"10.90.0.199\",\"10.90.0.240\",\"10.90.0.164\",\"10.90.0.160\",\"10.90.0.182\",\"10.90.0.70\",\"10.90.0.180\"],\"ipV6Addresses\":[],\"launchedAt\":1748534680,\"platform\":\"AMAZON_LINUX_2\",\"subnetId\":\"subnet-0ababcdefabcdef11\",\"type\":\"t3.medium\",\"vpcId\":\"vpc-04ab0123456789123\"}},\"id\":\"i-059abcdefabcdef1b\",\"partition\":\"aws\",\"region\":\"us-east-2\",\"tags\":{\"aws:autoscaling:groupName\":\"eks-sei_demo_prod_linux-00c12345-abcd-1234-5678-601234567896\",\"aws:ec2launchtemplate:version\":\"6\",\"aws:eks:cluster-name\":\"sei_demo_prod\",\"eks:cluster-name\":\"sei_demo_prod\",\"eks:nodegroup-name\":\"sei_demo_prod_linux\",\"k8s.io/cluster-autoscaler/enabled\":\"true\",\"k8s.io/cluster-autoscaler/sei_demo_prod\":\"owned\",\"kubernetes.io/cluster/sei_demo_prod\":\"owned\"},\"type\":\"AWS_EC2_INSTANCE\"}],\"severity\":\"HIGH\",\"status\":\"ACTIVE\",\"title\":\"CVE-2023-39325 - golang.org/x/net\",\"type\":\"PACKAGE_VULNERABILITY\",\"updatedAt\":1749165997.322}", + "type": [ + "info" + ] + }, + "host": { + "id": "i-059abcdefabcdef1b", + "ip": [ + "10.90.0.87", + "10.90.0.60", + "10.90.0.30", + "10.90.0.74", + "10.90.0.206", + "10.90.0.207", + "10.90.0.37", + "10.90.0.149", + "10.90.0.235", + "1.128.0.3", + "10.90.0.225", + "10.90.0.212", + "10.90.0.199", + "10.90.0.240", + "10.90.0.164", + "10.90.0.160", + "10.90.0.182", + "10.90.0.70", + "10.90.0.180" + ], + "os": { + "platform": "AMAZON_LINUX_2", + "type": "linux" + }, + "type": "t3.medium" + }, + "message": "A malicious HTTP/2 client which rapidly creates requests and immediately resets them 
can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrent", + "observer": { + "vendor": "Amazon Inspector" + }, + "package": { + "fixed_version": [ + "0.17.0" + ], + "name": [ + "golang.org/x/net" + ], + "path": [ + "vol-00a0d78ffdf6dd3fd:/p1:opt/cni/bin/aws-cni" + ], + "version": [ + "v0.1.0" + ] + }, + "related": { + "ip": [ + "10.90.0.87", + "10.90.0.60", + "10.90.0.30", + "10.90.0.74", + "10.90.0.206", + "10.90.0.207", + "10.90.0.37", + "10.90.0.149", + "10.90.0.235", + "1.128.0.3", + "10.90.0.225", + "10.90.0.212", + "10.90.0.199", + "10.90.0.240", + "10.90.0.164", + "10.90.0.160", + "10.90.0.182", + "10.90.0.70", + "10.90.0.180" + ] + }, + "resource": { + "id": "i-059abcdefabcdef1b", + "type": "AWS_EC2_INSTANCE" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "description": "A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. 
While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrent", + "id": "CVE-2023-39325", + "published_date": "2023-10-11T22:15:09.000Z", + "scanner": { + "vendor": "Amazon Inspector" + }, + "score": { + "base": 7.5, + "version": "3.1" + }, + "severity": "High", + "title": "CVE-2023-39325 - golang.org/x/net" + } + }, + { + "@timestamp": "2025-06-13T06:24:55.486Z", + "aws": { + "inspector": { + "aws_account_id": "123451234512", + "description": "In sshd in OpenSSH before 10.0, the DisableForwarding directive does not adhere to the documentation stating that it disables X11 and agent forwarding.", + "epss": { + "score": 2.4E-4 + }, + "exploit_available": "NO", + "finding_arn": "arn:aws:inspector2:us-east-2:123451234512:finding/df63abcdef0123456789abcdefaeed1e", + "first_observed_at": "2025-06-13T06:24:55.486Z", + "fix_available": "YES", + "inspector_score": 4.3, + "inspector_score_details": { + "adjusted_cvss": { + "cvss_source": "AMAZON_CVE", + "score": { + "source": "AMAZON_CVE", + "value": 4.3 + }, + "scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N", + "version": "3.1" + } + }, + "last_observed_at": "2025-06-13T06:24:55.486Z", + 
"package_nested": [ + { + "arch": "X86_64", + "epoch": 0, + "fixed_in_version": "0:7.4p1-22.amzn2.0.10", + "name": "openssh", + "package_manager": "OS", + "release": "22.amzn2.0.9", + "remediation": "yum update openssh", + "version": "7.4p1" + }, + { + "arch": "X86_64", + "epoch": 0, + "fixed_in_version": "0:7.4p1-22.amzn2.0.10", + "name": "openssh-clients", + "package_manager": "OS", + "release": "22.amzn2.0.9", + "remediation": "yum update openssh-clients", + "version": "7.4p1" + }, + { + "arch": "X86_64", + "epoch": 0, + "fixed_in_version": "0:7.4p1-22.amzn2.0.10", + "name": "openssh-server", + "package_manager": "OS", + "release": "22.amzn2.0.9", + "remediation": "yum update openssh-server", + "version": "7.4p1" + } + ], + "package_vulnerability_details": { + "cvss": [ + { + "base_score": 4.3, + "scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N", + "source": "AMAZON_CVE", + "version": "3.1" + }, + { + "base_score": 3.8, + "scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N", + "source": "NVD", + "version": "3.1" + } + ], + "reference_urls": [ + "https://alas.aws.amazon.com/AL2/ALAS-2025-2881.html", + "https://alas.aws.amazon.com/cve/json/v1/CVE-2025-32728.json" + ], + "related_vulnerabilities": [ + "ALAS2-2025-2881" + ], + "source": { + "url": { + "domain": "alas.aws.amazon.com", + "extension": "json", + "original": "https://alas.aws.amazon.com/cve/json/v1/CVE-2025-32728.json", + "path": "/cve/json/v1/CVE-2025-32728.json", + "scheme": "https" + }, + "value": "AMAZON_CVE" + }, + "vendor": { + "created_at": "2025-04-10T00:00:00.000Z", + "severity": "Medium", + "updated_at": "2025-04-11T00:00:00.000Z" + }, + "vulnerability_id": "CVE-2025-32728", + "vulnerable_packages": [ + { + "arch": "X86_64", + "epoch": 0, + "fixed_in_version": "0:7.4p1-22.amzn2.0.10", + "name": "openssh", + "package_manager": "OS", + "release": "22.amzn2.0.9", + "remediation": "yum update openssh", + "version": "7.4p1" + }, + { + "arch": "X86_64", + "epoch": 0, + 
"fixed_in_version": "0:7.4p1-22.amzn2.0.10", + "name": "openssh-clients", + "package_manager": "OS", + "release": "22.amzn2.0.9", + "remediation": "yum update openssh-clients", + "version": "7.4p1" + }, + { + "arch": "X86_64", + "epoch": 0, + "fixed_in_version": "0:7.4p1-22.amzn2.0.10", + "name": "openssh-server", + "package_manager": "OS", + "release": "22.amzn2.0.9", + "remediation": "yum update openssh-server", + "version": "7.4p1" + } + ] + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "resources": [ + { + "details": { + "aws": { + "ec2_instance": { + "iam_instance_profile_arn": "arn:aws:iam::123451234512:instance-profile/eks-0012345a-1234-5678-1234-6c1abcdef012", + "image_id": "ami-0e0f0123456789abd", + "ipv4_addresses": [ + "10.90.0.42", + "10.90.0.88", + "175.16.199.2", + "10.90.0.57", + "10.90.0.14", + "10.90.0.204", + "10.90.0.59", + "10.90.0.38", + "10.90.0.249", + "10.90.0.147", + "10.90.0.224", + "10.90.0.203", + "10.90.0.253", + "10.90.0.231", + "10.90.0.130", + "10.90.0.186", + "10.90.0.197", + "10.90.0.194", + "10.90.0.170" + ], + "launched_at": "2025-05-29T16:04:40.000Z", + "platform": "AMAZON_LINUX_2", + "subnet_id": "subnet-0ababcdefabcdef11", + "type": "t3.medium", + "vpc_id": "vpc-04ab0123456789123" + } + } + }, + "id": "i-020babcdefabcdefd", + "partition": "aws", + "region": "us-east-2", + "tags": { + "aws:autoscaling:groupName": "eks-sei_demo_prod_linux-00c12345-abcd-1234-5678-601234567896", + "aws:ec2launchtemplate:version": "6", + "aws:eks:cluster-name": "sei_demo_prod", + "eks:cluster-name": "sei_demo_prod", + "eks:nodegroup-name": "sei_demo_prod_linux", + "k8s.io/cluster-autoscaler/enabled": "true", + "k8s.io/cluster-autoscaler/sei_demo_prod": "owned", + "kubernetes.io/cluster/sei_demo_prod": "owned" + }, + "type": "AWS_EC2_INSTANCE" + } + ], + "severity": "MEDIUM", + "status": "ACTIVE", + "title": "CVE-2025-32728 - openssh, openssh-clients and 1 more", + "transform_unique_id": 
"CVE-2025-32728|i-020babcdefabcdefd|{0=openssh, 1=openssh-clients, 2=openssh-server}|{0=7.4p1}", + "type": "PACKAGE_VULNERABILITY", + "updated_at": "2025-06-13T06:24:55.486Z" + } + }, + "cloud": { + "account": { + "id": "123451234512" + }, + "instance": { + "id": "i-020babcdefabcdefd" + }, + "machine": { + "type": "t3.medium" + }, + "provider": "aws", + "region": "us-east-2" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "id": "CVE-2025-32728|i-020babcdefabcdefd|{0=openssh, 1=openssh-clients, 2=openssh-server}|{0=7.4p1}|2025-06-13T06:24:55.486Z", + "kind": "event", + "original": "{\"awsAccountId\":\"123451234512\",\"description\":\"In sshd in OpenSSH before 10.0, the DisableForwarding directive does not adhere to the documentation stating that it disables X11 and agent forwarding.\",\"epss\":{\"score\":0.00024},\"exploitAvailable\":\"NO\",\"findingArn\":\"arn:aws:inspector2:us-east-2:123451234512:finding/df63abcdef0123456789abcdefaeed1e\",\"firstObservedAt\":1749795895.486,\"fixAvailable\":\"YES\",\"inspectorScore\":4.3,\"inspectorScoreDetails\":{\"adjustedCvss\":{\"adjustments\":[],\"cvssSource\":\"AMAZON_CVE\",\"score\":4.3,\"scoreSource\":\"AMAZON_CVE\",\"scoringVector\":\"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N\",\"version\":\"3.1\"}},\"lastObservedAt\":1749795895.486,\"packageVulnerabilityDetails\":{\"cvss\":[{\"baseScore\":4.3,\"scoringVector\":\"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N\",\"source\":\"AMAZON_CVE\",\"version\":\"3.1\"},{\"baseScore\":3.8,\"scoringVector\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N\",\"source\":\"NVD\",\"version\":\"3.1\"}],\"referenceUrls\":[\"https://alas.aws.amazon.com/AL2/ALAS-2025-2881.html\",\"https://alas.aws.amazon.com/cve/json/v1/CVE-2025-32728.json\"],\"relatedVulnerabilities\":[\"ALAS2-2025-2881\"],\"source\":\"AMAZON_CVE\",\"sourceUrl\":\"https://alas.aws.amazon.com/cve/json/v1/CVE-2025-32728.json\",\"vendorCreatedAt\":1744243200,\"vendorSeverity\":\"Medi
um\",\"vendorUpdatedAt\":1744329600,\"vulnerabilityId\":\"CVE-2025-32728\",\"vulnerablePackages\":[{\"arch\":\"X86_64\",\"epoch\":0,\"fixedInVersion\":\"0:7.4p1-22.amzn2.0.10\",\"name\":\"openssh\",\"packageManager\":\"OS\",\"release\":\"22.amzn2.0.9\",\"remediation\":\"yum update openssh\",\"version\":\"7.4p1\"},{\"arch\":\"X86_64\",\"epoch\":0,\"fixedInVersion\":\"0:7.4p1-22.amzn2.0.10\",\"name\":\"openssh-clients\",\"packageManager\":\"OS\",\"release\":\"22.amzn2.0.9\",\"remediation\":\"yum update openssh-clients\",\"version\":\"7.4p1\"},{\"arch\":\"X86_64\",\"epoch\":0,\"fixedInVersion\":\"0:7.4p1-22.amzn2.0.10\",\"name\":\"openssh-server\",\"packageManager\":\"OS\",\"release\":\"22.amzn2.0.9\",\"remediation\":\"yum update openssh-server\",\"version\":\"7.4p1\"}]},\"remediation\":{\"recommendation\":{\"text\":\"None Provided\"}},\"resources\":[{\"details\":{\"awsEc2Instance\":{\"iamInstanceProfileArn\":\"arn:aws:iam::123451234512:instance-profile/eks-0012345a-1234-5678-1234-6c1abcdef012\",\"imageId\":\"ami-0e0f0123456789abd\",\"ipV4Addresses\":[\"10.90.0.42\",\"10.90.0.88\",\"175.16.199.2\",\"10.90.0.57\",\"10.90.0.14\",\"10.90.0.204\",\"10.90.0.59\",\"10.90.0.38\",\"10.90.0.249\",\"10.90.0.147\",\"10.90.0.224\",\"10.90.0.203\",\"10.90.0.253\",\"10.90.0.231\",\"10.90.0.130\",\"10.90.0.186\",\"10.90.0.197\",\"10.90.0.194\",\"10.90.0.170\"],\"ipV6Addresses\":[],\"launchedAt\":1748534680,\"platform\":\"AMAZON_LINUX_2\",\"subnetId\":\"subnet-0ababcdefabcdef11\",\"type\":\"t3.medium\",\"vpcId\":\"vpc-04ab0123456789123\"}},\"id\":\"i-020babcdefabcdefd\",\"partition\":\"aws\",\"region\":\"us-east-2\",\"tags\":{\"aws:autoscaling:groupName\":\"eks-sei_demo_prod_linux-00c12345-abcd-1234-5678-601234567896\",\"aws:ec2launchtemplate:version\":\"6\",\"aws:eks:cluster-name\":\"sei_demo_prod\",\"eks:cluster-name\":\"sei_demo_prod\",\"eks:nodegroup-name\":\"sei_demo_prod_linux\",\"k8s.io/cluster-autoscaler/enabled\":\"true\",\"k8s.io/cluster-autoscaler/sei_demo_prod\":\"owned\",
\"kubernetes.io/cluster/sei_demo_prod\":\"owned\"},\"type\":\"AWS_EC2_INSTANCE\"}],\"severity\":\"MEDIUM\",\"status\":\"ACTIVE\",\"title\":\"CVE-2025-32728 - openssh, openssh-clients and 1 more\",\"type\":\"PACKAGE_VULNERABILITY\",\"updatedAt\":1749795895.486}", + "type": [ + "info" + ] + }, + "host": { + "id": "i-020babcdefabcdefd", + "ip": [ + "10.90.0.42", + "10.90.0.88", + "175.16.199.2", + "10.90.0.57", + "10.90.0.14", + "10.90.0.204", + "10.90.0.59", + "10.90.0.38", + "10.90.0.249", + "10.90.0.147", + "10.90.0.224", + "10.90.0.203", + "10.90.0.253", + "10.90.0.231", + "10.90.0.130", + "10.90.0.186", + "10.90.0.197", + "10.90.0.194", + "10.90.0.170" + ], + "os": { + "platform": "AMAZON_LINUX_2", + "type": "linux" + }, + "type": "t3.medium" + }, + "message": "In sshd in OpenSSH before 10.0, the DisableForwarding directive does not adhere to the documentation stating that it disables X11 and agent forwarding.", + "observer": { + "vendor": "Amazon Inspector" + }, + "package": { + "architecture": [ + "X86_64" + ], + "fixed_version": [ + "0:7.4p1-22.amzn2.0.10" + ], + "name": [ + "openssh", + "openssh-clients", + "openssh-server" + ], + "version": [ + "7.4p1" + ] + }, + "related": { + "ip": [ + "10.90.0.42", + "10.90.0.88", + "175.16.199.2", + "10.90.0.57", + "10.90.0.14", + "10.90.0.204", + "10.90.0.59", + "10.90.0.38", + "10.90.0.249", + "10.90.0.147", + "10.90.0.224", + "10.90.0.203", + "10.90.0.253", + "10.90.0.231", + "10.90.0.130", + "10.90.0.186", + "10.90.0.197", + "10.90.0.194", + "10.90.0.170" + ] + }, + "resource": { + "id": "i-020babcdefabcdefd", + "type": "AWS_EC2_INSTANCE" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "description": "In sshd in OpenSSH before 10.0, the DisableForwarding directive does not adhere to the documentation stating that it disables X11 and agent forwarding.", + "id": "CVE-2025-32728", + "published_date": "2025-04-10T00:00:00.000Z", + "reference": [ + 
"https://alas.aws.amazon.com/AL2/ALAS-2025-2881.html", + "https://alas.aws.amazon.com/cve/json/v1/CVE-2025-32728.json" + ], + "scanner": { + "vendor": "Amazon Inspector" + }, + "score": { + "base": 4.3, + "version": "3.1" + }, + "severity": "Medium", + "title": "CVE-2025-32728 - openssh, openssh-clients and 1 more" + } + }, + { + "@timestamp": "2025-06-13T06:24:55.486Z", + "aws": { + "inspector": { + "aws_account_id": "123451234512", + "description": "setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in `PackageIndex` is present in setuptools prior to version 78.1.1. An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to remote code execution depending on the context. Version 78.1.1 fixes the issue.", + "epss": { + "score": 0.00435 + }, + "exploit_available": "NO", + "finding_arn": "arn:aws:inspector2:us-east-2:123451234512:finding/b677cabcdef0123456789abcdef72108", + "first_observed_at": "2025-06-13T06:24:55.486Z", + "fix_available": "YES", + "inspector_score": 7.5, + "inspector_score_details": { + "adjusted_cvss": { + "cvss_source": "AMAZON_CVE", + "score": { + "source": "AMAZON_CVE", + "value": 7.5 + }, + "scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "version": "3.1" + } + }, + "last_observed_at": "2025-06-13T06:24:55.486Z", + "package_nested": [ + { + "arch": "NOARCH", + "epoch": 0, + "fixed_in_version": "0:41.2.0-4.amzn2.0.6", + "name": "python2-setuptools", + "package_manager": "OS", + "release": "4.amzn2.0.5", + "remediation": "yum update python2-setuptools", + "version": "41.2.0" + }, + { + "arch": "NOARCH", + "epoch": 0, + "fixed_in_version": "0:49.1.3-1.amzn2.0.6", + "name": "python3-setuptools", + "package_manager": "OS", + "release": "1.amzn2.0.5", + "remediation": "yum update python3-setuptools", + "version": "49.1.3" + } + ], 
+ "package_vulnerability_details": { + "cvss": [ + { + "base_score": 7.5, + "scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "source": "AMAZON_CVE", + "version": "3.1" + }, + { + "base_score": 8.8, + "scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": "NVD", + "version": "3.1" + } + ], + "reference_urls": [ + "https://alas.aws.amazon.com/AL2023/ALAS-2025-1005.html", + "https://alas.aws.amazon.com/AL2/ALAS-2025-2877.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2025-1003.html", + "https://alas.aws.amazon.com/cve/json/v1/CVE-2025-47273.json", + "https://alas.aws.amazon.com/AL2023/ALAS-2025-1004.html", + "https://alas.aws.amazon.com/AL2/ALAS-2025-2876.html" + ], + "related_vulnerabilities": [ + "ALAS2-2025-2877", + "ALAS2-2025-2876", + "ALAS2023-2025-1004", + "ALAS2023-2025-1005", + "ALAS2023-2025-1003" + ], + "source": { + "url": { + "domain": "alas.aws.amazon.com", + "extension": "json", + "original": "https://alas.aws.amazon.com/cve/json/v1/CVE-2025-47273.json", + "path": "/cve/json/v1/CVE-2025-47273.json", + "scheme": "https" + }, + "value": "AMAZON_CVE" + }, + "vendor": { + "created_at": "2025-05-17T00:00:00.000Z", + "severity": "Important", + "updated_at": "2025-06-02T00:00:00.000Z" + }, + "vulnerability_id": "CVE-2025-47273", + "vulnerable_packages": [ + { + "arch": "NOARCH", + "epoch": 0, + "fixed_in_version": "0:41.2.0-4.amzn2.0.6", + "name": "python2-setuptools", + "package_manager": "OS", + "release": "4.amzn2.0.5", + "remediation": "yum update python2-setuptools", + "version": "41.2.0" + }, + { + "arch": "NOARCH", + "epoch": 0, + "fixed_in_version": "0:49.1.3-1.amzn2.0.6", + "name": "python3-setuptools", + "package_manager": "OS", + "release": "1.amzn2.0.5", + "remediation": "yum update python3-setuptools", + "version": "49.1.3" + } + ] + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "resources": [ + { + "details": { + "aws": { + "ec2_instance": { + 
"iam_instance_profile_arn": "arn:aws:iam::123451234512:instance-profile/eks-0012345a-1234-5678-1234-6c1abcdef012", + "image_id": "ami-0e0f0123456789abd", + "ipv4_addresses": [ + "10.90.0.42", + "10.90.0.88", + "175.16.199.2", + "10.90.0.57", + "10.90.0.14", + "10.90.0.204", + "10.90.0.59", + "10.90.0.38", + "10.90.0.249", + "10.90.0.147", + "10.90.0.224", + "10.90.0.203", + "10.90.0.253", + "10.90.0.231", + "10.90.0.130", + "10.90.0.186", + "10.90.0.197", + "10.90.0.194", + "10.90.0.170" + ], + "launched_at": "2025-05-29T16:04:40.000Z", + "platform": "AMAZON_LINUX_2", + "subnet_id": "subnet-0ababcdefabcdef11", + "type": "t3.medium", + "vpc_id": "vpc-04ab0123456789123" + } + } + }, + "id": "i-020babcdefabcdefd", + "partition": "aws", + "region": "us-east-2", + "tags": { + "aws:autoscaling:groupName": "eks-sei_demo_prod_linux-00c12345-abcd-1234-5678-601234567896", + "aws:ec2launchtemplate:version": "6", + "aws:eks:cluster-name": "sei_demo_prod", + "eks:cluster-name": "sei_demo_prod", + "eks:nodegroup-name": "sei_demo_prod_linux", + "k8s.io/cluster-autoscaler/enabled": "true", + "k8s.io/cluster-autoscaler/sei_demo_prod": "owned", + "kubernetes.io/cluster/sei_demo_prod": "owned" + }, + "type": "AWS_EC2_INSTANCE" + } + ], + "severity": "HIGH", + "status": "ACTIVE", + "title": "CVE-2025-47273 - python2-setuptools, python3-setuptools", + "transform_unique_id": "CVE-2025-47273|i-020babcdefabcdefd|{0=python2-setuptools, 1=python3-setuptools}|{0=41.2.0, 1=49.1.3}", + "type": "PACKAGE_VULNERABILITY", + "updated_at": "2025-06-13T06:24:55.486Z" + } + }, + "cloud": { + "account": { + "id": "123451234512" + }, + "instance": { + "id": "i-020babcdefabcdefd" + }, + "machine": { + "type": "t3.medium" + }, + "provider": "aws", + "region": "us-east-2" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "id": "CVE-2025-47273|i-020babcdefabcdefd|{0=python2-setuptools, 1=python3-setuptools}|{0=41.2.0, 1=49.1.3}|2025-06-13T06:24:55.486Z", + 
"kind": "event", + "original": "{\"awsAccountId\":\"123451234512\",\"description\":\"setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in `PackageIndex` is present in setuptools prior to version 78.1.1. An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to remote code execution depending on the context. Version 78.1.1 fixes the issue.\",\"epss\":{\"score\":0.00435},\"exploitAvailable\":\"NO\",\"findingArn\":\"arn:aws:inspector2:us-east-2:123451234512:finding/b677cabcdef0123456789abcdef72108\",\"firstObservedAt\":1749795895.486,\"fixAvailable\":\"YES\",\"inspectorScore\":7.5,\"inspectorScoreDetails\":{\"adjustedCvss\":{\"adjustments\":[],\"cvssSource\":\"AMAZON_CVE\",\"score\":7.5,\"scoreSource\":\"AMAZON_CVE\",\"scoringVector\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\",\"version\":\"3.1\"}},\"lastObservedAt\":1749795895.486,\"packageVulnerabilityDetails\":{\"cvss\":[{\"baseScore\":7.5,\"scoringVector\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\",\"source\":\"AMAZON_CVE\",\"version\":\"3.1\"},{\"baseScore\":8.8,\"scoringVector\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"source\":\"NVD\",\"version\":\"3.1\"}],\"referenceUrls\":[\"https://alas.aws.amazon.com/AL2023/ALAS-2025-1005.html\",\"https://alas.aws.amazon.com/AL2/ALAS-2025-2877.html\",\"https://alas.aws.amazon.com/AL2023/ALAS-2025-1003.html\",\"https://alas.aws.amazon.com/cve/json/v1/CVE-2025-47273.json\",\"https://alas.aws.amazon.com/AL2023/ALAS-2025-1004.html\",\"https://alas.aws.amazon.com/AL2/ALAS-2025-2876.html\"],\"relatedVulnerabilities\":[\"ALAS2-2025-2877\",\"ALAS2-2025-2876\",\"ALAS2023-2025-1004\",\"ALAS2023-2025-1005\",\"ALAS2023-2025-1003\"],\"source\":\"AMAZON_CVE\",\"sourceUrl\":\"https://alas.aws.amazon.com/cve/json/v1/CVE-2025-47273.json\",\"vendorCreatedAt\":1747440000,
\"vendorSeverity\":\"Important\",\"vendorUpdatedAt\":1748822400,\"vulnerabilityId\":\"CVE-2025-47273\",\"vulnerablePackages\":[{\"arch\":\"NOARCH\",\"epoch\":0,\"fixedInVersion\":\"0:41.2.0-4.amzn2.0.6\",\"name\":\"python2-setuptools\",\"packageManager\":\"OS\",\"release\":\"4.amzn2.0.5\",\"remediation\":\"yum update python2-setuptools\",\"version\":\"41.2.0\"},{\"arch\":\"NOARCH\",\"epoch\":0,\"fixedInVersion\":\"0:49.1.3-1.amzn2.0.6\",\"name\":\"python3-setuptools\",\"packageManager\":\"OS\",\"release\":\"1.amzn2.0.5\",\"remediation\":\"yum update python3-setuptools\",\"version\":\"49.1.3\"}]},\"remediation\":{\"recommendation\":{\"text\":\"None Provided\"}},\"resources\":[{\"details\":{\"awsEc2Instance\":{\"iamInstanceProfileArn\":\"arn:aws:iam::123451234512:instance-profile/eks-0012345a-1234-5678-1234-6c1abcdef012\",\"imageId\":\"ami-0e0f0123456789abd\",\"ipV4Addresses\":[\"10.90.0.42\",\"10.90.0.88\",\"175.16.199.2\",\"10.90.0.57\",\"10.90.0.14\",\"10.90.0.204\",\"10.90.0.59\",\"10.90.0.38\",\"10.90.0.249\",\"10.90.0.147\",\"10.90.0.224\",\"10.90.0.203\",\"10.90.0.253\",\"10.90.0.231\",\"10.90.0.130\",\"10.90.0.186\",\"10.90.0.197\",\"10.90.0.194\",\"10.90.0.170\"],\"ipV6Addresses\":[],\"launchedAt\":1748534680,\"platform\":\"AMAZON_LINUX_2\",\"subnetId\":\"subnet-0ababcdefabcdef11\",\"type\":\"t3.medium\",\"vpcId\":\"vpc-04ab0123456789123\"}},\"id\":\"i-020babcdefabcdefd\",\"partition\":\"aws\",\"region\":\"us-east-2\",\"tags\":{\"aws:autoscaling:groupName\":\"eks-sei_demo_prod_linux-00c12345-abcd-1234-5678-601234567896\",\"aws:ec2launchtemplate:version\":\"6\",\"aws:eks:cluster-name\":\"sei_demo_prod\",\"eks:cluster-name\":\"sei_demo_prod\",\"eks:nodegroup-name\":\"sei_demo_prod_linux\",\"k8s.io/cluster-autoscaler/enabled\":\"true\",\"k8s.io/cluster-autoscaler/sei_demo_prod\":\"owned\",\"kubernetes.io/cluster/sei_demo_prod\":\"owned\"},\"type\":\"AWS_EC2_INSTANCE\"}],\"severity\":\"HIGH\",\"status\":\"ACTIVE\",\"title\":\"CVE-2025-47273 - python2-setuptools, 
python3-setuptools\",\"type\":\"PACKAGE_VULNERABILITY\",\"updatedAt\":1749795895.486}", + "type": [ + "info" + ] + }, + "host": { + "id": "i-020babcdefabcdefd", + "ip": [ + "10.90.0.42", + "10.90.0.88", + "175.16.199.2", + "10.90.0.57", + "10.90.0.14", + "10.90.0.204", + "10.90.0.59", + "10.90.0.38", + "10.90.0.249", + "10.90.0.147", + "10.90.0.224", + "10.90.0.203", + "10.90.0.253", + "10.90.0.231", + "10.90.0.130", + "10.90.0.186", + "10.90.0.197", + "10.90.0.194", + "10.90.0.170" + ], + "os": { + "platform": "AMAZON_LINUX_2", + "type": "linux" + }, + "type": "t3.medium" + }, + "message": "setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in `PackageIndex` is present in setuptools prior to version 78.1.1. An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to remote code execution depending on the context. 
Version 78.1.1 fixes the issue.", + "observer": { + "vendor": "Amazon Inspector" + }, + "package": { + "architecture": [ + "NOARCH" + ], + "fixed_version": [ + "0:41.2.0-4.amzn2.0.6", + "0:49.1.3-1.amzn2.0.6" + ], + "name": [ + "python2-setuptools", + "python3-setuptools" + ], + "version": [ + "41.2.0", + "49.1.3" + ] + }, + "related": { + "ip": [ + "10.90.0.42", + "10.90.0.88", + "175.16.199.2", + "10.90.0.57", + "10.90.0.14", + "10.90.0.204", + "10.90.0.59", + "10.90.0.38", + "10.90.0.249", + "10.90.0.147", + "10.90.0.224", + "10.90.0.203", + "10.90.0.253", + "10.90.0.231", + "10.90.0.130", + "10.90.0.186", + "10.90.0.197", + "10.90.0.194", + "10.90.0.170" + ] + }, + "resource": { + "id": "i-020babcdefabcdefd", + "type": "AWS_EC2_INSTANCE" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "description": "setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in `PackageIndex` is present in setuptools prior to version 78.1.1. An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to remote code execution depending on the context. 
Version 78.1.1 fixes the issue.", + "id": "CVE-2025-47273", + "published_date": "2025-05-17T00:00:00.000Z", + "reference": [ + "https://alas.aws.amazon.com/AL2023/ALAS-2025-1005.html", + "https://alas.aws.amazon.com/AL2/ALAS-2025-2877.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2025-1003.html", + "https://alas.aws.amazon.com/cve/json/v1/CVE-2025-47273.json", + "https://alas.aws.amazon.com/AL2023/ALAS-2025-1004.html", + "https://alas.aws.amazon.com/AL2/ALAS-2025-2876.html" + ], + "scanner": { + "vendor": "Amazon Inspector" + }, + "score": { + "base": 7.5, + "version": "3.1" + }, + "severity": "High", + "title": "CVE-2025-47273 - python2-setuptools, python3-setuptools" + } + }, + { + "@timestamp": "2025-06-13T06:24:55.486Z", + "aws": { + "inspector": { + "aws_account_id": "123451234512", + "description": "When an input DER data contains a large number of SEQUENCE OF or SET OF elements, decoding the data and searching a specific element in it take quadratic time to complete. This could be utilized for a remote DoS attack by presenting a crafted certificate to the network peer.", + "epss": { + "score": 0.00103 + }, + "exploit_available": "NO", + "finding_arn": "arn:aws:inspector2:us-east-2:123451234512:finding/6fabcdef0123456789abcdef5e93504a", + "first_observed_at": "2025-06-13T06:24:55.486Z", + "fix_available": "YES", + "inspector_score": 5.3, + "inspector_score_details": { + "adjusted_cvss": { + "cvss_source": "AMAZON_CVE", + "score": { + "source": "AMAZON_CVE", + "value": 5.3 + }, + "scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "version": "3.1" + } + }, + "last_observed_at": "2025-06-13T06:24:55.486Z", + "package_nested": [ + { + "arch": "X86_64", + "epoch": 0, + "fixed_in_version": "0:4.10-1.amzn2.0.7", + "name": "libtasn1", + "package_manager": "OS", + "release": "1.amzn2.0.6", + "remediation": "yum update libtasn1", + "version": "4.10" + } + ], + "package_vulnerability_details": { + "cvss": [ + { + "base_score": 5.3, + 
"scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "source": "AMAZON_CVE", + "version": "3.1" + }, + { + "base_score": 5.3, + "scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "source": "NVD", + "version": "3.1" + } + ], + "reference_urls": [ + "https://alas.aws.amazon.com/AL2023/ALAS-2025-989.html", + "https://alas.aws.amazon.com/AL2/ALAS-2025-2886.html", + "https://alas.aws.amazon.com/cve/json/v1/CVE-2024-12133.json" + ], + "related_vulnerabilities": [ + "ALAS2-2025-2886", + "ALAS2023-2025-989" + ], + "source": { + "url": { + "domain": "alas.aws.amazon.com", + "extension": "json", + "original": "https://alas.aws.amazon.com/cve/json/v1/CVE-2024-12133.json", + "path": "/cve/json/v1/CVE-2024-12133.json", + "scheme": "https" + }, + "value": "AMAZON_CVE" + }, + "vendor": { + "created_at": "2025-02-08T00:00:00.000Z", + "severity": "Medium", + "updated_at": "2025-05-09T00:00:00.000Z" + }, + "vulnerability_id": "CVE-2024-12133", + "vulnerable_packages": [ + { + "arch": "X86_64", + "epoch": 0, + "fixed_in_version": "0:4.10-1.amzn2.0.7", + "name": "libtasn1", + "package_manager": "OS", + "release": "1.amzn2.0.6", + "remediation": "yum update libtasn1", + "version": "4.10" + } + ] + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "resources": [ + { + "details": { + "aws": { + "ec2_instance": { + "iam_instance_profile_arn": "arn:aws:iam::123451234512:instance-profile/eks-0012345a-1234-5678-1234-6c1abcdef012", + "image_id": "ami-0e0f0123456789abd", + "ipv4_addresses": [ + "10.90.0.42", + "10.90.0.88", + "175.16.199.3", + "10.90.0.57", + "10.90.0.14", + "10.90.0.204", + "10.90.0.59", + "10.90.0.38", + "10.90.0.249", + "10.90.0.147", + "10.90.0.224", + "10.90.0.203", + "10.90.0.253", + "10.90.0.231", + "10.90.0.130", + "10.90.0.186", + "10.90.0.197", + "10.90.0.194", + "10.90.0.170" + ], + "launched_at": "2025-05-29T16:04:40.000Z", + "platform": "AMAZON_LINUX_2", + "subnet_id": "subnet-0ababcdefabcdef11", + 
"type": "t3.medium", + "vpc_id": "vpc-04ab0123456789123" + } + } + }, + "id": "i-020babcdefabcdefd", + "partition": "aws", + "region": "us-east-2", + "tags": { + "aws:autoscaling:groupName": "eks-sei_demo_prod_linux-00c12345-abcd-1234-5678-601234567896", + "aws:ec2launchtemplate:version": "6", + "aws:eks:cluster-name": "sei_demo_prod", + "eks:cluster-name": "sei_demo_prod", + "eks:nodegroup-name": "sei_demo_prod_linux", + "k8s.io/cluster-autoscaler/enabled": "true", + "k8s.io/cluster-autoscaler/sei_demo_prod": "owned", + "kubernetes.io/cluster/sei_demo_prod": "owned" + }, + "type": "AWS_EC2_INSTANCE" + } + ], + "severity": "MEDIUM", + "status": "ACTIVE", + "title": "CVE-2024-12133 - libtasn1", + "transform_unique_id": "CVE-2024-12133|i-020babcdefabcdefd|{0=libtasn1}|{0=4.10}", + "type": "PACKAGE_VULNERABILITY", + "updated_at": "2025-06-13T06:24:55.486Z" + } + }, + "cloud": { + "account": { + "id": "123451234512" + }, + "instance": { + "id": "i-020babcdefabcdefd" + }, + "machine": { + "type": "t3.medium" + }, + "provider": "aws", + "region": "us-east-2" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "id": "CVE-2024-12133|i-020babcdefabcdefd|{0=libtasn1}|{0=4.10}|2025-06-13T06:24:55.486Z", + "kind": "event", + "original": "{\"awsAccountId\":\"123451234512\",\"description\":\"When an input DER data contains a large number of SEQUENCE OF or SET OF elements, decoding the data and searching a specific element in it take quadratic time to complete. 
This could be utilized for a remote DoS attack by presenting a crafted certificate to the network peer.\",\"epss\":{\"score\":0.00103},\"exploitAvailable\":\"NO\",\"findingArn\":\"arn:aws:inspector2:us-east-2:123451234512:finding/6fabcdef0123456789abcdef5e93504a\",\"firstObservedAt\":1749795895.486,\"fixAvailable\":\"YES\",\"inspectorScore\":5.3,\"inspectorScoreDetails\":{\"adjustedCvss\":{\"adjustments\":[],\"cvssSource\":\"AMAZON_CVE\",\"score\":5.3,\"scoreSource\":\"AMAZON_CVE\",\"scoringVector\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\",\"version\":\"3.1\"}},\"lastObservedAt\":1749795895.486,\"packageVulnerabilityDetails\":{\"cvss\":[{\"baseScore\":5.3,\"scoringVector\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\",\"source\":\"AMAZON_CVE\",\"version\":\"3.1\"},{\"baseScore\":5.3,\"scoringVector\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\",\"source\":\"NVD\",\"version\":\"3.1\"}],\"referenceUrls\":[\"https://alas.aws.amazon.com/AL2023/ALAS-2025-989.html\",\"https://alas.aws.amazon.com/AL2/ALAS-2025-2886.html\",\"https://alas.aws.amazon.com/cve/json/v1/CVE-2024-12133.json\"],\"relatedVulnerabilities\":[\"ALAS2-2025-2886\",\"ALAS2023-2025-989\"],\"source\":\"AMAZON_CVE\",\"sourceUrl\":\"https://alas.aws.amazon.com/cve/json/v1/CVE-2024-12133.json\",\"vendorCreatedAt\":1738972800,\"vendorSeverity\":\"Medium\",\"vendorUpdatedAt\":1746748800,\"vulnerabilityId\":\"CVE-2024-12133\",\"vulnerablePackages\":[{\"arch\":\"X86_64\",\"epoch\":0,\"fixedInVersion\":\"0:4.10-1.amzn2.0.7\",\"name\":\"libtasn1\",\"packageManager\":\"OS\",\"release\":\"1.amzn2.0.6\",\"remediation\":\"yum update libtasn1\",\"version\":\"4.10\"}]},\"remediation\":{\"recommendation\":{\"text\":\"None 
Provided\"}},\"resources\":[{\"details\":{\"awsEc2Instance\":{\"iamInstanceProfileArn\":\"arn:aws:iam::123451234512:instance-profile/eks-0012345a-1234-5678-1234-6c1abcdef012\",\"imageId\":\"ami-0e0f0123456789abd\",\"ipV4Addresses\":[\"10.90.0.42\",\"10.90.0.88\",\"175.16.199.3\",\"10.90.0.57\",\"10.90.0.14\",\"10.90.0.204\",\"10.90.0.59\",\"10.90.0.38\",\"10.90.0.249\",\"10.90.0.147\",\"10.90.0.224\",\"10.90.0.203\",\"10.90.0.253\",\"10.90.0.231\",\"10.90.0.130\",\"10.90.0.186\",\"10.90.0.197\",\"10.90.0.194\",\"10.90.0.170\"],\"ipV6Addresses\":[],\"launchedAt\":1748534680,\"platform\":\"AMAZON_LINUX_2\",\"subnetId\":\"subnet-0ababcdefabcdef11\",\"type\":\"t3.medium\",\"vpcId\":\"vpc-04ab0123456789123\"}},\"id\":\"i-020babcdefabcdefd\",\"partition\":\"aws\",\"region\":\"us-east-2\",\"tags\":{\"aws:autoscaling:groupName\":\"eks-sei_demo_prod_linux-00c12345-abcd-1234-5678-601234567896\",\"aws:ec2launchtemplate:version\":\"6\",\"aws:eks:cluster-name\":\"sei_demo_prod\",\"eks:cluster-name\":\"sei_demo_prod\",\"eks:nodegroup-name\":\"sei_demo_prod_linux\",\"k8s.io/cluster-autoscaler/enabled\":\"true\",\"k8s.io/cluster-autoscaler/sei_demo_prod\":\"owned\",\"kubernetes.io/cluster/sei_demo_prod\":\"owned\"},\"type\":\"AWS_EC2_INSTANCE\"}],\"severity\":\"MEDIUM\",\"status\":\"ACTIVE\",\"title\":\"CVE-2024-12133 - libtasn1\",\"type\":\"PACKAGE_VULNERABILITY\",\"updatedAt\":1749795895.486}", + "type": [ + "info" + ] + }, + "host": { + "id": "i-020babcdefabcdefd", + "ip": [ + "10.90.0.42", + "10.90.0.88", + "175.16.199.3", + "10.90.0.57", + "10.90.0.14", + "10.90.0.204", + "10.90.0.59", + "10.90.0.38", + "10.90.0.249", + "10.90.0.147", + "10.90.0.224", + "10.90.0.203", + "10.90.0.253", + "10.90.0.231", + "10.90.0.130", + "10.90.0.186", + "10.90.0.197", + "10.90.0.194", + "10.90.0.170" + ], + "os": { + "platform": "AMAZON_LINUX_2", + "type": "linux" + }, + "type": "t3.medium" + }, + "message": "When an input DER data contains a large number of SEQUENCE OF or SET OF elements, 
decoding the data and searching a specific element in it take quadratic time to complete. This could be utilized for a remote DoS attack by presenting a crafted certificate to the network peer.", + "observer": { + "vendor": "Amazon Inspector" + }, + "package": { + "architecture": [ + "X86_64" + ], + "fixed_version": [ + "0:4.10-1.amzn2.0.7" + ], + "name": [ + "libtasn1" + ], + "version": [ + "4.10" + ] + }, + "related": { + "ip": [ + "10.90.0.42", + "10.90.0.88", + "175.16.199.3", + "10.90.0.57", + "10.90.0.14", + "10.90.0.204", + "10.90.0.59", + "10.90.0.38", + "10.90.0.249", + "10.90.0.147", + "10.90.0.224", + "10.90.0.203", + "10.90.0.253", + "10.90.0.231", + "10.90.0.130", + "10.90.0.186", + "10.90.0.197", + "10.90.0.194", + "10.90.0.170" + ] + }, + "resource": { + "id": "i-020babcdefabcdefd", + "type": "AWS_EC2_INSTANCE" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "description": "When an input DER data contains a large number of SEQUENCE OF or SET OF elements, decoding the data and searching a specific element in it take quadratic time to complete. 
This could be utilized for a remote DoS attack by presenting a crafted certificate to the network peer.", + "id": "CVE-2024-12133", + "published_date": "2025-02-08T00:00:00.000Z", + "reference": [ + "https://alas.aws.amazon.com/AL2023/ALAS-2025-989.html", + "https://alas.aws.amazon.com/AL2/ALAS-2025-2886.html", + "https://alas.aws.amazon.com/cve/json/v1/CVE-2024-12133.json" + ], + "scanner": { + "vendor": "Amazon Inspector" + }, + "score": { + "base": 5.3, + "version": "3.1" + }, + "severity": "Medium", + "title": "CVE-2024-12133 - libtasn1" + } + }, + { + "@timestamp": "2025-06-13T06:24:55.486Z", + "aws": { + "inspector": { + "aws_account_id": "123451256789", + "description": "Thread creation while a directory handle is open does a fchdir, affecting other threads (race condition)", + "epss": { + "score": 1.5E-4 + }, + "exploit_available": "NO", + "finding_arn": "arn:aws:inspector2:us-east-2:123451256789:finding/5f7abcdef0123456789abcdef1e80328", + "first_observed_at": "2025-06-13T06:24:55.486Z", + "fix_available": "YES", + "inspector_score": 7.0, + "inspector_score_details": { + "adjusted_cvss": { + "cvss_source": "AMAZON_CVE", + "score": { + "source": "AMAZON_CVE", + "value": 7.0 + }, + "scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", + "version": "3.1" + } + }, + "last_observed_at": "2025-06-13T06:24:55.486Z", + "package_nested": [ + { + "arch": "X86_64", + "epoch": 4, + "fixed_in_version": "4:5.16.3-299.amzn2.0.3", + "name": "perl", + "package_manager": "OS", + "release": "299.amzn2.0.2", + "remediation": "yum update perl", + "version": "5.16.3" + }, + { + "arch": "NOARCH", + "epoch": 1, + "fixed_in_version": "1:1.04-299.amzn2.0.3", + "name": "perl-Pod-Escapes", + "package_manager": "OS", + "release": "299.amzn2.0.2", + "remediation": "yum update perl-Pod-Escapes", + "version": "1.04" + }, + { + "arch": "X86_64", + "epoch": 4, + "fixed_in_version": "4:5.16.3-299.amzn2.0.3", + "name": "perl-libs", + "package_manager": "OS", + "release": 
"299.amzn2.0.2", + "remediation": "yum update perl-libs", + "version": "5.16.3" + }, + { + "arch": "X86_64", + "epoch": 4, + "fixed_in_version": "4:5.16.3-299.amzn2.0.3", + "name": "perl-macros", + "package_manager": "OS", + "release": "299.amzn2.0.2", + "remediation": "yum update perl-macros", + "version": "5.16.3" + } + ], + "package_vulnerability_details": { + "cvss": [ + { + "base_score": 7.0, + "scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": "AMAZON_CVE", + "version": "3.1" + }, + { + "base_score": 5.9, + "scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "source": "NVD", + "version": "3.1" + } + ], + "reference_urls": [ + "https://alas.aws.amazon.com/cve/json/v1/CVE-2025-40909.json", + "https://alas.aws.amazon.com/AL2023/ALAS-2025-1007.html", + "https://alas.aws.amazon.com/AL2/ALAS-2025-2879.html", + "https://alas.aws.amazon.com/ALAS-2025-1981.html" + ], + "related_vulnerabilities": [ + "ALAS-2025-1981", + "ALAS2023-2025-1007", + "ALAS2-2025-2879" + ], + "source": { + "url": { + "domain": "alas.aws.amazon.com", + "extension": "json", + "original": "https://alas.aws.amazon.com/cve/json/v1/CVE-2025-40909.json", + "path": "/cve/json/v1/CVE-2025-40909.json", + "scheme": "https" + }, + "value": "AMAZON_CVE" + }, + "vendor": { + "created_at": "2025-05-28T00:00:00.000Z", + "severity": "Important", + "updated_at": "2025-05-28T00:00:00.000Z" + }, + "vulnerability_id": "CVE-2025-40909", + "vulnerable_packages": [ + { + "arch": "X86_64", + "epoch": 4, + "fixed_in_version": "4:5.16.3-299.amzn2.0.3", + "name": "perl", + "package_manager": "OS", + "release": "299.amzn2.0.2", + "remediation": "yum update perl", + "version": "5.16.3" + }, + { + "arch": "NOARCH", + "epoch": 1, + "fixed_in_version": "1:1.04-299.amzn2.0.3", + "name": "perl-Pod-Escapes", + "package_manager": "OS", + "release": "299.amzn2.0.2", + "remediation": "yum update perl-Pod-Escapes", + "version": "1.04" + }, + { + "arch": "X86_64", + "epoch": 4, + 
"fixed_in_version": "4:5.16.3-299.amzn2.0.3", + "name": "perl-libs", + "package_manager": "OS", + "release": "299.amzn2.0.2", + "remediation": "yum update perl-libs", + "version": "5.16.3" + }, + { + "arch": "X86_64", + "epoch": 4, + "fixed_in_version": "4:5.16.3-299.amzn2.0.3", + "name": "perl-macros", + "package_manager": "OS", + "release": "299.amzn2.0.2", + "remediation": "yum update perl-macros", + "version": "5.16.3" + } + ] + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "resources": [ + { + "details": { + "aws": { + "ec2_instance": { + "iam_instance_profile_arn": "arn:aws:iam::123451256789:instance-profile/eks-0012345a-1234-5678-1234-6c1abcdef012", + "image_id": "ami-0e0f0123456789abd", + "ipv4_addresses": [ + "10.90.0.42", + "10.90.0.88", + "175.16.199.3", + "10.90.0.57", + "10.90.0.14", + "10.90.0.204", + "10.90.0.59", + "10.90.0.38", + "10.90.0.249", + "10.90.0.147", + "10.90.0.224", + "10.90.0.203", + "10.90.0.253", + "10.90.0.231", + "10.90.0.130", + "10.90.0.186", + "10.90.0.197", + "10.90.0.194", + "10.90.0.170" + ], + "launched_at": "2025-05-29T16:04:40.000Z", + "platform": "AMAZON_LINUX_2", + "subnet_id": "subnet-0ababcdefabcdef11", + "type": "t3.medium", + "vpc_id": "vpc-04ab0123456789123" + } + } + }, + "id": "i-020babcdefabcdefd", + "partition": "aws", + "region": "us-east-2", + "tags": { + "aws:autoscaling:groupName": "eks-sei_demo_prod_linux-00c12345-abcd-1234-5678-601234567896", + "aws:ec2launchtemplate:version": "6", + "aws:eks:cluster-name": "sei_demo_prod", + "eks:cluster-name": "sei_demo_prod", + "eks:nodegroup-name": "sei_demo_prod_linux", + "k8s.io/cluster-autoscaler/enabled": "true", + "k8s.io/cluster-autoscaler/sei_demo_prod": "owned", + "kubernetes.io/cluster/sei_demo_prod": "owned" + }, + "type": "AWS_EC2_INSTANCE" + } + ], + "severity": "HIGH", + "status": "ACTIVE", + "title": "CVE-2025-40909 - perl, perl-Pod-Escapes and 2 more", + "transform_unique_id": 
"CVE-2025-40909|i-020babcdefabcdefd|{0=perl, 1=perl-Pod-Escapes, 2=perl-libs, 3=perl-macros}|{0=5.16.3, 1=1.04}", + "type": "PACKAGE_VULNERABILITY", + "updated_at": "2025-06-13T06:24:55.486Z" + } + }, + "cloud": { + "account": { + "id": "123451256789" + }, + "instance": { + "id": "i-020babcdefabcdefd" + }, + "machine": { + "type": "t3.medium" + }, + "provider": "aws", + "region": "us-east-2" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "id": "CVE-2025-40909|i-020babcdefabcdefd|{0=perl, 1=perl-Pod-Escapes, 2=perl-libs, 3=perl-macros}|{0=5.16.3, 1=1.04}|2025-06-13T06:24:55.486Z", + "kind": "event", + "original": "{\"awsAccountId\":\"123451256789\",\"description\":\"Thread creation while a directory handle is open does a fchdir, affecting other threads (race condition)\",\"epss\":{\"score\":0.00015},\"exploitAvailable\":\"NO\",\"findingArn\":\"arn:aws:inspector2:us-east-2:123451256789:finding/5f7abcdef0123456789abcdef1e80328\",\"firstObservedAt\":1749795895.486,\"fixAvailable\":\"YES\",\"inspectorScore\":7,\"inspectorScoreDetails\":{\"adjustedCvss\":{\"adjustments\":[],\"cvssSource\":\"AMAZON_CVE\",\"score\":7,\"scoreSource\":\"AMAZON_CVE\",\"scoringVector\":\"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"version\":\"3.1\"}},\"lastObservedAt\":1749795895.486,\"packageVulnerabilityDetails\":{\"cvss\":[{\"baseScore\":7,\"scoringVector\":\"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"source\":\"AMAZON_CVE\",\"version\":\"3.1\"},{\"baseScore\":5.9,\"scoringVector\":\"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L\",\"source\":\"NVD\",\"version\":\"3.1\"}],\"referenceUrls\":[\"https://alas.aws.amazon.com/cve/json/v1/CVE-2025-40909.json\",\"https://alas.aws.amazon.com/AL2023/ALAS-2025-1007.html\",\"https://alas.aws.amazon.com/AL2/ALAS-2025-2879.html\",\"https://alas.aws.amazon.com/ALAS-2025-1981.html\"],\"relatedVulnerabilities\":[\"ALAS-2025-1981\",\"ALAS2023-2025-1007\",\"ALAS2-2025-2879\"],\"source\":\"AMAZON_CVE\",
\"sourceUrl\":\"https://alas.aws.amazon.com/cve/json/v1/CVE-2025-40909.json\",\"vendorCreatedAt\":1748390400,\"vendorSeverity\":\"Important\",\"vendorUpdatedAt\":1748390400,\"vulnerabilityId\":\"CVE-2025-40909\",\"vulnerablePackages\":[{\"arch\":\"X86_64\",\"epoch\":4,\"fixedInVersion\":\"4:5.16.3-299.amzn2.0.3\",\"name\":\"perl\",\"packageManager\":\"OS\",\"release\":\"299.amzn2.0.2\",\"remediation\":\"yum update perl\",\"version\":\"5.16.3\"},{\"arch\":\"NOARCH\",\"epoch\":1,\"fixedInVersion\":\"1:1.04-299.amzn2.0.3\",\"name\":\"perl-Pod-Escapes\",\"packageManager\":\"OS\",\"release\":\"299.amzn2.0.2\",\"remediation\":\"yum update perl-Pod-Escapes\",\"version\":\"1.04\"},{\"arch\":\"X86_64\",\"epoch\":4,\"fixedInVersion\":\"4:5.16.3-299.amzn2.0.3\",\"name\":\"perl-libs\",\"packageManager\":\"OS\",\"release\":\"299.amzn2.0.2\",\"remediation\":\"yum update perl-libs\",\"version\":\"5.16.3\"},{\"arch\":\"X86_64\",\"epoch\":4,\"fixedInVersion\":\"4:5.16.3-299.amzn2.0.3\",\"name\":\"perl-macros\",\"packageManager\":\"OS\",\"release\":\"299.amzn2.0.2\",\"remediation\":\"yum update perl-macros\",\"version\":\"5.16.3\"}]},\"remediation\":{\"recommendation\":{\"text\":\"None 
Provided\"}},\"resources\":[{\"details\":{\"awsEc2Instance\":{\"iamInstanceProfileArn\":\"arn:aws:iam::123451256789:instance-profile/eks-0012345a-1234-5678-1234-6c1abcdef012\",\"imageId\":\"ami-0e0f0123456789abd\",\"ipV4Addresses\":[\"10.90.0.42\",\"10.90.0.88\",\"175.16.199.3\",\"10.90.0.57\",\"10.90.0.14\",\"10.90.0.204\",\"10.90.0.59\",\"10.90.0.38\",\"10.90.0.249\",\"10.90.0.147\",\"10.90.0.224\",\"10.90.0.203\",\"10.90.0.253\",\"10.90.0.231\",\"10.90.0.130\",\"10.90.0.186\",\"10.90.0.197\",\"10.90.0.194\",\"10.90.0.170\"],\"ipV6Addresses\":[],\"launchedAt\":1748534680,\"platform\":\"AMAZON_LINUX_2\",\"subnetId\":\"subnet-0ababcdefabcdef11\",\"type\":\"t3.medium\",\"vpcId\":\"vpc-04ab0123456789123\"}},\"id\":\"i-020babcdefabcdefd\",\"partition\":\"aws\",\"region\":\"us-east-2\",\"tags\":{\"aws:autoscaling:groupName\":\"eks-sei_demo_prod_linux-00c12345-abcd-1234-5678-601234567896\",\"aws:ec2launchtemplate:version\":\"6\",\"aws:eks:cluster-name\":\"sei_demo_prod\",\"eks:cluster-name\":\"sei_demo_prod\",\"eks:nodegroup-name\":\"sei_demo_prod_linux\",\"k8s.io/cluster-autoscaler/enabled\":\"true\",\"k8s.io/cluster-autoscaler/sei_demo_prod\":\"owned\",\"kubernetes.io/cluster/sei_demo_prod\":\"owned\"},\"type\":\"AWS_EC2_INSTANCE\"}],\"severity\":\"HIGH\",\"status\":\"ACTIVE\",\"title\":\"CVE-2025-40909 - perl, perl-Pod-Escapes and 2 more\",\"type\":\"PACKAGE_VULNERABILITY\",\"updatedAt\":1749795895.486}", + "type": [ + "info" + ] + }, + "host": { + "id": "i-020babcdefabcdefd", + "ip": [ + "10.90.0.42", + "10.90.0.88", + "175.16.199.3", + "10.90.0.57", + "10.90.0.14", + "10.90.0.204", + "10.90.0.59", + "10.90.0.38", + "10.90.0.249", + "10.90.0.147", + "10.90.0.224", + "10.90.0.203", + "10.90.0.253", + "10.90.0.231", + "10.90.0.130", + "10.90.0.186", + "10.90.0.197", + "10.90.0.194", + "10.90.0.170" + ], + "os": { + "platform": "AMAZON_LINUX_2", + "type": "linux" + }, + "type": "t3.medium" + }, + "message": "Thread creation while a directory handle is open does a 
fchdir, affecting other threads (race condition)", + "observer": { + "vendor": "Amazon Inspector" + }, + "package": { + "architecture": [ + "X86_64", + "NOARCH" + ], + "fixed_version": [ + "4:5.16.3-299.amzn2.0.3", + "1:1.04-299.amzn2.0.3" + ], + "name": [ + "perl", + "perl-Pod-Escapes", + "perl-libs", + "perl-macros" + ], + "version": [ + "5.16.3", + "1.04" + ] + }, + "related": { + "ip": [ + "10.90.0.42", + "10.90.0.88", + "175.16.199.3", + "10.90.0.57", + "10.90.0.14", + "10.90.0.204", + "10.90.0.59", + "10.90.0.38", + "10.90.0.249", + "10.90.0.147", + "10.90.0.224", + "10.90.0.203", + "10.90.0.253", + "10.90.0.231", + "10.90.0.130", + "10.90.0.186", + "10.90.0.197", + "10.90.0.194", + "10.90.0.170" + ] + }, + "resource": { + "id": "i-020babcdefabcdefd", + "type": "AWS_EC2_INSTANCE" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "description": "Thread creation while a directory handle is open does a fchdir, affecting other threads (race condition)", + "id": "CVE-2025-40909", + "published_date": "2025-05-28T00:00:00.000Z", + "reference": [ + "https://alas.aws.amazon.com/cve/json/v1/CVE-2025-40909.json", + "https://alas.aws.amazon.com/AL2023/ALAS-2025-1007.html", + "https://alas.aws.amazon.com/AL2/ALAS-2025-2879.html", + "https://alas.aws.amazon.com/ALAS-2025-1981.html" + ], + "scanner": { + "vendor": "Amazon Inspector" + }, + "score": { + "base": 7.0, + "version": "3.1" + }, + "severity": "High", + "title": "CVE-2025-40909 - perl, perl-Pod-Escapes and 2 more" + } + }, + { + "@timestamp": "2025-06-13T06:24:55.486Z", + "aws": { + "inspector": { + "aws_account_id": "123451256789", + "description": "SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.", + "epss": { + "score": 5.1E-4 + }, + "exploit_available": "NO", + 
"finding_arn": "arn:aws:inspector2:us-east-2:123451256789:finding/5329abcdef0123456789abcdef21a4b8", + "first_observed_at": "2025-05-29T17:27:38.967Z", + "fix_available": "YES", + "inspector_score": 7.5, + "inspector_score_details": { + "adjusted_cvss": { + "cvss_source": "NVD", + "score": { + "source": "NVD", + "value": 7.5 + }, + "scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "version": "3.1" + } + }, + "last_observed_at": "2025-06-13T06:24:55.486Z", + "package_nested": [ + { + "arch": "X86_64", + "epoch": 0, + "fixed_in_version": "0:3.3.2299.0-1.amzn2", + "name": "amazon-ssm-agent", + "package_manager": "OS", + "release": "1.amzn2", + "remediation": "yum update amazon-ssm-agent", + "version": "3.3.1957.0" + }, + { + "epoch": 0, + "file_path": "vol-0718e90f4c9530260:/p1:usr/bin/kubelet", + "fixed_in_version": "0.35.0", + "name": "golang.org/x/crypto", + "package_manager": "GOBINARY", + "version": "v0.28.0" + } + ], + "package_vulnerability_details": { + "cvss": [ + { + "base_score": 7.5, + "scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": "NVD", + "version": "3.1" + }, + { + "base_score": 7.5, + "scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": "NVD", + "version": "3.1" + } + ], + "reference_urls": [ + "https://nvd.nist.gov/vuln/detail/CVE-2025-22869", + "https://alas.aws.amazon.com/AL2/ALASDOCKER-2025-053.html", + "https://alas.aws.amazon.com/AL2/ALAS-2025-2883.html", + "https://alas.aws.amazon.com/AL2/ALASNITRO-ENCLAVES-2025-053.html", + "https://alas.aws.amazon.com/AL2/ALASDOCKER-2025-056.html", + "https://alas.aws.amazon.com/cve/json/v1/CVE-2025-22869.json", + "https://alas.aws.amazon.com/AL2/ALASECS-2025-054.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2025-934.html", + "https://alas.aws.amazon.com/ALAS-2025-1982.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2025-1013.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2025-914.html", + 
"https://alas.aws.amazon.com/cve/json/v1/CVE-2025-22869.json" + ], + "source": { + "url": { + "domain": "nvd.nist.gov", + "original": "https://nvd.nist.gov/vuln/detail/CVE-2025-22869", + "path": "/vuln/detail/CVE-2025-22869", + "scheme": "https" + }, + "value": "NVD" + }, + "vendor": { + "created_at": "2025-02-26T08:14:24.000Z", + "severity": "HIGH", + "updated_at": "2025-05-01T19:28:20.000Z" + }, + "vulnerability_id": "CVE-2025-22869", + "vulnerable_packages": [ + { + "arch": "X86_64", + "epoch": 0, + "fixed_in_version": "0:3.3.2299.0-1.amzn2", + "name": "amazon-ssm-agent", + "package_manager": "OS", + "release": "1.amzn2", + "remediation": "yum update amazon-ssm-agent", + "version": "3.3.1957.0" + }, + { + "epoch": 0, + "file_path": "vol-0718e90f4c9530260:/p1:usr/bin/kubelet", + "fixed_in_version": "0.35.0", + "name": "golang.org/x/crypto", + "package_manager": "GOBINARY", + "version": "v0.28.0" + } + ] + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "resources": [ + { + "details": { + "aws": { + "ec2_instance": { + "iam_instance_profile_arn": "arn:aws:iam::123451256789:instance-profile/eks-0012345a-1234-5678-1234-6c1abcdef012", + "image_id": "ami-0e0f0123456789abd", + "ipv4_addresses": [ + "10.90.0.42", + "10.90.0.88", + "175.16.199.1", + "10.90.0.57", + "10.90.0.14", + "10.90.0.204", + "10.90.0.59", + "10.90.0.38", + "10.90.0.249", + "10.90.0.147", + "10.90.0.224", + "10.90.0.203", + "10.90.0.253", + "10.90.0.231", + "10.90.0.130", + "10.90.0.186", + "10.90.0.197", + "10.90.0.194", + "10.90.0.170" + ], + "launched_at": "2025-05-29T16:04:40.000Z", + "platform": "AMAZON_LINUX_2", + "subnet_id": "subnet-0ababcdefabcdef11", + "type": "t3.medium", + "vpc_id": "vpc-04ab0123456789123" + } + } + }, + "id": "i-020babcdefabcdefd", + "partition": "aws", + "region": "us-east-2", + "tags": { + "aws:autoscaling:groupName": "eks-sei_demo_prod_linux-00c12345-abcd-1234-5678-601234567896", + "aws:ec2launchtemplate:version": "6", + 
"aws:eks:cluster-name": "sei_demo_prod", + "eks:cluster-name": "sei_demo_prod", + "eks:nodegroup-name": "sei_demo_prod_linux", + "k8s.io/cluster-autoscaler/enabled": "true", + "k8s.io/cluster-autoscaler/sei_demo_prod": "owned", + "kubernetes.io/cluster/sei_demo_prod": "owned" + }, + "type": "AWS_EC2_INSTANCE" + } + ], + "severity": "HIGH", + "status": "ACTIVE", + "title": "CVE-2025-22869 - amazon-ssm-agent, golang.org/x/crypto", + "transform_unique_id": "CVE-2025-22869|i-020babcdefabcdefd|{0=amazon-ssm-agent, 1=golang.org/x/crypto}|{0=3.3.1957.0, 1=v0.28.0}", + "type": "PACKAGE_VULNERABILITY", + "updated_at": "2025-06-13T06:24:55.486Z" + } + }, + "cloud": { + "account": { + "id": "123451256789" + }, + "instance": { + "id": "i-020babcdefabcdefd" + }, + "machine": { + "type": "t3.medium" + }, + "provider": "aws", + "region": "us-east-2" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "id": "CVE-2025-22869|i-020babcdefabcdefd|{0=amazon-ssm-agent, 1=golang.org/x/crypto}|{0=3.3.1957.0, 1=v0.28.0}|2025-06-13T06:24:55.486Z", + "kind": "event", + "original": "{\"awsAccountId\":\"123451256789\",\"description\":\"SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never 
transmitted.\",\"epss\":{\"score\":0.00051},\"exploitAvailable\":\"NO\",\"findingArn\":\"arn:aws:inspector2:us-east-2:123451256789:finding/5329abcdef0123456789abcdef21a4b8\",\"firstObservedAt\":1748539658.967,\"fixAvailable\":\"YES\",\"inspectorScore\":7.5,\"inspectorScoreDetails\":{\"adjustedCvss\":{\"adjustments\":[],\"cvssSource\":\"NVD\",\"score\":7.5,\"scoreSource\":\"NVD\",\"scoringVector\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"version\":\"3.1\"}},\"lastObservedAt\":1749795895.486,\"packageVulnerabilityDetails\":{\"cvss\":[{\"baseScore\":7.5,\"scoringVector\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"source\":\"NVD\",\"version\":\"3.1\"},{\"baseScore\":7.5,\"scoringVector\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"source\":\"NVD\",\"version\":\"3.1\"}],\"referenceUrls\":[\"https://nvd.nist.gov/vuln/detail/CVE-2025-22869\",\"https://alas.aws.amazon.com/AL2/ALASDOCKER-2025-053.html\",\"https://alas.aws.amazon.com/AL2/ALAS-2025-2883.html\",\"https://alas.aws.amazon.com/AL2/ALASNITRO-ENCLAVES-2025-053.html\",\"https://alas.aws.amazon.com/AL2/ALASDOCKER-2025-056.html\",\"https://alas.aws.amazon.com/cve/json/v1/CVE-2025-22869.json\",\"https://alas.aws.amazon.com/AL2/ALASECS-2025-054.html\",\"https://alas.aws.amazon.com/AL2023/ALAS-2025-934.html\",\"https://alas.aws.amazon.com/ALAS-2025-1982.html\",\"https://alas.aws.amazon.com/AL2023/ALAS-2025-1013.html\",\"https://alas.aws.amazon.com/AL2023/ALAS-2025-914.html\",\"https://alas.aws.amazon.com/cve/json/v1/CVE-2025-22869.json\"],\"relatedVulnerabilities\":[],\"source\":\"NVD\",\"sourceUrl\":\"https://nvd.nist.gov/vuln/detail/CVE-2025-22869\",\"vendorCreatedAt\":1740557664,\"vendorSeverity\":\"HIGH\",\"vendorUpdatedAt\":1746127700,\"vulnerabilityId\":\"CVE-2025-22869\",\"vulnerablePackages\":[{\"arch\":\"X86_64\",\"epoch\":0,\"fixedInVersion\":\"0:3.3.2299.0-1.amzn2\",\"name\":\"amazon-ssm-agent\",\"packageManager\":\"OS\",\"release\":\"1.amzn2\",\"remediation\":\"yum update 
amazon-ssm-agent\",\"version\":\"3.3.1957.0\"},{\"epoch\":0,\"filePath\":\"vol-0718e90f4c9530260:/p1:usr/bin/kubelet\",\"fixedInVersion\":\"0.35.0\",\"name\":\"golang.org/x/crypto\",\"packageManager\":\"GOBINARY\",\"version\":\"v0.28.0\"}]},\"remediation\":{\"recommendation\":{\"text\":\"None Provided\"}},\"resources\":[{\"details\":{\"awsEc2Instance\":{\"iamInstanceProfileArn\":\"arn:aws:iam::123451256789:instance-profile/eks-0012345a-1234-5678-1234-6c1abcdef012\",\"imageId\":\"ami-0e0f0123456789abd\",\"ipV4Addresses\":[\"10.90.0.42\",\"10.90.0.88\",\"175.16.199.1\",\"10.90.0.57\",\"10.90.0.14\",\"10.90.0.204\",\"10.90.0.59\",\"10.90.0.38\",\"10.90.0.249\",\"10.90.0.147\",\"10.90.0.224\",\"10.90.0.203\",\"10.90.0.253\",\"10.90.0.231\",\"10.90.0.130\",\"10.90.0.186\",\"10.90.0.197\",\"10.90.0.194\",\"10.90.0.170\"],\"ipV6Addresses\":[],\"launchedAt\":1748534680,\"platform\":\"AMAZON_LINUX_2\",\"subnetId\":\"subnet-0ababcdefabcdef11\",\"type\":\"t3.medium\",\"vpcId\":\"vpc-04ab0123456789123\"}},\"id\":\"i-020babcdefabcdefd\",\"partition\":\"aws\",\"region\":\"us-east-2\",\"tags\":{\"aws:autoscaling:groupName\":\"eks-sei_demo_prod_linux-00c12345-abcd-1234-5678-601234567896\",\"aws:ec2launchtemplate:version\":\"6\",\"aws:eks:cluster-name\":\"sei_demo_prod\",\"eks:cluster-name\":\"sei_demo_prod\",\"eks:nodegroup-name\":\"sei_demo_prod_linux\",\"k8s.io/cluster-autoscaler/enabled\":\"true\",\"k8s.io/cluster-autoscaler/sei_demo_prod\":\"owned\",\"kubernetes.io/cluster/sei_demo_prod\":\"owned\"},\"type\":\"AWS_EC2_INSTANCE\"}],\"severity\":\"HIGH\",\"status\":\"ACTIVE\",\"title\":\"CVE-2025-22869 - amazon-ssm-agent, golang.org/x/crypto\",\"type\":\"PACKAGE_VULNERABILITY\",\"updatedAt\":1749795895.486}", + "type": [ + "info" + ] + }, + "host": { + "id": "i-020babcdefabcdefd", + "ip": [ + "10.90.0.42", + "10.90.0.88", + "175.16.199.1", + "10.90.0.57", + "10.90.0.14", + "10.90.0.204", + "10.90.0.59", + "10.90.0.38", + "10.90.0.249", + "10.90.0.147", + "10.90.0.224", + 
"10.90.0.203", + "10.90.0.253", + "10.90.0.231", + "10.90.0.130", + "10.90.0.186", + "10.90.0.197", + "10.90.0.194", + "10.90.0.170" + ], + "os": { + "platform": "AMAZON_LINUX_2", + "type": "linux" + }, + "type": "t3.medium" + }, + "message": "SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.", + "observer": { + "vendor": "Amazon Inspector" + }, + "package": { + "architecture": [ + "X86_64" + ], + "fixed_version": [ + "0:3.3.2299.0-1.amzn2", + "0.35.0" + ], + "name": [ + "amazon-ssm-agent", + "golang.org/x/crypto" + ], + "path": [ + "vol-0718e90f4c9530260:/p1:usr/bin/kubelet" + ], + "version": [ + "3.3.1957.0", + "v0.28.0" + ] + }, + "related": { + "ip": [ + "10.90.0.42", + "10.90.0.88", + "175.16.199.1", + "10.90.0.57", + "10.90.0.14", + "10.90.0.204", + "10.90.0.59", + "10.90.0.38", + "10.90.0.249", + "10.90.0.147", + "10.90.0.224", + "10.90.0.203", + "10.90.0.253", + "10.90.0.231", + "10.90.0.130", + "10.90.0.186", + "10.90.0.197", + "10.90.0.194", + "10.90.0.170" + ] + }, + "resource": { + "id": "i-020babcdefabcdefd", + "type": "AWS_EC2_INSTANCE" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "description": "SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.", + "id": "CVE-2025-22869", + "published_date": "2025-02-26T08:14:24.000Z", + "reference": [ + "https://nvd.nist.gov/vuln/detail/CVE-2025-22869", + "https://alas.aws.amazon.com/AL2/ALASDOCKER-2025-053.html", + "https://alas.aws.amazon.com/AL2/ALAS-2025-2883.html", + "https://alas.aws.amazon.com/AL2/ALASNITRO-ENCLAVES-2025-053.html", + 
"https://alas.aws.amazon.com/AL2/ALASDOCKER-2025-056.html", + "https://alas.aws.amazon.com/cve/json/v1/CVE-2025-22869.json", + "https://alas.aws.amazon.com/AL2/ALASECS-2025-054.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2025-934.html", + "https://alas.aws.amazon.com/ALAS-2025-1982.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2025-1013.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2025-914.html", + "https://alas.aws.amazon.com/cve/json/v1/CVE-2025-22869.json" + ], + "scanner": { + "vendor": "Amazon Inspector" + }, + "score": { + "base": 7.5, + "version": "3.1" + }, + "severity": "High", + "title": "CVE-2025-22869 - amazon-ssm-agent, golang.org/x/crypto" + } + }, + { + "@timestamp": "2025-06-13T06:24:55.486Z", + "aws": { + "inspector": { + "aws_account_id": "123451256789", + "description": "In libxml2 before 2.13.8 and 2.14.x before 2.14.2, xmlSchemaIDCFillNodeTables in xmlschemas.c has a heap-based buffer under-read. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used.", + "epss": { + "score": 2.3E-4 + }, + "exploit_available": "NO", + "finding_arn": "arn:aws:inspector2:us-east-2:123451256789:finding/52dcbabcdef0123456789abcdefd2b65", + "first_observed_at": "2025-05-30T18:25:34.399Z", + "fix_available": "YES", + "inspector_score": 2.9, + "inspector_score_details": { + "adjusted_cvss": { + "cvss_source": "AMAZON_CVE", + "score": { + "source": "AMAZON_CVE", + "value": 2.9 + }, + "scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", + "version": "3.1" + } + }, + "last_observed_at": "2025-06-13T06:24:55.486Z", + "package_nested": [ + { + "arch": "X86_64", + "epoch": 0, + "fixed_in_version": "0:2.9.1-6.amzn2.5.17", + "name": "libxml2", + "package_manager": "OS", + "release": "6.amzn2.5.16", + "remediation": "yum update libxml2", + "version": "2.9.1" + }, + { + "arch": "X86_64", + "epoch": 0, + "fixed_in_version": "0:2.9.1-6.amzn2.5.17", + 
"name": "libxml2-python", + "package_manager": "OS", + "release": "6.amzn2.5.16", + "remediation": "yum update libxml2-python", + "version": "2.9.1" + } + ], + "package_vulnerability_details": { + "cvss": [ + { + "base_score": 2.9, + "scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", + "source": "AMAZON_CVE", + "version": "3.1" + }, + { + "base_score": 7.5, + "scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": "NVD", + "version": "3.1" + } + ], + "reference_urls": [ + "https://alas.aws.amazon.com/AL2023/ALAS-2025-963.html", + "https://alas.aws.amazon.com/AL2/ALAS-2025-2860.html", + "https://alas.aws.amazon.com/cve/json/v1/CVE-2025-32415.json" + ], + "related_vulnerabilities": [ + "ALAS2023-2025-963", + "ALAS2-2025-2860" + ], + "source": { + "url": { + "domain": "alas.aws.amazon.com", + "extension": "json", + "original": "https://alas.aws.amazon.com/cve/json/v1/CVE-2025-32415.json", + "path": "/cve/json/v1/CVE-2025-32415.json", + "scheme": "https" + }, + "value": "AMAZON_CVE" + }, + "vendor": { + "created_at": "2025-04-17T00:00:00.000Z", + "severity": "Low", + "updated_at": "2025-04-24T00:00:00.000Z" + }, + "vulnerability_id": "CVE-2025-32415", + "vulnerable_packages": [ + { + "arch": "X86_64", + "epoch": 0, + "fixed_in_version": "0:2.9.1-6.amzn2.5.17", + "name": "libxml2", + "package_manager": "OS", + "release": "6.amzn2.5.16", + "remediation": "yum update libxml2", + "version": "2.9.1" + }, + { + "arch": "X86_64", + "epoch": 0, + "fixed_in_version": "0:2.9.1-6.amzn2.5.17", + "name": "libxml2-python", + "package_manager": "OS", + "release": "6.amzn2.5.16", + "remediation": "yum update libxml2-python", + "version": "2.9.1" + } + ] + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "resources": [ + { + "details": { + "aws": { + "ec2_instance": { + "iam_instance_profile_arn": "arn:aws:iam::123451256789:instance-profile/eks-0012345a-1234-5678-1234-6c1abcdef012", + "image_id": 
"ami-0e0f0123456789abd", + "ipv4_addresses": [ + "10.90.0.42", + "10.90.0.88", + "175.16.199.6", + "10.90.0.57", + "10.90.0.14", + "10.90.0.204", + "10.90.0.59", + "10.90.0.38", + "10.90.0.249", + "10.90.0.147", + "10.90.0.224", + "10.90.0.203", + "10.90.0.253", + "10.90.0.231", + "10.90.0.130", + "10.90.0.186", + "10.90.0.197", + "10.90.0.194", + "10.90.0.170" + ], + "launched_at": "2025-05-29T16:04:40.000Z", + "platform": "AMAZON_LINUX_2", + "subnet_id": "subnet-0ababcdefabcdef11", + "type": "t3.medium", + "vpc_id": "vpc-04ab0123456789123" + } + } + }, + "id": "i-020babcdefabcdefd", + "partition": "aws", + "region": "us-east-2", + "tags": { + "aws:autoscaling:groupName": "eks-sei_demo_prod_linux-00c12345-abcd-1234-5678-601234567896", + "aws:ec2launchtemplate:version": "6", + "aws:eks:cluster-name": "sei_demo_prod", + "eks:cluster-name": "sei_demo_prod", + "eks:nodegroup-name": "sei_demo_prod_linux", + "k8s.io/cluster-autoscaler/enabled": "true", + "k8s.io/cluster-autoscaler/sei_demo_prod": "owned", + "kubernetes.io/cluster/sei_demo_prod": "owned" + }, + "type": "AWS_EC2_INSTANCE" + } + ], + "severity": "LOW", + "status": "ACTIVE", + "title": "CVE-2025-32415 - libxml2, libxml2-python", + "transform_unique_id": "CVE-2025-32415|i-020babcdefabcdefd|{0=libxml2, 1=libxml2-python}|{0=2.9.1}", + "type": "PACKAGE_VULNERABILITY", + "updated_at": "2025-06-13T06:24:55.486Z" + } + }, + "cloud": { + "account": { + "id": "123451256789" + }, + "instance": { + "id": "i-020babcdefabcdefd" + }, + "machine": { + "type": "t3.medium" + }, + "provider": "aws", + "region": "us-east-2" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "id": "CVE-2025-32415|i-020babcdefabcdefd|{0=libxml2, 1=libxml2-python}|{0=2.9.1}|2025-06-13T06:24:55.486Z", + "kind": "event", + "original": "{\"awsAccountId\":\"123451256789\",\"description\":\"In libxml2 before 2.13.8 and 2.14.x before 2.14.2, xmlSchemaIDCFillNodeTables in xmlschemas.c has a heap-based 
buffer under-read. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used.\",\"epss\":{\"score\":0.00023},\"exploitAvailable\":\"NO\",\"findingArn\":\"arn:aws:inspector2:us-east-2:123451256789:finding/52dcbabcdef0123456789abcdefd2b65\",\"firstObservedAt\":1748629534.399,\"fixAvailable\":\"YES\",\"inspectorScore\":2.9,\"inspectorScoreDetails\":{\"adjustedCvss\":{\"adjustments\":[],\"cvssSource\":\"AMAZON_CVE\",\"score\":2.9,\"scoreSource\":\"AMAZON_CVE\",\"scoringVector\":\"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L\",\"version\":\"3.1\"}},\"lastObservedAt\":1749795895.486,\"packageVulnerabilityDetails\":{\"cvss\":[{\"baseScore\":2.9,\"scoringVector\":\"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L\",\"source\":\"AMAZON_CVE\",\"version\":\"3.1\"},{\"baseScore\":7.5,\"scoringVector\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"source\":\"NVD\",\"version\":\"3.1\"}],\"referenceUrls\":[\"https://alas.aws.amazon.com/AL2023/ALAS-2025-963.html\",\"https://alas.aws.amazon.com/AL2/ALAS-2025-2860.html\",\"https://alas.aws.amazon.com/cve/json/v1/CVE-2025-32415.json\"],\"relatedVulnerabilities\":[\"ALAS2023-2025-963\",\"ALAS2-2025-2860\"],\"source\":\"AMAZON_CVE\",\"sourceUrl\":\"https://alas.aws.amazon.com/cve/json/v1/CVE-2025-32415.json\",\"vendorCreatedAt\":1744848000,\"vendorSeverity\":\"Low\",\"vendorUpdatedAt\":1745452800,\"vulnerabilityId\":\"CVE-2025-32415\",\"vulnerablePackages\":[{\"arch\":\"X86_64\",\"epoch\":0,\"fixedInVersion\":\"0:2.9.1-6.amzn2.5.17\",\"name\":\"libxml2\",\"packageManager\":\"OS\",\"release\":\"6.amzn2.5.16\",\"remediation\":\"yum update libxml2\",\"version\":\"2.9.1\"},{\"arch\":\"X86_64\",\"epoch\":0,\"fixedInVersion\":\"0:2.9.1-6.amzn2.5.17\",\"name\":\"libxml2-python\",\"packageManager\":\"OS\",\"release\":\"6.amzn2.5.16\",\"remediation\":\"yum update 
libxml2-python\",\"version\":\"2.9.1\"}]},\"remediation\":{\"recommendation\":{\"text\":\"None Provided\"}},\"resources\":[{\"details\":{\"awsEc2Instance\":{\"iamInstanceProfileArn\":\"arn:aws:iam::123451256789:instance-profile/eks-0012345a-1234-5678-1234-6c1abcdef012\",\"imageId\":\"ami-0e0f0123456789abd\",\"ipV4Addresses\":[\"10.90.0.42\",\"10.90.0.88\",\"175.16.199.6\",\"10.90.0.57\",\"10.90.0.14\",\"10.90.0.204\",\"10.90.0.59\",\"10.90.0.38\",\"10.90.0.249\",\"10.90.0.147\",\"10.90.0.224\",\"10.90.0.203\",\"10.90.0.253\",\"10.90.0.231\",\"10.90.0.130\",\"10.90.0.186\",\"10.90.0.197\",\"10.90.0.194\",\"10.90.0.170\"],\"ipV6Addresses\":[],\"launchedAt\":1748534680,\"platform\":\"AMAZON_LINUX_2\",\"subnetId\":\"subnet-0ababcdefabcdef11\",\"type\":\"t3.medium\",\"vpcId\":\"vpc-04ab0123456789123\"}},\"id\":\"i-020babcdefabcdefd\",\"partition\":\"aws\",\"region\":\"us-east-2\",\"tags\":{\"aws:autoscaling:groupName\":\"eks-sei_demo_prod_linux-00c12345-abcd-1234-5678-601234567896\",\"aws:ec2launchtemplate:version\":\"6\",\"aws:eks:cluster-name\":\"sei_demo_prod\",\"eks:cluster-name\":\"sei_demo_prod\",\"eks:nodegroup-name\":\"sei_demo_prod_linux\",\"k8s.io/cluster-autoscaler/enabled\":\"true\",\"k8s.io/cluster-autoscaler/sei_demo_prod\":\"owned\",\"kubernetes.io/cluster/sei_demo_prod\":\"owned\"},\"type\":\"AWS_EC2_INSTANCE\"}],\"severity\":\"LOW\",\"status\":\"ACTIVE\",\"title\":\"CVE-2025-32415 - libxml2, libxml2-python\",\"type\":\"PACKAGE_VULNERABILITY\",\"updatedAt\":1749795895.486}", + "type": [ + "info" + ] + }, + "host": { + "id": "i-020babcdefabcdefd", + "ip": [ + "10.90.0.42", + "10.90.0.88", + "175.16.199.6", + "10.90.0.57", + "10.90.0.14", + "10.90.0.204", + "10.90.0.59", + "10.90.0.38", + "10.90.0.249", + "10.90.0.147", + "10.90.0.224", + "10.90.0.203", + "10.90.0.253", + "10.90.0.231", + "10.90.0.130", + "10.90.0.186", + "10.90.0.197", + "10.90.0.194", + "10.90.0.170" + ], + "os": { + "platform": "AMAZON_LINUX_2", + "type": "linux" + }, + "type": 
"t3.medium" + }, + "message": "In libxml2 before 2.13.8 and 2.14.x before 2.14.2, xmlSchemaIDCFillNodeTables in xmlschemas.c has a heap-based buffer under-read. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used.", + "observer": { + "vendor": "Amazon Inspector" + }, + "package": { + "architecture": [ + "X86_64" + ], + "fixed_version": [ + "0:2.9.1-6.amzn2.5.17" + ], + "name": [ + "libxml2", + "libxml2-python" + ], + "version": [ + "2.9.1" + ] + }, + "related": { + "ip": [ + "10.90.0.42", + "10.90.0.88", + "175.16.199.6", + "10.90.0.57", + "10.90.0.14", + "10.90.0.204", + "10.90.0.59", + "10.90.0.38", + "10.90.0.249", + "10.90.0.147", + "10.90.0.224", + "10.90.0.203", + "10.90.0.253", + "10.90.0.231", + "10.90.0.130", + "10.90.0.186", + "10.90.0.197", + "10.90.0.194", + "10.90.0.170" + ] + }, + "resource": { + "id": "i-020babcdefabcdefd", + "type": "AWS_EC2_INSTANCE" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "description": "In libxml2 before 2.13.8 and 2.14.x before 2.14.2, xmlSchemaIDCFillNodeTables in xmlschemas.c has a heap-based buffer under-read. 
To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used.", + "id": "CVE-2025-32415", + "published_date": "2025-04-17T00:00:00.000Z", + "reference": [ + "https://alas.aws.amazon.com/AL2023/ALAS-2025-963.html", + "https://alas.aws.amazon.com/AL2/ALAS-2025-2860.html", + "https://alas.aws.amazon.com/cve/json/v1/CVE-2025-32415.json" + ], + "scanner": { + "vendor": "Amazon Inspector" + }, + "score": { + "base": 2.9, + "version": "3.1" + }, + "severity": "Low", + "title": "CVE-2025-32415 - libxml2, libxml2-python" + } + }, + { + "@timestamp": "2025-06-10T03:24:45.775Z", + "aws": { + "inspector": { + "aws_account_id": "123451256789", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: arfs: fix use-after-free when freeing @rx_cpu_rmap", + "epss": { + "score": 2.1E-4 + }, + "exploit_available": "NO", + "finding_arn": "arn:aws:inspector2:us-east-2:123451256789:finding/64eabcdef0123456789abcdefb1234bb", + "first_observed_at": "2025-05-30T18:25:05.465Z", + "fix_available": "YES", + "inspector_score": 7.8, + "inspector_score_details": { + "adjusted_cvss": { + "cvss_source": "AMAZON_CVE", + "score": { + "source": "AMAZON_CVE", + "value": 7.8 + }, + "scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "version": "3.1" + } + }, + "last_observed_at": "2025-06-10T03:24:45.775Z", + "package_nested": [ + { + "arch": "X86_64", + "epoch": 0, + "fixed_in_version": "0:5.10.237-230.949.amzn2", + "name": "kernel", + "package_manager": "OS", + "release": "228.935.amzn2", + "remediation": "yum update kernel", + "version": "5.10.236" + }, + { + "arch": "X86_64", + "epoch": 0, + "fixed_in_version": "0:5.10.237-230.949.amzn2", + "name": "kernel-devel", + "package_manager": "OS", + "release": "228.935.amzn2", + "remediation": "yum update kernel-devel", + "version": "5.10.236" + }, + { + "arch": "X86_64", + "epoch": 0, + "fixed_in_version": 
"0:5.10.237-230.949.amzn2", + "name": "kernel-headers", + "package_manager": "OS", + "release": "228.935.amzn2", + "remediation": "yum update kernel-headers", + "version": "5.10.236" + } + ], + "package_vulnerability_details": { + "cvss": [ + { + "base_score": 7.8, + "scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": "AMAZON_CVE", + "version": "3.1" + }, + { + "base_score": 7.8, + "scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": "NVD", + "version": "3.1" + } + ], + "reference_urls": [ + "https://alas.aws.amazon.com/cve/json/v1/CVE-2022-49063.json", + "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.10-2025-094.html" + ], + "related_vulnerabilities": [ + "ALAS2KERNEL-5.10-2025-094" + ], + "source": { + "url": { + "domain": "alas.aws.amazon.com", + "extension": "json", + "original": "https://alas.aws.amazon.com/cve/json/v1/CVE-2022-49063.json", + "path": "/cve/json/v1/CVE-2022-49063.json", + "scheme": "https" + }, + "value": "AMAZON_CVE" + }, + "vendor": { + "created_at": "2025-02-26T00:00:00.000Z", + "severity": "Important", + "updated_at": "2025-03-18T00:00:00.000Z" + }, + "vulnerability_id": "CVE-2022-49063", + "vulnerable_packages": [ + { + "arch": "X86_64", + "epoch": 0, + "fixed_in_version": "0:5.10.237-230.949.amzn2", + "name": "kernel", + "package_manager": "OS", + "release": "228.935.amzn2", + "remediation": "yum update kernel", + "version": "5.10.236" + }, + { + "arch": "X86_64", + "epoch": 0, + "fixed_in_version": "0:5.10.237-230.949.amzn2", + "name": "kernel-devel", + "package_manager": "OS", + "release": "228.935.amzn2", + "remediation": "yum update kernel-devel", + "version": "5.10.236" + }, + { + "arch": "X86_64", + "epoch": 0, + "fixed_in_version": "0:5.10.237-230.949.amzn2", + "name": "kernel-headers", + "package_manager": "OS", + "release": "228.935.amzn2", + "remediation": "yum update kernel-headers", + "version": "5.10.236" + } + ] + }, + "remediation": { + "recommendation": { + "text": "None 
Provided" + } + }, + "resources": [ + { + "details": { + "aws": { + "ec2_instance": { + "iam_instance_profile_arn": "arn:aws:iam::123451256789:instance-profile/eks-0012345a-1234-5678-1234-6c1abcdef012", + "image_id": "ami-0e0f0123456789abd", + "ipv4_addresses": [ + "10.90.0.87", + "10.90.0.60", + "10.90.0.30", + "10.90.0.74", + "10.90.0.206", + "10.90.0.207", + "10.90.0.37", + "10.90.0.149", + "10.90.0.235", + "1.128.0.3", + "10.90.0.225", + "10.90.0.212", + "10.90.0.199", + "10.90.0.240", + "10.90.0.164", + "10.90.0.160", + "10.90.0.182", + "10.90.0.70", + "10.90.0.180" + ], + "launched_at": "2025-05-29T16:04:40.000Z", + "platform": "AMAZON_LINUX_2", + "subnet_id": "subnet-0ababcdefabcdef11", + "type": "t3.medium", + "vpc_id": "vpc-04ab0123456789123" + } + } + }, + "id": "i-059abcdefabcdef1b", + "partition": "aws", + "region": "us-east-2", + "tags": { + "aws:autoscaling:groupName": "eks-sei_demo_prod_linux-00c12345-abcd-1234-5678-601234567896", + "aws:ec2launchtemplate:version": "6", + "aws:eks:cluster-name": "sei_demo_prod", + "eks:cluster-name": "sei_demo_prod", + "eks:nodegroup-name": "sei_demo_prod_linux", + "k8s.io/cluster-autoscaler/enabled": "true", + "k8s.io/cluster-autoscaler/sei_demo_prod": "owned", + "kubernetes.io/cluster/sei_demo_prod": "owned" + }, + "type": "AWS_EC2_INSTANCE" + } + ], + "severity": "HIGH", + "status": "ACTIVE", + "title": "CVE-2022-49063 - kernel, kernel-devel and 1 more", + "transform_unique_id": "CVE-2022-49063|i-059abcdefabcdef1b|{0=kernel, 1=kernel-devel, 2=kernel-headers}|{0=5.10.236}", + "type": "PACKAGE_VULNERABILITY", + "updated_at": "2025-06-10T03:24:45.775Z" + } + }, + "cloud": { + "account": { + "id": "123451256789" + }, + "instance": { + "id": "i-059abcdefabcdef1b" + }, + "machine": { + "type": "t3.medium" + }, + "provider": "aws", + "region": "us-east-2" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "id": "CVE-2022-49063|i-059abcdefabcdef1b|{0=kernel, 1=kernel-devel, 
2=kernel-headers}|{0=5.10.236}|2025-06-10T03:24:45.775Z", + "kind": "event", + "original": "{\"awsAccountId\":\"123451256789\",\"description\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nice: arfs: fix use-after-free when freeing @rx_cpu_rmap\",\"epss\":{\"score\":0.00021},\"exploitAvailable\":\"NO\",\"findingArn\":\"arn:aws:inspector2:us-east-2:123451256789:finding/64eabcdef0123456789abcdefb1234bb\",\"firstObservedAt\":1748629505.465,\"fixAvailable\":\"YES\",\"inspectorScore\":7.8,\"inspectorScoreDetails\":{\"adjustedCvss\":{\"adjustments\":[],\"cvssSource\":\"AMAZON_CVE\",\"score\":7.8,\"scoreSource\":\"AMAZON_CVE\",\"scoringVector\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"version\":\"3.1\"}},\"lastObservedAt\":1749525885.775,\"packageVulnerabilityDetails\":{\"cvss\":[{\"baseScore\":7.8,\"scoringVector\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"source\":\"AMAZON_CVE\",\"version\":\"3.1\"},{\"baseScore\":7.8,\"scoringVector\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"source\":\"NVD\",\"version\":\"3.1\"}],\"referenceUrls\":[\"https://alas.aws.amazon.com/cve/json/v1/CVE-2022-49063.json\",\"https://alas.aws.amazon.com/AL2/ALASKERNEL-5.10-2025-094.html\"],\"relatedVulnerabilities\":[\"ALAS2KERNEL-5.10-2025-094\"],\"source\":\"AMAZON_CVE\",\"sourceUrl\":\"https://alas.aws.amazon.com/cve/json/v1/CVE-2022-49063.json\",\"vendorCreatedAt\":1740528000,\"vendorSeverity\":\"Important\",\"vendorUpdatedAt\":1742256000,\"vulnerabilityId\":\"CVE-2022-49063\",\"vulnerablePackages\":[{\"arch\":\"X86_64\",\"epoch\":0,\"fixedInVersion\":\"0:5.10.237-230.949.amzn2\",\"name\":\"kernel\",\"packageManager\":\"OS\",\"release\":\"228.935.amzn2\",\"remediation\":\"yum update kernel\",\"version\":\"5.10.236\"},{\"arch\":\"X86_64\",\"epoch\":0,\"fixedInVersion\":\"0:5.10.237-230.949.amzn2\",\"name\":\"kernel-devel\",\"packageManager\":\"OS\",\"release\":\"228.935.amzn2\",\"remediation\":\"yum update 
kernel-devel\",\"version\":\"5.10.236\"},{\"arch\":\"X86_64\",\"epoch\":0,\"fixedInVersion\":\"0:5.10.237-230.949.amzn2\",\"name\":\"kernel-headers\",\"packageManager\":\"OS\",\"release\":\"228.935.amzn2\",\"remediation\":\"yum update kernel-headers\",\"version\":\"5.10.236\"}]},\"remediation\":{\"recommendation\":{\"text\":\"None Provided\"}},\"resources\":[{\"details\":{\"awsEc2Instance\":{\"iamInstanceProfileArn\":\"arn:aws:iam::123451256789:instance-profile/eks-0012345a-1234-5678-1234-6c1abcdef012\",\"imageId\":\"ami-0e0f0123456789abd\",\"ipV4Addresses\":[\"10.90.0.87\",\"10.90.0.60\",\"10.90.0.30\",\"10.90.0.74\",\"10.90.0.206\",\"10.90.0.207\",\"10.90.0.37\",\"10.90.0.149\",\"10.90.0.235\",\"1.128.0.3\",\"10.90.0.225\",\"10.90.0.212\",\"10.90.0.199\",\"10.90.0.240\",\"10.90.0.164\",\"10.90.0.160\",\"10.90.0.182\",\"10.90.0.70\",\"10.90.0.180\"],\"ipV6Addresses\":[],\"launchedAt\":1748534680,\"platform\":\"AMAZON_LINUX_2\",\"subnetId\":\"subnet-0ababcdefabcdef11\",\"type\":\"t3.medium\",\"vpcId\":\"vpc-04ab0123456789123\"}},\"id\":\"i-059abcdefabcdef1b\",\"partition\":\"aws\",\"region\":\"us-east-2\",\"tags\":{\"aws:autoscaling:groupName\":\"eks-sei_demo_prod_linux-00c12345-abcd-1234-5678-601234567896\",\"aws:ec2launchtemplate:version\":\"6\",\"aws:eks:cluster-name\":\"sei_demo_prod\",\"eks:cluster-name\":\"sei_demo_prod\",\"eks:nodegroup-name\":\"sei_demo_prod_linux\",\"k8s.io/cluster-autoscaler/enabled\":\"true\",\"k8s.io/cluster-autoscaler/sei_demo_prod\":\"owned\",\"kubernetes.io/cluster/sei_demo_prod\":\"owned\"},\"type\":\"AWS_EC2_INSTANCE\"}],\"severity\":\"HIGH\",\"status\":\"ACTIVE\",\"title\":\"CVE-2022-49063 - kernel, kernel-devel and 1 more\",\"type\":\"PACKAGE_VULNERABILITY\",\"updatedAt\":1749525885.775}", + "type": [ + "info" + ] + }, + "host": { + "id": "i-059abcdefabcdef1b", + "ip": [ + "10.90.0.87", + "10.90.0.60", + "10.90.0.30", + "10.90.0.74", + "10.90.0.206", + "10.90.0.207", + "10.90.0.37", + "10.90.0.149", + "10.90.0.235", + 
"1.128.0.3", + "10.90.0.225", + "10.90.0.212", + "10.90.0.199", + "10.90.0.240", + "10.90.0.164", + "10.90.0.160", + "10.90.0.182", + "10.90.0.70", + "10.90.0.180" + ], + "os": { + "platform": "AMAZON_LINUX_2", + "type": "linux" + }, + "type": "t3.medium" + }, + "message": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: arfs: fix use-after-free when freeing @rx_cpu_rmap", + "observer": { + "vendor": "Amazon Inspector" + }, + "package": { + "architecture": [ + "X86_64" + ], + "fixed_version": [ + "0:5.10.237-230.949.amzn2" + ], + "name": [ + "kernel", + "kernel-devel", + "kernel-headers" + ], + "version": [ + "5.10.236" + ] + }, + "related": { + "ip": [ + "10.90.0.87", + "10.90.0.60", + "10.90.0.30", + "10.90.0.74", + "10.90.0.206", + "10.90.0.207", + "10.90.0.37", + "10.90.0.149", + "10.90.0.235", + "1.128.0.3", + "10.90.0.225", + "10.90.0.212", + "10.90.0.199", + "10.90.0.240", + "10.90.0.164", + "10.90.0.160", + "10.90.0.182", + "10.90.0.70", + "10.90.0.180" + ] + }, + "resource": { + "id": "i-059abcdefabcdef1b", + "type": "AWS_EC2_INSTANCE" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: arfs: fix use-after-free when freeing @rx_cpu_rmap", + "id": "CVE-2022-49063", + "published_date": "2025-02-26T00:00:00.000Z", + "reference": [ + "https://alas.aws.amazon.com/cve/json/v1/CVE-2022-49063.json", + "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.10-2025-094.html" + ], + "scanner": { + "vendor": "Amazon Inspector" + }, + "score": { + "base": 7.8, + "version": "3.1" + }, + "severity": "High", + "title": "CVE-2022-49063 - kernel, kernel-devel and 1 more" + } + }, + { + "@timestamp": "2025-05-29T23:16:36.648Z", + "aws": { + "inspector": { + "aws_account_id": "123451256789", + "description": "On the instance i-059abcdefabcdef1b, the port range 31699-31699 is reachable from the InternetGateway 
igw-0e7abcdefabcdef3e from an attached ENI eni-03fabcdefabcdef8f.", + "finding_arn": "arn:aws:inspector2:us-east-2:123451256789:finding/6cde74bdabcdef0123456789abcdef05", + "first_observed_at": "2025-05-29T23:16:36.648Z", + "last_observed_at": "2025-05-29T23:16:36.648Z", + "network_reachability_details": { + "network_path": { + "steps": [ + { + "component": { + "arn": "arn:aws:ec2:us-east-2:123451256789:internet-gateway/igw-0e7abcdefabcdef3e", + "id": "igw-0e7abcdefabcdef3e", + "type": "AWS::EC2::InternetGateway" + } + }, + { + "component": { + "arn": "arn:aws:ec2:us-east-2:123451256789:network-acl/acl-0d9abcdefabcd0b", + "id": "acl-0d9abcdefabcd0b", + "type": "AWS::EC2::NetworkAcl" + } + }, + { + "component": { + "arn": "arn:aws:ec2:us-east-2:123451256789:security-group/sg-0ef5abcdefabcdef6", + "id": "sg-0ef5abcdefabcdef6", + "type": "AWS::EC2::SecurityGroup" + } + }, + { + "component": { + "arn": "arn:aws:ec2:us-east-2:123451256789:network-interface/eni-03fabcdefabcdef8f", + "id": "eni-03fabcdefabcdef8f", + "type": "AWS::EC2::NetworkInterface" + } + }, + { + "component": { + "arn": "arn:aws:ec2:us-east-2:123451256789:instance/i-059abcdefabcdef1b", + "id": "i-059abcdefabcdef1b", + "type": "AWS::EC2::Instance" + } + } + ] + }, + "open_port_range": { + "begin": 31699, + "end": 31699 + }, + "protocol": "TCP" + }, + "remediation": { + "recommendation": { + "text": "You can restrict access to your instance by modifying the Security Groups or ACLs in the network path." 
+ } + }, + "resources": [ + { + "details": { + "aws": { + "ec2_instance": { + "iam_instance_profile_arn": "arn:aws:iam::123451256789:instance-profile/eks-0012345a-1234-5678-1234-6c1abcdef012", + "image_id": "ami-0e0f0123456789abd", + "ipv4_addresses": [ + "10.90.0.87", + "10.90.0.60", + "10.90.0.30", + "10.90.0.74", + "10.90.0.206", + "10.90.0.207", + "10.90.0.37", + "10.90.0.149", + "10.90.0.235", + "1.128.0.5", + "10.90.0.225", + "10.90.0.212", + "10.90.0.199", + "10.90.0.240", + "10.90.0.164", + "10.90.0.160", + "10.90.0.182", + "10.90.0.70", + "10.90.0.180" + ], + "launched_at": "2025-05-29T16:04:40.000Z", + "platform": "AMAZON_LINUX_2", + "subnet_id": "subnet-0ababcdefabcdef11", + "type": "t3.medium", + "vpc_id": "vpc-04ab0123456789123" + } + } + }, + "id": "i-059abcdefabcdef1b", + "partition": "aws", + "region": "us-east-2", + "tags": { + "aws:autoscaling:groupName": "eks-sei_demo_prod_linux-00c12345-abcd-1234-5678-601234567896", + "aws:ec2launchtemplate:version": "6", + "aws:eks:cluster-name": "sei_demo_prod", + "eks:cluster-name": "sei_demo_prod", + "eks:nodegroup-name": "sei_demo_prod_linux", + "k8s.io/cluster-autoscaler/enabled": "true", + "k8s.io/cluster-autoscaler/sei_demo_prod": "owned", + "kubernetes.io/cluster/sei_demo_prod": "owned" + }, + "type": "AWS_EC2_INSTANCE" + } + ], + "severity": "INFORMATIONAL", + "status": "ACTIVE", + "title": "Port 31699 is reachable from an Internet Gateway - TCP", + "type": "NETWORK_REACHABILITY", + "updated_at": "2025-05-29T23:16:36.648Z" + } + }, + "cloud": { + "account": { + "id": "123451256789" + }, + "instance": { + "id": "i-059abcdefabcdef1b" + }, + "machine": { + "type": "t3.medium" + }, + "provider": "aws", + "region": "us-east-2" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "kind": "event", + "original": "{\"awsAccountId\":\"123451256789\",\"description\":\"On the instance i-059abcdefabcdef1b, the port range 31699-31699 is reachable from the InternetGateway 
igw-0e7abcdefabcdef3e from an attached ENI eni-03fabcdefabcdef8f.\",\"findingArn\":\"arn:aws:inspector2:us-east-2:123451256789:finding/6cde74bdabcdef0123456789abcdef05\",\"firstObservedAt\":1748560596.648,\"lastObservedAt\":1748560596.648,\"networkReachabilityDetails\":{\"networkPath\":{\"steps\":[{\"componentArn\":\"arn:aws:ec2:us-east-2:123451256789:internet-gateway/igw-0e7abcdefabcdef3e\",\"componentId\":\"igw-0e7abcdefabcdef3e\",\"componentType\":\"AWS::EC2::InternetGateway\"},{\"componentArn\":\"arn:aws:ec2:us-east-2:123451256789:network-acl/acl-0d9abcdefabcd0b\",\"componentId\":\"acl-0d9abcdefabcd0b\",\"componentType\":\"AWS::EC2::NetworkAcl\"},{\"componentArn\":\"arn:aws:ec2:us-east-2:123451256789:security-group/sg-0ef5abcdefabcdef6\",\"componentId\":\"sg-0ef5abcdefabcdef6\",\"componentType\":\"AWS::EC2::SecurityGroup\"},{\"componentArn\":\"arn:aws:ec2:us-east-2:123451256789:network-interface/eni-03fabcdefabcdef8f\",\"componentId\":\"eni-03fabcdefabcdef8f\",\"componentType\":\"AWS::EC2::NetworkInterface\"},{\"componentArn\":\"arn:aws:ec2:us-east-2:123451256789:instance/i-059abcdefabcdef1b\",\"componentId\":\"i-059abcdefabcdef1b\",\"componentType\":\"AWS::EC2::Instance\"}]},\"openPortRange\":{\"begin\":31699,\"end\":31699},\"protocol\":\"TCP\"},\"remediation\":{\"recommendation\":{\"text\":\"You can restrict access to your instance by modifying the Security Groups or ACLs in the network 
path.\"}},\"resources\":[{\"details\":{\"awsEc2Instance\":{\"iamInstanceProfileArn\":\"arn:aws:iam::123451256789:instance-profile/eks-0012345a-1234-5678-1234-6c1abcdef012\",\"imageId\":\"ami-0e0f0123456789abd\",\"ipV4Addresses\":[\"10.90.0.87\",\"10.90.0.60\",\"10.90.0.30\",\"10.90.0.74\",\"10.90.0.206\",\"10.90.0.207\",\"10.90.0.37\",\"10.90.0.149\",\"10.90.0.235\",\"1.128.0.5\",\"10.90.0.225\",\"10.90.0.212\",\"10.90.0.199\",\"10.90.0.240\",\"10.90.0.164\",\"10.90.0.160\",\"10.90.0.182\",\"10.90.0.70\",\"10.90.0.180\"],\"ipV6Addresses\":[],\"launchedAt\":1748534680,\"platform\":\"AMAZON_LINUX_2\",\"subnetId\":\"subnet-0ababcdefabcdef11\",\"type\":\"t3.medium\",\"vpcId\":\"vpc-04ab0123456789123\"}},\"id\":\"i-059abcdefabcdef1b\",\"partition\":\"aws\",\"region\":\"us-east-2\",\"tags\":{\"aws:autoscaling:groupName\":\"eks-sei_demo_prod_linux-00c12345-abcd-1234-5678-601234567896\",\"aws:ec2launchtemplate:version\":\"6\",\"aws:eks:cluster-name\":\"sei_demo_prod\",\"eks:cluster-name\":\"sei_demo_prod\",\"eks:nodegroup-name\":\"sei_demo_prod_linux\",\"k8s.io/cluster-autoscaler/enabled\":\"true\",\"k8s.io/cluster-autoscaler/sei_demo_prod\":\"owned\",\"kubernetes.io/cluster/sei_demo_prod\":\"owned\"},\"type\":\"AWS_EC2_INSTANCE\"}],\"severity\":\"INFORMATIONAL\",\"status\":\"ACTIVE\",\"title\":\"Port 31699 is reachable from an Internet Gateway - TCP\",\"type\":\"NETWORK_REACHABILITY\",\"updatedAt\":1748560596.648}", + "type": [ + "info" + ] + }, + "host": { + "id": "i-059abcdefabcdef1b", + "ip": [ + "10.90.0.87", + "10.90.0.60", + "10.90.0.30", + "10.90.0.74", + "10.90.0.206", + "10.90.0.207", + "10.90.0.37", + "10.90.0.149", + "10.90.0.235", + "1.128.0.5", + "10.90.0.225", + "10.90.0.212", + "10.90.0.199", + "10.90.0.240", + "10.90.0.164", + "10.90.0.160", + "10.90.0.182", + "10.90.0.70", + "10.90.0.180" + ], + "os": { + "platform": "AMAZON_LINUX_2", + "type": "linux" + }, + "type": "t3.medium" + }, + "message": "On the instance i-059abcdefabcdef1b, the port range 
31699-31699 is reachable from the InternetGateway igw-0e7abcdefabcdef3e from an attached ENI eni-03fabcdefabcdef8f.", + "network": { + "transport": "tcp" + }, + "observer": { + "vendor": "Amazon Inspector" + }, + "related": { + "ip": [ + "10.90.0.87", + "10.90.0.60", + "10.90.0.30", + "10.90.0.74", + "10.90.0.206", + "10.90.0.207", + "10.90.0.37", + "10.90.0.149", + "10.90.0.235", + "1.128.0.5", + "10.90.0.225", + "10.90.0.212", + "10.90.0.199", + "10.90.0.240", + "10.90.0.164", + "10.90.0.160", + "10.90.0.182", + "10.90.0.70", + "10.90.0.180" + ] + }, + "resource": { + "id": "i-059abcdefabcdef1b", + "type": "AWS_EC2_INSTANCE" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "description": "On the instance i-059abcdefabcdef1b, the port range 31699-31699 is reachable from the InternetGateway igw-0e7abcdefabcdef3e from an attached ENI eni-03fabcdefabcdef8f.", + "scanner": { + "vendor": "Amazon Inspector" + }, + "severity": "Low", + "title": "Port 31699 is reachable from an Internet Gateway - TCP" + } + }, + { + "@timestamp": "2025-06-18T11:30:53.082Z", + "aws": { + "inspector": { + "aws_account_id": "701234567890", + "description": "go-git is a highly extensible git implementation library written in pure Go. An argument injection vulnerability was discovered in go-git versions prior to v5.13. Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags. This only happens when the file transport protocol is being used, as that is the only protocol that shells out to git binaries. 
This vulnerability is fixed in 5.13.0.", + "epss": { + "score": 0.00112 + }, + "exploit_available": "NO", + "finding_arn": "arn:aws:inspector2:eu-west-1:701234567890:finding/2abcdefabcdefabcdef01234567896cb", + "first_observed_at": "2025-06-05T03:29:23.084Z", + "fix_available": "YES", + "inspector_score": 9.8, + "inspector_score_details": { + "adjusted_cvss": { + "cvss_source": "NVD", + "score": { + "source": "NVD", + "value": 9.8 + }, + "scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "version": "3.1" + } + }, + "last_observed_at": "2025-06-18T11:30:53.082Z", + "package_nested": [ + { + "epoch": 0, + "file_path": "vol-052abcdefabcdef9f:/p1:home/ubuntu/elastic-agent-8.17.3-linux-x86_64/data/elastic-agent-0efe49/components/cloudbeat", + "fixed_in_version": "5.13.0", + "name": "github.com/go-git/go-git/v5", + "package_manager": "GOBINARY", + "version": "v5.12.0" + }, + { + "epoch": 0, + "file_path": "vol-abcdef0123456789f:/p1:opt/Elastic/Agent/data/elastic-agent-8.17.3-0efe49/components/cloudbeat", + "fixed_in_version": "5.13.0", + "name": "github.com/go-git/go-git/v5", + "package_manager": "GOBINARY", + "version": "v5.12.0" + } + ], + "package_vulnerability_details": { + "cvss": [ + { + "base_score": 9.8, + "scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": "NVD", + "version": "3.1" + } + ], + "reference_urls": [ + "https://nvd.nist.gov/vuln/detail/CVE-2025-21613" + ], + "source": { + "url": { + "domain": "nvd.nist.gov", + "original": "https://nvd.nist.gov/vuln/detail/CVE-2025-21613", + "path": "/vuln/detail/CVE-2025-21613", + "scheme": "https" + }, + "value": "NVD" + }, + "vendor": { + "created_at": "2025-01-06T17:15:47.000Z", + "severity": "CRITICAL", + "updated_at": "2025-04-17T02:33:57.000Z" + }, + "vulnerability_id": "CVE-2025-21613", + "vulnerable_packages": [ + { + "epoch": 0, + "file_path": "vol-052abcdefabcdef9f:/p1:home/ubuntu/elastic-agent-8.17.3-linux-x86_64/data/elastic-agent-0efe49/components/cloudbeat", + 
"fixed_in_version": "5.13.0", + "name": "github.com/go-git/go-git/v5", + "package_manager": "GOBINARY", + "version": "v5.12.0" + }, + { + "epoch": 0, + "file_path": "vol-abcdef0123456789f:/p1:opt/Elastic/Agent/data/elastic-agent-8.17.3-0efe49/components/cloudbeat", + "fixed_in_version": "5.13.0", + "name": "github.com/go-git/go-git/v5", + "package_manager": "GOBINARY", + "version": "v5.12.0" + } + ] + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "resources": [ + { + "details": { + "aws": { + "ec2_instance": { + "image_id": "ami-0abcd0123456789d1", + "ipv4_addresses": [ + "1.128.0.1", + "175.16.199.2" + ], + "key_name": "1234-abcd-test", + "launched_at": "2025-03-07T14:26:32.000Z", + "platform": "UBUNTU_24_04", + "subnet_id": "subnet-babcdefd", + "type": "c5.4xlarge", + "vpc_id": "vpc-abcdef01" + } + } + }, + "id": "i-abcdef0123456789d", + "partition": "aws", + "region": "eu-west-1", + "tags": { + "Name": "long-running-env-logs", + "division": "engineering", + "org": "security", + "project": "testabc", + "team": "cloud-security-posture" + }, + "type": "AWS_EC2_INSTANCE" + } + ], + "severity": "CRITICAL", + "status": "ACTIVE", + "title": "CVE-2025-21613 - github.com/go-git/go-git/v5, github.com/go-git/go-git/v5", + "transform_unique_id": "CVE-2025-21613|i-abcdef0123456789d|{0=github.com/go-git/go-git/v5}|{0=v5.12.0}", + "type": "PACKAGE_VULNERABILITY", + "updated_at": "2025-06-18T11:30:53.082Z" + } + }, + "cloud": { + "account": { + "id": "701234567890" + }, + "instance": { + "id": "i-abcdef0123456789d" + }, + "machine": { + "type": "c5.4xlarge" + }, + "provider": "aws", + "region": "eu-west-1" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "id": "CVE-2025-21613|i-abcdef0123456789d|{0=github.com/go-git/go-git/v5}|{0=v5.12.0}|2025-06-18T11:30:53.082Z", + "kind": "event", + "original": "{\"awsAccountId\":\"701234567890\",\"description\":\"go-git is a highly extensible git 
implementation library written in pure Go. An argument injection vulnerability was discovered in go-git versions prior to v5.13. Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags. This only happens when the file transport protocol is being used, as that is the only protocol that shells out to git binaries. This vulnerability is fixed in 5.13.0.\",\"epss\":{\"score\":0.00112},\"exploitAvailable\":\"NO\",\"findingArn\":\"arn:aws:inspector2:eu-west-1:701234567890:finding/2abcdefabcdefabcdef01234567896cb\",\"firstObservedAt\":1749094163.084,\"fixAvailable\":\"YES\",\"inspectorScore\":9.8,\"inspectorScoreDetails\":{\"adjustedCvss\":{\"adjustments\":[],\"cvssSource\":\"NVD\",\"score\":9.8,\"scoreSource\":\"NVD\",\"scoringVector\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"version\":\"3.1\"}},\"lastObservedAt\":1750246253.082,\"packageVulnerabilityDetails\":{\"cvss\":[{\"baseScore\":9.8,\"scoringVector\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"source\":\"NVD\",\"version\":\"3.1\"}],\"referenceUrls\":[\"https://nvd.nist.gov/vuln/detail/CVE-2025-21613\"],\"relatedVulnerabilities\":[],\"source\":\"NVD\",\"sourceUrl\":\"https://nvd.nist.gov/vuln/detail/CVE-2025-21613\",\"vendorCreatedAt\":1736183747,\"vendorSeverity\":\"CRITICAL\",\"vendorUpdatedAt\":1744857237,\"vulnerabilityId\":\"CVE-2025-21613\",\"vulnerablePackages\":[{\"epoch\":0,\"filePath\":\"vol-052abcdefabcdef9f:/p1:home/ubuntu/elastic-agent-8.17.3-linux-x86_64/data/elastic-agent-0efe49/components/cloudbeat\",\"fixedInVersion\":\"5.13.0\",\"name\":\"github.com/go-git/go-git/v5\",\"packageManager\":\"GOBINARY\",\"version\":\"v5.12.0\"},{\"epoch\":0,\"filePath\":\"vol-abcdef0123456789f:/p1:opt/Elastic/Agent/data/elastic-agent-8.17.3-0efe49/components/cloudbeat\",\"fixedInVersion\":\"5.13.0\",\"name\":\"github.com/go-git/go-git/v5\",\"packageManager\":\"GOBINARY\",\"version\":\"v5.12.0\"}]},\"remediation\":{\"recommendation\":{\"text
\":\"None Provided\"}},\"resources\":[{\"details\":{\"awsEc2Instance\":{\"imageId\":\"ami-0abcd0123456789d1\",\"ipV4Addresses\":[\"1.128.0.1\",\"175.16.199.2\"],\"ipV6Addresses\":[],\"keyName\":\"1234-abcd-test\",\"launchedAt\":1741357592,\"platform\":\"UBUNTU_24_04\",\"subnetId\":\"subnet-babcdefd\",\"type\":\"c5.4xlarge\",\"vpcId\":\"vpc-abcdef01\"}},\"id\":\"i-abcdef0123456789d\",\"partition\":\"aws\",\"region\":\"eu-west-1\",\"tags\":{\"Name\":\"long-running-env-logs\",\"division\":\"engineering\",\"org\":\"security\",\"project\":\"testabc\",\"team\":\"cloud-security-posture\"},\"type\":\"AWS_EC2_INSTANCE\"}],\"severity\":\"CRITICAL\",\"status\":\"ACTIVE\",\"title\":\"CVE-2025-21613 - github.com/go-git/go-git/v5, github.com/go-git/go-git/v5\",\"type\":\"PACKAGE_VULNERABILITY\",\"updatedAt\":1750246253.082}", + "type": [ + "info" + ] + }, + "host": { + "id": "i-abcdef0123456789d", + "ip": [ + "1.128.0.1", + "175.16.199.2" + ], + "name": "long-running-env-logs", + "os": { + "platform": "UBUNTU_24_04" + }, + "type": "c5.4xlarge" + }, + "message": "go-git is a highly extensible git implementation library written in pure Go. An argument injection vulnerability was discovered in go-git versions prior to v5.13. Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags. This only happens when the file transport protocol is being used, as that is the only protocol that shells out to git binaries. 
This vulnerability is fixed in 5.13.0.", + "observer": { + "vendor": "Amazon Inspector" + }, + "package": { + "fixed_version": [ + "5.13.0" + ], + "name": [ + "github.com/go-git/go-git/v5" + ], + "path": [ + "vol-052abcdefabcdef9f:/p1:home/ubuntu/elastic-agent-8.17.3-linux-x86_64/data/elastic-agent-0efe49/components/cloudbeat", + "vol-abcdef0123456789f:/p1:opt/Elastic/Agent/data/elastic-agent-8.17.3-0efe49/components/cloudbeat" + ], + "version": [ + "v5.12.0" + ] + }, + "related": { + "ip": [ + "1.128.0.1", + "175.16.199.2" + ] + }, + "resource": { + "id": "i-abcdef0123456789d", + "name": "long-running-env-logs", + "type": "AWS_EC2_INSTANCE" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "description": "go-git is a highly extensible git implementation library written in pure Go. An argument injection vulnerability was discovered in go-git versions prior to v5.13. Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags. This only happens when the file transport protocol is being used, as that is the only protocol that shells out to git binaries. This vulnerability is fixed in 5.13.0.", + "id": "CVE-2025-21613", + "published_date": "2025-01-06T17:15:47.000Z", + "reference": [ + "https://nvd.nist.gov/vuln/detail/CVE-2025-21613" + ], + "scanner": { + "vendor": "Amazon Inspector" + }, + "score": { + "base": 9.8, + "version": "3.1" + }, + "severity": "Critical", + "title": "CVE-2025-21613 - github.com/go-git/go-git/v5, github.com/go-git/go-git/v5" + } + }, + { + "@timestamp": "2025-06-26T12:42:32.515Z", + "aws": { + "inspector": { + "aws_account_id": "012345678989", + "description": "setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in `PackageIndex` is present in setuptools prior to version 78.1.1. 
An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to remote code execution depending on the context. Version 78.1.1 fixes the issue.", + "epss": { + "score": 0.0012 + }, + "exploit_available": "NO", + "finding_arn": "arn:aws:inspector2:us-east-1:012345678989:finding/194f71676abcdefabcdef01234567895", + "first_observed_at": "2025-06-13T08:46:12.050Z", + "fix_available": "YES", + "inspector_score": 7.5, + "inspector_score_details": { + "adjusted_cvss": { + "cvss_source": "AMAZON_CVE", + "score": { + "source": "AMAZON_CVE", + "value": 7.5 + }, + "scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "version": "3.1" + } + }, + "last_observed_at": "2025-06-26T12:42:32.515Z", + "package_nested": [ + { + "arch": "NOARCH", + "epoch": 0, + "fixed_in_version": "0:59.6.0-2.amzn2023.0.6", + "name": "python3-setuptools", + "package_manager": "OS", + "release": "2.amzn2023.0.5", + "remediation": "sudo dnf check-update", + "source_layer_hash": "sha256:023cba81b02358aa89023184475accbaf4d8b7edba68d1c8981e46747029cc80", + "version": "59.6.0" + }, + { + "arch": "NOARCH", + "epoch": 0, + "fixed_in_version": "0:59.6.0-2.amzn2023.0.6", + "name": "python3-setuptools-wheel", + "package_manager": "OS", + "release": "2.amzn2023.0.5", + "remediation": "sudo dnf check-update", + "source_layer_hash": "sha256:023cba81b02358aa89023184475accbaf4d8b7edba68d1c8981e46747029cc80", + "version": "59.6.0" + } + ], + "package_vulnerability_details": { + "cvss": [ + { + "base_score": 7.5, + "scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "source": "AMAZON_CVE", + "version": "3.1" + }, + { + "base_score": 8.8, + "scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": "NVD", + "version": "3.1" + } + ], + "reference_urls": [ + "https://alas.aws.amazon.com/AL2023/ALAS-2025-1005.html", + 
"https://alas.aws.amazon.com/AL2/ALAS-2025-2877.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2025-1003.html", + "https://alas.aws.amazon.com/cve/json/v1/CVE-2025-47273.json", + "https://alas.aws.amazon.com/AL2023/ALAS-2025-1004.html", + "https://alas.aws.amazon.com/AL2/ALAS-2025-2876.html" + ], + "related_vulnerabilities": [ + "ALAS2-2025-2877", + "ALAS2-2025-2876", + "ALAS2023-2025-1004", + "ALAS2023-2025-1005", + "ALAS2023-2025-1003" + ], + "source": { + "url": { + "domain": "alas.aws.amazon.com", + "extension": "json", + "original": "https://alas.aws.amazon.com/cve/json/v1/CVE-2025-47273.json", + "path": "/cve/json/v1/CVE-2025-47273.json", + "scheme": "https" + }, + "value": "AMAZON_CVE" + }, + "vendor": { + "created_at": "2025-05-17T00:00:00.000Z", + "severity": "Important", + "updated_at": "2025-06-02T00:00:00.000Z" + }, + "vulnerability_id": "CVE-2025-47273", + "vulnerable_packages": [ + { + "arch": "NOARCH", + "epoch": 0, + "fixed_in_version": "0:59.6.0-2.amzn2023.0.6", + "name": "python3-setuptools", + "package_manager": "OS", + "release": "2.amzn2023.0.5", + "remediation": "sudo dnf check-update", + "source_layer_hash": "sha256:023cba81b02358aa89023184475accbaf4d8b7edba68d1c8981e46747029cc80", + "version": "59.6.0" + }, + { + "arch": "NOARCH", + "epoch": 0, + "fixed_in_version": "0:59.6.0-2.amzn2023.0.6", + "name": "python3-setuptools-wheel", + "package_manager": "OS", + "release": "2.amzn2023.0.5", + "remediation": "sudo dnf check-update", + "source_layer_hash": "sha256:023cba81b02358aa89023184475accbaf4d8b7edba68d1c8981e46747029cc80", + "version": "59.6.0" + } + ] + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "resources": [ + { + "details": { + "aws": { + "ecr_container_image": { + "architecture": "amd64", + "image": { + "hash": "sha256:2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824", + "tags": [ + "latest" + ] + }, + "platform": "AMAZON_LINUX_2023", + "pushed_at": "2025-04-17T12:24:47.924Z", + 
"registry": "012345678989", + "repository_name": "orestis-onweek-2" + } + } + }, + "id": "arn:aws:ecr:us-east-1:012345678989:repository/orestis-onweek-2/sha256:2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824", + "partition": "aws", + "region": "us-east-1", + "type": "AWS_ECR_CONTAINER_IMAGE" + } + ], + "severity": "HIGH", + "status": "ACTIVE", + "title": "CVE-2025-47273 - python3-setuptools, python3-setuptools-wheel", + "transform_unique_id": "CVE-2025-47273|arn:aws:ecr:us-east-1:012345678989:repository/orestis-onweek-2/sha256:2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824|{0=python3-setuptools, 1=python3-setuptools-wheel}|{0=59.6.0}", + "type": "PACKAGE_VULNERABILITY", + "updated_at": "2025-06-26T12:42:32.515Z" + } + }, + "cloud": { + "account": { + "id": "012345678989" + }, + "provider": "aws", + "region": "us-east-1" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "id": "CVE-2025-47273|arn:aws:ecr:us-east-1:012345678989:repository/orestis-onweek-2/sha256:2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824|{0=python3-setuptools, 1=python3-setuptools-wheel}|{0=59.6.0}|2025-06-26T12:42:32.515Z", + "kind": "event", + "original": "{\"awsAccountId\":\"012345678989\",\"description\":\"setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in `PackageIndex` is present in setuptools prior to version 78.1.1. An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to remote code execution depending on the context. 
Version 78.1.1 fixes the issue.\",\"epss\":{\"score\":0.0012},\"exploitAvailable\":\"NO\",\"findingArn\":\"arn:aws:inspector2:us-east-1:012345678989:finding/194f71676abcdefabcdef01234567895\",\"firstObservedAt\":1749804372.05,\"fixAvailable\":\"YES\",\"inspectorScore\":7.5,\"inspectorScoreDetails\":{\"adjustedCvss\":{\"adjustments\":[],\"cvssSource\":\"AMAZON_CVE\",\"score\":7.5,\"scoreSource\":\"AMAZON_CVE\",\"scoringVector\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\",\"version\":\"3.1\"}},\"lastObservedAt\":1750941752.515,\"packageVulnerabilityDetails\":{\"cvss\":[{\"baseScore\":7.5,\"scoringVector\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\",\"source\":\"AMAZON_CVE\",\"version\":\"3.1\"},{\"baseScore\":8.8,\"scoringVector\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"source\":\"NVD\",\"version\":\"3.1\"}],\"referenceUrls\":[\"https://alas.aws.amazon.com/AL2023/ALAS-2025-1005.html\",\"https://alas.aws.amazon.com/AL2/ALAS-2025-2877.html\",\"https://alas.aws.amazon.com/AL2023/ALAS-2025-1003.html\",\"https://alas.aws.amazon.com/cve/json/v1/CVE-2025-47273.json\",\"https://alas.aws.amazon.com/AL2023/ALAS-2025-1004.html\",\"https://alas.aws.amazon.com/AL2/ALAS-2025-2876.html\"],\"relatedVulnerabilities\":[\"ALAS2-2025-2877\",\"ALAS2-2025-2876\",\"ALAS2023-2025-1004\",\"ALAS2023-2025-1005\",\"ALAS2023-2025-1003\"],\"source\":\"AMAZON_CVE\",\"sourceUrl\":\"https://alas.aws.amazon.com/cve/json/v1/CVE-2025-47273.json\",\"vendorCreatedAt\":1747440000,\"vendorSeverity\":\"Important\",\"vendorUpdatedAt\":1748822400,\"vulnerabilityId\":\"CVE-2025-47273\",\"vulnerablePackages\":[{\"arch\":\"NOARCH\",\"epoch\":0,\"fixedInVersion\":\"0:59.6.0-2.amzn2023.0.6\",\"name\":\"python3-setuptools\",\"packageManager\":\"OS\",\"release\":\"2.amzn2023.0.5\",\"remediation\":\"sudo dnf 
check-update\",\"sourceLayerHash\":\"sha256:023cba81b02358aa89023184475accbaf4d8b7edba68d1c8981e46747029cc80\",\"version\":\"59.6.0\"},{\"arch\":\"NOARCH\",\"epoch\":0,\"fixedInVersion\":\"0:59.6.0-2.amzn2023.0.6\",\"name\":\"python3-setuptools-wheel\",\"packageManager\":\"OS\",\"release\":\"2.amzn2023.0.5\",\"remediation\":\"sudo dnf check-update\",\"sourceLayerHash\":\"sha256:023cba81b02358aa89023184475accbaf4d8b7edba68d1c8981e46747029cc80\",\"version\":\"59.6.0\"}]},\"remediation\":{\"recommendation\":{\"text\":\"None Provided\"}},\"resources\":[{\"details\":{\"awsEcrContainerImage\":{\"architecture\":\"amd64\",\"imageHash\":\"sha256:2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824\",\"imageTags\":[\"latest\"],\"platform\":\"AMAZON_LINUX_2023\",\"pushedAt\":1744892687.924,\"registry\":\"012345678989\",\"repositoryName\":\"orestis-onweek-2\"}},\"id\":\"arn:aws:ecr:us-east-1:012345678989:repository/orestis-onweek-2/sha256:2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824\",\"partition\":\"aws\",\"region\":\"us-east-1\",\"tags\":{},\"type\":\"AWS_ECR_CONTAINER_IMAGE\"}],\"severity\":\"HIGH\",\"status\":\"ACTIVE\",\"title\":\"CVE-2025-47273 - python3-setuptools, python3-setuptools-wheel\",\"type\":\"PACKAGE_VULNERABILITY\",\"updatedAt\":1750941752.515}", + "type": [ + "info" + ] + }, + "message": "setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in `PackageIndex` is present in setuptools prior to version 78.1.1. An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to remote code execution depending on the context. 
Version 78.1.1 fixes the issue.", + "observer": { + "vendor": "Amazon Inspector" + }, + "package": { + "architecture": [ + "NOARCH" + ], + "fixed_version": [ + "0:59.6.0-2.amzn2023.0.6" + ], + "name": [ + "python3-setuptools", + "python3-setuptools-wheel" + ], + "version": [ + "59.6.0" + ] + }, + "related": { + "hash": [ + "sha256:023cba81b02358aa89023184475accbaf4d8b7edba68d1c8981e46747029cc80", + "sha256:2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824" + ] + }, + "resource": { + "id": "arn:aws:ecr:us-east-1:012345678989:repository/orestis-onweek-2/sha256:2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824", + "type": "AWS_ECR_CONTAINER_IMAGE" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "description": "setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in `PackageIndex` is present in setuptools prior to version 78.1.1. An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to remote code execution depending on the context. Version 78.1.1 fixes the issue.", + "id": "CVE-2025-47273", + "published_date": "2025-05-17T00:00:00.000Z", + "reference": [ + "https://alas.aws.amazon.com/AL2023/ALAS-2025-1005.html", + "https://alas.aws.amazon.com/AL2/ALAS-2025-2877.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2025-1003.html", + "https://alas.aws.amazon.com/cve/json/v1/CVE-2025-47273.json", + "https://alas.aws.amazon.com/AL2023/ALAS-2025-1004.html", + "https://alas.aws.amazon.com/AL2/ALAS-2025-2876.html" + ], + "scanner": { + "vendor": "Amazon Inspector" + }, + "score": { + "base": 7.5, + "version": "3.1" }, - "severity": "basic" + "severity": "High", + "title": "CVE-2025-47273 - python3-setuptools, python3-setuptools-wheel" } } ] -} \ No newline at end of file +} 
diff --git a/packages/aws/data_stream/inspector/_dev/test/system/test-default-config.yml b/packages/aws/data_stream/inspector/_dev/test/system/test-default-config.yml index d0f8cb54039..72e7c07455d 100644 --- a/packages/aws/data_stream/inspector/_dev/test/system/test-default-config.yml +++ b/packages/aws/data_stream/inspector/_dev/test/system/test-default-config.yml @@ -1,7 +1,4 @@ input: httpjson -skip: - reason: "Support backward compatibility of Current AWS package." - link: https://github.com/elastic/integrations/issues/3695 service: inspector vars: secret_access_key: xxxx 
@@ -15,22 +12,20 @@ data_stream: certificate_authorities: - | -----BEGIN CERTIFICATE----- - MIIDUDCCAjgCCQCsyG2Sw6iMvzANBgkqhkiG9w0BAQsFADBqMQswCQYDVQQGEwJY - WDEVMBMGA1UEBwwMRGVmYXVsdCBDaXR5MRwwGgYDVQQKDBNEZWZhdWx0IENvbXBh - bnkgTHRkMSYwJAYDVQQDDB1pbnNwZWN0b3IyLnh4eHguYW1hem9uYXdzLmNvbTAe - Fw0yMjA5MTkxMTE3NDlaFw0yMzA5MTkxMTE3NDlaMGoxCzAJBgNVBAYTAlhYMRUw - EwYDVQQHDAxEZWZhdWx0IENpdHkxHDAaBgNVBAoME0RlZmF1bHQgQ29tcGFueSBM - dGQxJjAkBgNVBAMMHWluc3BlY3RvcjIueHh4eC5hbWF6b25hd3MuY29tMIIBIjAN - BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs65SHVvohc00blWOWaZqqunMMw9G - nZuhvWMvUdkk2FZE4nmkU0QB1VhewV7Yesfbelhq5OYj6NE2hEl0znSUju8CbQHy - LfXH+Wp6zBe7o1lVNXVcb7PHwCx/nThXsohEHCHYRu8d9APbY7doUW0amFQOSHCD - jbqmr1lcOsZ7C57X4A5iQyESaP3ASzYoTitSbsWQWWETq5Kq7Bl2Vm5Pk8p5fg2u - 7cSyY7XtRXxlKW0adAbaOIBe7+JZr5nukUjGWOL139K1Zl/YO/1lxDJvZLwKOffM - zLTX111B0GX9Lmtk/8A0A6yzuL8u5byKEIGCwD/wW30+763y8TgFaWh0nwIDAQAB - MA0GCSqGSIb3DQEBCwUAA4IBAQBY4KpmVFmCneRe0vtlx6FA0Pa2N4oAVgQmNs0r - tySb22AB8c5FBh0KxDYTNRLzVRPOeFxEboDbVVMCIhGHem/EqbxVRiQPP5OJVjqG - VSAhQ9maRxEnPOJ2BxMGm38etP1+TJkbPgIYmZTSswEODYksnqiC6YeoLVMnWDeX - o6y1gqSKdndUHf4FO/RxZfrrXv85GwwpgnNGCjv5o09VxlO1yzXDNlml6KCarWuc - DTMzUkky77XmBVrLVd+YF3jmL9frGB0s6Kud5E691gl9M3hmXJwPnzrEUgUNqrz9 - /eb6vyOPH3qLNpMfE2X12xNJ5cZ5CN7rT37b5Mce4QPNsX2M + MIIC1zCCAb8CFBhBTt6yEnLtREKHvN40F2qLleIdMA0GCSqGSIb3DQEBCwUAMCgx + JjAkBgNVBAMMHWluc3BlY3RvcjIueHh4eC5hbWF6b25hd3MuY29tMB4XDTI1MDYy + NDA5MTQxMloXDTM1MDYyMjA5MTQxMlowKDEmMCQGA1UEAwwdaW5zcGVjdG9yMi54 + eHh4LmFtYXpvbmF3cy5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB + AQCbq5ChvdjWiM2/tpew4HATwk9KBXB2J4s70DaqxWJwLKzUYEGWXbujk9ONptE9 + 7gkaQEGILWB8vjF47499a0WRt6LeC5KYjH5+Z3MoD+0Eixo2j6rh+jyxTBb64QR8 + GUT3oo0cEDOTXFbVF5ooS1Sber2S5Ww5Edm8jKSYuJ8cJxJDghg9Np4sZZ6JBFIq + kftDoLCeCZf4W5u8n9/386g47TzgI7ojGEER3m2TXOPVIA7XooeGisqUiOpTPHWA + 0tctkSdjow+JJQ7oUi5NJJKdJ2cPbpA11kv9/9TYIpKZf+jUu8ZxTwAwbTjPLbyo + qFzle0BYcc4j2zOdKuv4OkPXAgMBAAEwDQYJKoZIhvcNAQELBQADggEBACC7nvmw + 
+4cR7DslQ6pGRIHbB23yK7ro3cFWqgcxsYg3ntbAJitgKuROWi/rv2vhOB0SfuHT + 9Oc/jcOIilgGni+mfOSTySIYT7B4OeYDjIonYzBsykSWjbt+QtHjJlRwNhZm38ws + fG/nIjC69GCIS3BUqo9dxgnyCdHn+hO3rO8mE58MKVA/iq7uDuFIdLrU+xY1LFUT + yb9ZRr3XMjgNFiC3LWnQDycxecFZo4OJcRETyGuwL+HcOybcO00ZOoGHMcemVjTA + JPlgUImmsN+vezO92i2adepyb75vEbEbILQyz9G1WCg6MA9UWrdT9LtwOxq2+pCt + KsEFaVXtUm4/YSo= -----END CERTIFICATE----- diff --git a/packages/aws/data_stream/inspector/agent/stream/httpjson.yml.hbs b/packages/aws/data_stream/inspector/agent/stream/httpjson.yml.hbs index 27b3a67fe18..a9d60cf4efc 100644 --- a/packages/aws/data_stream/inspector/agent/stream/httpjson.yml.hbs +++ b/packages/aws/data_stream/inspector/agent/stream/httpjson.yml.hbs @@ -1,9 +1,9 @@ config_version: 2 interval: {{interval}} -{{#if enable_request_tracer}} -request.tracer.filename: "../../logs/httpjson/http-request-trace-*.ndjson" -request.tracer.maxbackups: 5 -{{/if}} +request.tracer: + enabled: {{enable_request_tracer}} + filename: "../../logs/httpjson/http-request-trace-*.ndjson" + maxbackups: 5 request.timeout: {{http_client_timeout}} request.method: POST diff --git a/packages/aws/data_stream/inspector/elasticsearch/ingest_pipeline/default.yml b/packages/aws/data_stream/inspector/elasticsearch/ingest_pipeline/default.yml index 2e05e5a36ce..769eb4cf69e 100644 --- a/packages/aws/data_stream/inspector/elasticsearch/ingest_pipeline/default.yml +++ b/packages/aws/data_stream/inspector/elasticsearch/ingest_pipeline/default.yml 
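Review bot: The tracer block in `httpjson.yml.hbs` is now always rendered and `enabled: {{enable_request_tracer}}` is interpolated unquoted, so an unset variable would render `enabled:` (null) rather than `false`. The default for `enable_request_tracer` is declared outside this diff section, so that is worth confirming. Request traces record HTTP requests and responses for a data stream that authenticates with an AWS access key and secret key, so the files under `../../logs/httpjson/` should be treated as sensitive. I would add a comment above the block: `# Request tracing writes HTTP requests and responses to disk; enable for debugging only.`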
@@ -1,36 +1,82 @@ --- -description: Pipeline for processing AWS Inspector Findings logs. +description: Pipeline for processing Amazon Inspector Findings logs. processors: + - remove: + field: + - organization + - division + - team + ignore_missing: true + if: ctx.organization instanceof String && ctx.division instanceof String && ctx.team instanceof String + tag: remove_agentless_tags + description: >- + Removes the fields added by Agentless as metadata, + as they can collide with ECS fields. - set: field: ecs.version + tag: set_ecs_version value: '8.11.0' - set: field: event.kind + tag: set_event_kind value: event - - set: + - append: + field: event.category + tag: append_vulnerability_into_event_category + value: vulnerability + - append: field: event.type - value: [info] + tag: append_info_into_event_type + value: info + - set: + field: observer.vendor + tag: set_observer_vendor + value: Amazon Inspector + - set: + field: vulnerability.scanner.vendor + tag: set_vulnerability_scanner_vendor + value: Amazon Inspector + # Remove cloud.* fields populated by beat. + # These fields correspond to EA rather than AWS hosts and could be misleading. + - remove: + field: cloud + tag: remove_cloud_fields + ignore_missing: true + description: Remove ECS cloud fields that are populated from EA metadata. + - set: + field: cloud.provider + tag: set_cloud_provider + value: aws - rename: field: message + tag: rename_message_to_event_original target_field: event.original ignore_missing: true - if: 'ctx.event?.original == null' + description: Renames the original `message` field to `event.original` to store a copy of the original message. The `event.original` field is not touched if the document already has one; it may happen when Logstash sends the document. 
+ if: ctx.event?.original == null - remove: field: message + tag: remove_message ignore_missing: true - if: 'ctx.event?.original != null' - description: 'The `message` field is no longer required if the document has an `event.original` field.' + description: The `message` field is no longer required if the document has an `event.original` field. + if: ctx.event?.original != null - json: field: event.original + tag: json_event_original target_field: json - ignore_failure: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - fingerprint: fields: - event.original + tag: fingerprint_inspector target_field: _id ignore_missing: true - date: field: json.updatedAt + tag: date_updatedAt if: ctx.json?.updatedAt != null && ctx.json.updatedAt != '' target_field: aws.inspector.updated_at formats: 
@@ -40,64 +86,212 @@ processors: on_failure: - append: field: error.message - value: '{{{_ingest.on_failure_message}}}' + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - set: field: '@timestamp' + tag: set_@timestamp_from_updated_at copy_from: aws.inspector.updated_at - ignore_failure: true + ignore_empty_value: true - rename: field: json.description + tag: rename_description target_field: aws.inspector.description ignore_missing: true - set: field: message + tag: set_message_from_description copy_from: aws.inspector.description - ignore_failure: true + ignore_empty_value: true + - set: + field: vulnerability.description + tag: set_vulnerability_description + copy_from: aws.inspector.description + ignore_empty_value: true - rename: field: json.awsAccountId + tag: rename_awsAccountId target_field: aws.inspector.aws_account_id ignore_missing: true - set: field: cloud.account.id + tag: set_cloud_account_id_from_aws_account_id copy_from: aws.inspector.aws_account_id - ignore_failure: true + ignore_empty_value: true - rename: field: json.severity + tag: rename_severity target_field: aws.inspector.severity ignore_missing: true + - script: + description: Map vulnerability.severity to CVSS standard + tag: script_to_map_severity_to_CVSS + lang: painless + if: ctx.aws?.inspector?.severity != null + source: > + String severity = ctx.aws.inspector.severity.toLowerCase(); + if (severity == 'untriaged') { + ctx.vulnerability.put('severity', 'Unknown'); + } else if (severity == 'informational') { + ctx.vulnerability.put('severity', 'Low'); + } else if (severity == 'low') { + ctx.vulnerability.put('severity', 'Low'); + } else if (severity == 'medium') { + ctx.vulnerability.put('severity', 'Medium'); + } else if (severity == 'high') { + ctx.vulnerability.put('severity', 'High'); + } else if (severity == 'critical') { + 
ctx.vulnerability.put('severity', 'Critical'); + } + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - rename: field: json.networkReachabilityDetails.protocol + tag: rename_networkReachabilityDetails_protocol target_field: aws.inspector.network_reachability_details.protocol ignore_missing: true - set: field: network.transport + tag: set_network_transport_from_network_reachability_details_protocol copy_from: aws.inspector.network_reachability_details.protocol - ignore_failure: true + ignore_empty_value: true - lowercase: field: network.transport + tag: lowercase_network_transport + ignore_missing: true + - rename: + field: json.codeVulnerabilityDetails.cwes + tag: rename_codeVulnerabilityDetails_cwes + target_field: aws.inspector.code_vulnerability_details.cwes + ignore_missing: true + - rename: + field: json.codeVulnerabilityDetails.detectorId + tag: rename_codeVulnerabilityDetails_detectorId + target_field: aws.inspector.code_vulnerability_details.detector_id + ignore_missing: true + - rename: + field: json.codeVulnerabilityDetails.detectorName + tag: rename_codeVulnerabilityDetails_detectorName + target_field: aws.inspector.code_vulnerability_details.detector_name + ignore_missing: true + - rename: + field: json.codeVulnerabilityDetails.detectorTags + tag: rename_codeVulnerabilityDetails_detectorTags + target_field: aws.inspector.code_vulnerability_details.detector_tags + ignore_missing: true + - convert: + field: json.codeVulnerabilityDetails.filePath.endLine + tag: convert_codeVulnerabilityDetails_filePath_endLine_to_long + type: long + target_field: aws.inspector.code_vulnerability_details.file_path.end_line + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag 
{{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.codeVulnerabilityDetails.filePath.fileName + tag: rename_codeVulnerabilityDetails_filePath_fileName + target_field: aws.inspector.code_vulnerability_details.file_path.name + ignore_missing: true + - rename: + field: json.codeVulnerabilityDetails.filePath.filePath + tag: rename_codeVulnerabilityDetails_filePath_filePath + target_field: aws.inspector.code_vulnerability_details.file_path.path + ignore_missing: true + - convert: + field: json.codeVulnerabilityDetails.filePath.startLine + tag: convert_codeVulnerabilityDetails_filePath_startLine_to_long + type: long + target_field: aws.inspector.code_vulnerability_details.file_path.start_line + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.codeVulnerabilityDetails.referenceUrls + tag: rename_codeVulnerabilityDetails_referenceUrls + target_field: aws.inspector.code_vulnerability_details.reference_urls + ignore_missing: true + - rename: + field: json.codeVulnerabilityDetails.ruleId + tag: rename_codeVulnerabilityDetails_ruleId + target_field: aws.inspector.code_vulnerability_details.rule_id + ignore_missing: true + - rename: + field: json.codeVulnerabilityDetails.sourceLambdaLayerArn + tag: rename_codeVulnerabilityDetails_sourceLambdaLayerArn + target_field: aws.inspector.code_vulnerability_details.source_lambda_layer_arn + ignore_missing: true + - convert: + field: json.epss.score + tag: convert_epss_score_to_double + type: double + target_field: aws.inspector.epss.score + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with 
tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: json.exploitabilityDetails.lastKnownExploitAt + tag: date_exploitabilityDetails_lastKnownExploitAt + if: ctx.json?.exploitabilityDetails?.lastKnownExploitAt != null && ctx.json.exploitabilityDetails.lastKnownExploitAt != '' + target_field: aws.inspector.exploitability_details.last_known_exploit_at + formats: + - ISO8601 + - UNIX + - yyyy-MM-dd'T'HH:mm:ss.SSS'Z' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.exploitAvailable + tag: rename_exploitAvailable + target_field: aws.inspector.exploit_available ignore_missing: true - rename: field: json.packageVulnerabilityDetails.referenceUrls + tag: rename_packageVulnerabilityDetails_referenceUrls target_field: aws.inspector.package_vulnerability_details.reference_urls ignore_missing: true - set: field: vulnerability.reference + tag: set_vulnerability_reference_from_package_vulnerability_details_reference_urls copy_from: aws.inspector.package_vulnerability_details.reference_urls - ignore_failure: true + ignore_empty_value: true - rename: field: json.packageVulnerabilityDetails.vulnerabilityId + tag: rename_packageVulnerabilityDetails_vulnerabilityId target_field: aws.inspector.package_vulnerability_details.vulnerability_id ignore_missing: true - set: field: vulnerability.id + tag: set_vulnerability_id_from_package_vulnerability_details_vulnerability_id + copy_from: aws.inspector.package_vulnerability_details.vulnerability_id + ignore_empty_value: true + - set: + field: vulnerability.cve + tag: set_vulnerability_cve_from_package_vulnerability_details_vulnerability_id copy_from: 
aws.inspector.package_vulnerability_details.vulnerability_id - ignore_failure: true + ignore_empty_value: true + if: ctx.aws?.inspector?.type == 'PACKAGE_VULNERABILITY' && ctx.aws.inspector.package_vulnerability_details?.vulnerability_id?.startsWith('CVE') == true + - set: + field: vulnerability.enumeration + tag: set_vulnerability_enumeration + value: CVE + if: ctx.vulnerability?.cve != null - rename: field: json.findingArn + tag: rename_findingArn target_field: aws.inspector.finding_arn ignore_missing: true - date: field: json.firstObservedAt + tag: date_firstObservedAt if: ctx.json?.firstObservedAt != null && ctx.json.firstObservedAt != '' target_field: aws.inspector.first_observed_at formats: 
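Review bot: `set_vulnerability_cve` is guarded by `ctx.aws?.inspector?.type == 'PACKAGE_VULNERABILITY'`, but no processor above it in the visible pipeline populates `aws.inspector.type`, so the guard looks like it can never be true here. That would leave `vulnerability.cve` and the dependent `vulnerability.enumeration` unset. The expected event for CVE-2025-47273 in this same commit has `vulnerability.id` and `vulnerability.score.base` but no `cve`, `enumeration` or `classification`, which is consistent with that reading. `set_vulnerability_classification` in the `@@ -107,51 +301,75 @@` hunk uses the same guard. If `json.type` is renamed later in the file (not visible here), either move that rename above these processors or test the raw field, e.g. `if: ctx.json?.type == 'PACKAGE_VULNERABILITY' && ...`.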
@@ -107,51 +301,75 @@ processors: on_failure: - append: field: error.message - value: '{{{_ingest.on_failure_message}}}' + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - rename: field: json.fixAvailable + tag: rename_fixAvailable target_field: aws.inspector.fix_available ignore_missing: true - convert: field: json.inspectorScore + tag: convert_inspectorScore_to_double type: double target_field: aws.inspector.inspector_score ignore_missing: true on_failure: - append: field: error.message - value: '{{{_ingest.on_failure_message}}}' + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - rename: field: json.inspectorScoreDetails.adjustedCvss.adjustments + tag: rename_inspectorScoreDetails_adjustedCvss_adjustments target_field: aws.inspector.inspector_score_details.adjusted_cvss.adjustments ignore_missing: true - rename: field: json.inspectorScoreDetails.adjustedCvss.cvssSource + tag: rename_inspectorScoreDetails_adjustedCvss_cvssSource target_field: aws.inspector.inspector_score_details.adjusted_cvss.cvss_source ignore_missing: true - convert: field: json.inspectorScoreDetails.adjustedCvss.score + tag: convert_inspectorScoreDetails_adjustedCvss_score_to_double type: double target_field: aws.inspector.inspector_score_details.adjusted_cvss.score.value ignore_missing: true on_failure: - append: field: error.message - value: '{{{_ingest.on_failure_message}}}' + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: vulnerability.score.base + tag: set_vulnerability_score_base + copy_from: 
aws.inspector.inspector_score_details.adjusted_cvss.score.value + ignore_empty_value: true + - set: + field: vulnerability.classification + tag: set_vulnerability_classification + value: CVSS + if: ctx.aws?.inspector?.type == 'PACKAGE_VULNERABILITY' && ctx.aws.inspector.inspector_score_details?.adjusted_cvss?.score?.value != null - rename: field: json.inspectorScoreDetails.adjustedCvss.scoreSource + tag: rename_inspectorScoreDetails_adjustedCvss_scoreSource target_field: aws.inspector.inspector_score_details.adjusted_cvss.score.source ignore_missing: true - rename: field: json.inspectorScoreDetails.adjustedCvss.scoringVector + tag: rename_inspectorScoreDetails_adjustedCvss_scoringVector target_field: aws.inspector.inspector_score_details.adjusted_cvss.scoring_vector ignore_missing: true - rename: field: json.inspectorScoreDetails.adjustedCvss.version + tag: rename_inspectorScoreDetails_adjustedCvss_version target_field: aws.inspector.inspector_score_details.adjusted_cvss.version ignore_missing: true + - set: + field: vulnerability.score.version + tag: set_vulnerability_score_version + copy_from: aws.inspector.inspector_score_details.adjusted_cvss.version + ignore_empty_value: true - date: field: json.lastObservedAt + tag: date_lastObservedAt if: ctx.json?.lastObservedAt != null && ctx.json.lastObservedAt != '' target_field: aws.inspector.last_observed_at formats: 
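Review bot: `set_vulnerability_score_base` copies Inspector's adjusted CVSS score (`inspector_score_details.adjusted_cvss.score.value`) into `vulnerability.score.base`, so the ECS base score can differ from the per-source scores kept under `package_vulnerability_details.cvss`. In the expected event in this commit it is 7.5 while the NVD entry for the same CVE is 8.8. Anyone prioritising on `vulnerability.score.base` should know which source it reflects, so I would add a comment above the processor: `# vulnerability.score.base carries Amazon Inspector's adjusted CVSS score, not the NVD base score.`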
@@ -161,54 +379,66 @@ processors: on_failure: - append: field: error.message - value: '{{{_ingest.on_failure_message}}}' + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - foreach: field: json.networkReachabilityDetails.networkPath.steps if: ctx.json?.networkReachabilityDetails?.networkPath?.steps instanceof List - ignore_failure: true processor: rename: field: _ingest._value.componentId + tag: rename_networkReachabilityDetails_networkPath_steps_componentId target_field: _ingest._value.component.id ignore_missing: true - foreach: field: json.networkReachabilityDetails.networkPath.steps if: ctx.json?.networkReachabilityDetails?.networkPath?.steps instanceof List - ignore_failure: true processor: rename: field: _ingest._value.componentType + tag: rename_networkReachabilityDetails_networkPath_steps_componentType target_field: _ingest._value.component.type ignore_missing: true + - foreach: + field: json.networkReachabilityDetails.networkPath.steps + if: ctx.json?.networkReachabilityDetails?.networkPath?.steps instanceof List + processor: + rename: + field: _ingest._value.componentArn + tag: rename_networkReachabilityDetails_networkPath_steps_componentArn + target_field: _ingest._value.component.arn + ignore_missing: true - rename: field: json.networkReachabilityDetails.networkPath.steps + tag: rename_networkReachabilityDetails_networkPath_steps target_field: aws.inspector.network_reachability_details.network_path.steps ignore_missing: true - convert: field: json.networkReachabilityDetails.openPortRange.begin + tag: convert_networkReachabilityDetails_openPortRange_begin_to_long type: long target_field: aws.inspector.network_reachability_details.open_port_range.begin ignore_missing: true on_failure: - append: field: error.message - value: '{{{_ingest.on_failure_message}}}' + value: 'Processor 
{{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - convert: field: json.networkReachabilityDetails.openPortRange.end + tag: convert_networkReachabilityDetails_openPortRange_end_to_long type: long target_field: aws.inspector.network_reachability_details.open_port_range.end ignore_missing: true on_failure: - append: field: error.message - value: '{{{_ingest.on_failure_message}}}' + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - foreach: field: json.packageVulnerabilityDetails.cvss if: ctx.json?.packageVulnerabilityDetails?.cvss instanceof List - ignore_failure: true processor: convert: field: _ingest._value.baseScore + tag: convert_packageVulnerabilityDetails_cvss_baseScore_to_double type: double target_field: _ingest._value.base_score ignore_missing: true 
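Review bot: The `foreach` processors over `networkPath.steps` and `packageVulnerabilityDetails.cvss` drop `ignore_failure: true` without gaining an `on_failure` handler, unlike the `convert` processors around them. A failure in the inner `rename` (for example a list element that is not an object) would now stop the pipeline for that finding and hand it to whatever pipeline-level handler exists outside this hunk, skipping the later field mappings. The `foreach` itself also carries no `tag`, only the inner processor does. If surfacing the error is the intent, each `foreach` could take the same `on_failure` append to `error.message` used elsewhere in the file. The hunks at `@@ -218,70 +448,47 @@` and `@@ -323,63 +534,125 @@` follow the same pattern.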
@@ -218,70 +448,47 @@ processors: ignore_missing: true - append: field: error.message - value: '{{{_ingest.on_failure_message}}}' + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - foreach: field: json.packageVulnerabilityDetails.cvss if: ctx.json?.packageVulnerabilityDetails?.cvss instanceof List - ignore_failure: true processor: remove: field: _ingest._value.baseScore + tag: remove_packageVulnerabilityDetails_cvss_baseScore ignore_missing: true - foreach: field: json.packageVulnerabilityDetails.cvss if: ctx.json?.packageVulnerabilityDetails?.cvss instanceof List - ignore_failure: true - processor: - append: - field: vulnerability.score.base - value: '{{{_ingest._value.base_score}}}' - allow_duplicates: true - ignore_failure: true - - convert: - field: vulnerability.score.base - type: double - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - foreach: - field: json.packageVulnerabilityDetails.cvss - if: ctx.json?.packageVulnerabilityDetails?.cvss instanceof List - ignore_failure: true - processor: - append: - field: vulnerability.score.version - value: '{{{_ingest._value.version}}}' - allow_duplicates: true - ignore_failure: true - - foreach: - field: json.packageVulnerabilityDetails.cvss - if: ctx.json?.packageVulnerabilityDetails?.cvss instanceof List - ignore_failure: true processor: rename: field: _ingest._value.scoringVector + tag: rename_packageVulnerabilityDetails_cvss_scoringVector target_field: _ingest._value.scoring_vector ignore_missing: true - rename: field: json.packageVulnerabilityDetails.cvss + tag: rename_packageVulnerabilityDetails_cvss target_field: aws.inspector.package_vulnerability_details.cvss ignore_missing: true - rename: field: json.networkReachabilityDetails.networkPath.steps + tag: 
rename_networkReachabilityDetails_networkPath_steps target_field: aws.inspector.network_reachability_details.network_path.steps ignore_missing: true - rename: field: json.packageVulnerabilityDetails.relatedVulnerabilities + tag: rename_packageVulnerabilityDetails_relatedVulnerabilities target_field: aws.inspector.package_vulnerability_details.related_vulnerabilities ignore_missing: true - rename: field: json.packageVulnerabilityDetails.source + tag: rename_packageVulnerabilityDetails_source target_field: aws.inspector.package_vulnerability_details.source.value ignore_missing: true - uri_parts: field: json.packageVulnerabilityDetails.sourceUrl + tag: uri_parts_packageVulnerabilityDetails_sourceUrl target_field: aws.inspector.package_vulnerability_details.source.url if: ctx.json?.packageVulnerabilityDetails?.sourceUrl != null keep_original: true @@ -291,9 +498,10 @@ processors: ignore_missing: true - append: field: error.message - value: '{{{_ingest.on_failure_message}}}' + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - date: field: json.packageVulnerabilityDetails.vendorCreatedAt + tag: date_packageVulnerabilityDetails_vendorCreatedAt if: ctx.json?.packageVulnerabilityDetails?.vendorCreatedAt != null && ctx.json.packageVulnerabilityDetails.vendorCreatedAt != '' target_field: aws.inspector.package_vulnerability_details.vendor.created_at formats: 
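Review bot: The second `rename` of `json.networkReachabilityDetails.networkPath.steps` gets the tag `rename_networkReachabilityDetails_networkPath_steps`, which the identical processor in the `@@ -161,54 +379,66 @@` hunk already uses. Two processors sharing a tag make `_ingest.on_failure_processor_tag` ambiguous in the new error messages. This copy also looks like a no-op, because the source field has already been moved by the earlier rename. I would delete the duplicate processor, or at least give it a distinct tag.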
@@ -303,17 +511,20 @@ processors: on_failure: - append: field: error.message - value: '{{{_ingest.on_failure_message}}}' + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: vulnerability.published_date + tag: set_vulnerability_published_date + copy_from: aws.inspector.package_vulnerability_details.vendor.created_at + ignore_empty_value: true - rename: field: json.packageVulnerabilityDetails.vendorSeverity + tag: rename_packageVulnerabilityDetails_vendorSeverity target_field: aws.inspector.package_vulnerability_details.vendor.severity ignore_missing: true - - set: - field: vulnerability.severity - copy_from: aws.inspector.package_vulnerability_details.vendor.severity - ignore_failure: true - date: field: json.packageVulnerabilityDetails.vendorUpdatedAt + tag: date_packageVulnerabilityDetails_vendorUpdatedAt if: ctx.json?.packageVulnerabilityDetails?.vendorUpdatedAt!= null && ctx.json.packageVulnerabilityDetails.vendorUpdatedAt != '' target_field: aws.inspector.package_vulnerability_details.vendor.updated_at formats: 
@@ -323,63 +534,125 @@ processors: on_failure: - append: field: error.message - value: '{{{_ingest.on_failure_message}}}' + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - foreach: field: json.packageVulnerabilityDetails.vulnerablePackages if: ctx.json?.packageVulnerabilityDetails?.vulnerablePackages instanceof List - ignore_failure: true processor: rename: field: _ingest._value.filePath + tag: rename_packageVulnerabilityDetails_vulnerablePackages_filePath target_field: _ingest._value.file_path ignore_missing: true - foreach: field: json.packageVulnerabilityDetails.vulnerablePackages if: ctx.json?.packageVulnerabilityDetails?.vulnerablePackages instanceof List - ignore_failure: true processor: rename: field: _ingest._value.fixedInVersion - target_field: _ingest._value.fixed_inversion + tag: rename_packageVulnerabilityDetails_vulnerablePackages_fixedInVersion + target_field: _ingest._value.fixed_in_version ignore_missing: true - foreach: field: json.packageVulnerabilityDetails.vulnerablePackages if: ctx.json?.packageVulnerabilityDetails?.vulnerablePackages instanceof List - ignore_failure: true processor: rename: field: _ingest._value.packageManager + tag: rename_packageVulnerabilityDetails_vulnerablePackages_packageManager target_field: _ingest._value.package_manager ignore_missing: true - foreach: field: json.packageVulnerabilityDetails.vulnerablePackages if: ctx.json?.packageVulnerabilityDetails?.vulnerablePackages instanceof List - ignore_failure: true + processor: + rename: + field: _ingest._value.sourceLambdaLayerArn + tag: rename_packageVulnerabilityDetails_vulnerablePackages_sourceLambdaLayerArn + target_field: _ingest._value.source_lambda_layer_arn + ignore_missing: true + - foreach: + field: json.packageVulnerabilityDetails.vulnerablePackages + if: 
ctx.json?.packageVulnerabilityDetails?.vulnerablePackages instanceof List processor: rename: field: _ingest._value.sourceLayerHash + tag: rename_packageVulnerabilityDetails_vulnerablePackages_sourceLayerHash target_field: _ingest._value.source_layer_hash ignore_missing: true - foreach: field: json.packageVulnerabilityDetails.vulnerablePackages if: ctx.json?.packageVulnerabilityDetails?.vulnerablePackages instanceof List - ignore_failure: true processor: append: field: related.hash + tag: append_packageVulnerabilityDetails_vulnerablePackages_source_layer_hash_into_related_hash value: '{{{_ingest._value.source_layer_hash}}}' allow_duplicates: false - ignore_failure: true - rename: field: json.packageVulnerabilityDetails.vulnerablePackages + tag: rename_packageVulnerabilityDetails_vulnerablePackages target_field: aws.inspector.package_vulnerability_details.vulnerable_packages ignore_missing: true + # Introduce aws.inspector.package_nested field with nested type to associate relationship between version, name, fixed_version, path, etc. 
+ - set: + field: aws.inspector.package_nested + tag: set_package_nested_from_package_vulnerability_details_vulnerable_packages + copy_from: aws.inspector.package_vulnerability_details.vulnerable_packages + ignore_empty_value: true + - foreach: + field: aws.inspector.package_vulnerability_details.vulnerable_packages + if: ctx.aws?.inspector?.package_vulnerability_details?.vulnerable_packages instanceof List + processor: + append: + field: package.architecture + tag: append_package_vulnerability_details_vulnerable_packages_arch_into_package_architecture + value: '{{{_ingest._value.arch}}}' + allow_duplicates: false + - foreach: + field: aws.inspector.package_vulnerability_details.vulnerable_packages + if: ctx.aws?.inspector?.package_vulnerability_details?.vulnerable_packages instanceof List + processor: + append: + field: package.name + tag: append_package_vulnerability_details_vulnerable_packages_name_into_package_name + value: '{{{_ingest._value.name}}}' + allow_duplicates: false + - foreach: + field: aws.inspector.package_vulnerability_details.vulnerable_packages + if: ctx.aws?.inspector?.package_vulnerability_details?.vulnerable_packages instanceof List + processor: + append: + field: package.version + tag: append_package_vulnerability_details_vulnerable_packages_version_into_package_version + value: '{{{_ingest._value.version}}}' + allow_duplicates: false + - foreach: + field: aws.inspector.package_vulnerability_details.vulnerable_packages + if: ctx.aws?.inspector?.package_vulnerability_details?.vulnerable_packages instanceof List + processor: + append: + field: package.path + tag: append_package_vulnerability_details_vulnerable_packages_file_path_into_package_path + value: '{{{_ingest._value.file_path}}}' + allow_duplicates: false + - foreach: + field: aws.inspector.package_vulnerability_details.vulnerable_packages + if: ctx.aws?.inspector?.package_vulnerability_details?.vulnerable_packages instanceof List + processor: + append: + field: package.fixed_version 
+ tag: append_package_vulnerability_details_vulnerable_packages_fixed_in_version_into_package_fixed_version + value: '{{{_ingest._value.fixed_in_version}}}' + allow_duplicates: false - rename: field: json.remediation.recommendation.text + tag: rename_remediation_recommendation_text target_field: aws.inspector.remediation.recommendation.text ignore_missing: true - uri_parts: field: json.remediation.recommendation.Url + tag: uri_parts_remediation_recommendation_Url target_field: aws.inspector.remediation.recommendation.url if: ctx.json?.remediation?.recommendation?.Url != null keep_original: true 
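Review bot: The comment above the `set` that creates `aws.inspector.package_nested` says what the field is but not why consumers need it. The five `foreach`/`append` processors that follow write `package.architecture`, `package.name`, `package.version`, `package.path` and `package.fixed_version` with `allow_duplicates: false`, so two vulnerable packages that share a version or architecture collapse into one entry and the flattened arrays can no longer be paired by position. I would extend the comment to something like `# package.* arrays are de-duplicated and must not be correlated by index; use aws.inspector.package_nested to match a name with its version and fixed_version.` Anyone triaging on "which package, at which fixed version" then queries the nested field, not the flattened arrays. The processors list itself starts outside this hunk.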
@@ -389,290 +662,591 @@ processors: ignore_missing: true - append: field: error.message - value: '{{{_ingest.on_failure_message}}}' + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - foreach: field: json.resources if: ctx.json?.resources instanceof List - ignore_failure: true processor: rename: field: _ingest._value.details.awsEc2Instance.iamInstanceProfileArn + tag: rename_resources_details_awsEc2Instance_iamInstanceProfileArn target_field: _ingest._value.details.aws.ec2_instance.iam_instance_profile_arn ignore_missing: true - foreach: field: json.resources if: ctx.json?.resources instanceof List - ignore_failure: true processor: rename: field: _ingest._value.details.awsEc2Instance.imageId + tag: rename_resources_details_awsEc2Instance_imageId target_field: _ingest._value.details.aws.ec2_instance.image_id ignore_missing: true - foreach: field: json.resources if: ctx.json?.resources instanceof List - ignore_failure: true processor: rename: field: _ingest._value.details.awsEc2Instance.ipV4Addresses + tag: rename_resources_details_awsEc2Instance_ipV4Addresses target_field: _ingest._value.details.aws.ec2_instance.ipv4_addresses ignore_missing: true - foreach: field: json.resources if: ctx.json?.resources instanceof List - ignore_failure: true processor: foreach: field: _ingest._value.details.aws.ec2_instance.ipv4_addresses - ignore_failure: true + ignore_missing: true processor: convert: field: _ingest._value - target_field: _ingest._value + tag: convert_details_aws_ec2_instance_ipv4_addresses_to_ip type: ip - ignore_failure: true + on_failure: + - remove: + field: _ingest._value + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: 
{{{_ingest.on_failure_message}}}' - foreach: field: json.resources if: ctx.json?.resources instanceof List - ignore_failure: true processor: foreach: field: _ingest._value.details.aws.ec2_instance.ipv4_addresses - ignore_failure: true + ignore_missing: true processor: append: field: related.ip + tag: append_resources_details_aws_ec2_instance_ipv4_addresses_into_related_ip value: '{{{_ingest._value}}}' allow_duplicates: false - ignore_failure: true - foreach: field: json.resources if: ctx.json?.resources instanceof List - ignore_failure: true processor: rename: field: _ingest._value.details.awsEc2Instance.ipV6Addresses + tag: rename_resources_details_awsEc2Instance_ipV6Addresses target_field: _ingest._value.details.aws.ec2_instance.ipv6_addresses ignore_missing: true - foreach: field: json.resources if: ctx.json?.resources instanceof List - ignore_failure: true processor: foreach: field: _ingest._value.details.aws.ec2_instance.ipv6_addresses - ignore_failure: true + ignore_missing: true processor: convert: field: _ingest._value - target_field: _ingest._value + tag: convert_details_aws_ec2_instance_ipv6_addresses_to_ip type: ip - ignore_failure: true + on_failure: + - remove: + field: _ingest._value + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - foreach: field: json.resources if: ctx.json?.resources instanceof List - ignore_failure: true processor: foreach: field: _ingest._value.details.aws.ec2_instance.ipv6_addresses - ignore_failure: true + ignore_missing: true processor: append: field: related.ip + tag: append_resources_details_aws_ec2_instance_ipv6_addresses_into_related_ip value: '{{{_ingest._value}}}' allow_duplicates: false - ignore_failure: true - foreach: field: json.resources if: ctx.json?.resources instanceof List - ignore_failure: true processor: rename: 
field: _ingest._value.details.awsEc2Instance.keyName + tag: rename_resources_details_awsEc2Instance_keyName target_field: _ingest._value.details.aws.ec2_instance.key_name ignore_missing: true - foreach: field: json.resources if: ctx.json?.resources instanceof List - ignore_failure: true processor: date: field: _ingest._value.details.awsEc2Instance.launchedAt + tag: date_resources_details_awsEc2Instance_launchedAt target_field: _ingest._value.details.aws.ec2_instance.launched_at formats: - ISO8601 - UNIX - yyyy-MM-dd'T'HH:mm:ss.SSS'Z' - ignore_failure: true - - foreach: - field: json.resources - if: ctx.json?.resources instanceof List - ignore_failure: true - processor: - remove: - field: - - _ingest._value.details.awsEc2Instance.launchedAt - ignore_missing: true + on_failure: + - remove: + field: _ingest._value.details.awsEc2Instance.launchedAt + ignore_missing: true - foreach: field: json.resources if: ctx.json?.resources instanceof List - ignore_failure: true processor: rename: field: _ingest._value.details.awsEc2Instance.platform + tag: rename_resources_details_awsEc2Instance_platform target_field: _ingest._value.details.aws.ec2_instance.platform ignore_missing: true - foreach: field: json.resources if: ctx.json?.resources instanceof List - ignore_failure: true processor: rename: field: _ingest._value.details.awsEc2Instance.subnetId + tag: rename_resources_details_awsEc2Instance_subnetId target_field: _ingest._value.details.aws.ec2_instance.subnet_id ignore_missing: true - foreach: field: json.resources if: ctx.json?.resources instanceof List - ignore_failure: true processor: rename: field: _ingest._value.details.awsEc2Instance.type + tag: rename_resources_details_awsEc2Instance_type target_field: _ingest._value.details.aws.ec2_instance.type ignore_missing: true - foreach: field: json.resources if: ctx.json?.resources instanceof List - ignore_failure: true processor: rename: field: _ingest._value.details.awsEc2Instance.vpcId + tag: 
rename_resources_details_awsEc2Instance_vpcId target_field: _ingest._value.details.aws.ec2_instance.vpc_id ignore_missing: true - foreach: field: json.resources if: ctx.json?.resources instanceof List - ignore_failure: true processor: rename: field: _ingest._value.details.awsEcrContainerImage.architecture + tag: rename_resources_details_awsEcrContainerImage_architecture target_field: _ingest._value.details.aws.ecr_container_image.architecture ignore_missing: true - foreach: field: json.resources if: ctx.json?.resources instanceof List - ignore_failure: true processor: rename: field: _ingest._value.details.awsEcrContainerImage.author + tag: rename_resources_details_awsEcrContainerImage_author target_field: _ingest._value.details.aws.ecr_container_image.author ignore_missing: true - foreach: field: json.resources if: ctx.json?.resources instanceof List - ignore_failure: true processor: rename: field: _ingest._value.details.awsEcrContainerImage.imageHash + tag: rename_resources_details_awsEcrContainerImage_imageHash target_field: _ingest._value.details.aws.ecr_container_image.image.hash ignore_missing: true - foreach: field: json.resources if: ctx.json?.resources instanceof List - ignore_failure: true processor: append: field: related.hash + tag: append_resources_details_awsEcrContainerImage_imageHash_into_related_hash value: '{{{_ingest._value.details.aws.ecr_container_image.image.hash}}}' allow_duplicates: false - ignore_failure: true - foreach: field: json.resources if: ctx.json?.resources instanceof List - ignore_failure: true processor: rename: field: _ingest._value.details.awsEcrContainerImage.imageTags + tag: rename_resources_details_awsEcrContainerImage_imageTags target_field: _ingest._value.details.aws.ecr_container_image.image.tags ignore_missing: true - foreach: field: json.resources if: ctx.json?.resources instanceof List - ignore_failure: true + processor: + convert: + field: _ingest._value.details.awsEcrContainerImage.inUseCount + tag: 
convert_resources_details_awsEcrContainerImage_inUseCount_to_long + type: long + target_field: _ingest._value.details.aws.ecr_container_image.in_use_count + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.details.awsEcrContainerImage.inUseCount + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.resources + if: ctx.json?.resources instanceof List + processor: + date: + field: _ingest._value.details.awsEcrContainerImage.lastInUseAt + tag: date_resources_details_awsEcrContainerImage_lastInUseAt + target_field: _ingest._value.details.aws.ecr_container_image.last_in_use_at + formats: + - ISO8601 + - UNIX + - yyyy-MM-dd'T'HH:mm:ss.SSS'Z' + on_failure: + - remove: + field: _ingest._value.details.awsEcrContainerImage.lastInUseAt + ignore_missing: true + - foreach: + field: json.resources + if: ctx.json?.resources instanceof List processor: rename: field: _ingest._value.details.awsEcrContainerImage.platform + tag: rename_resources_details_awsEcrContainerImage_platform target_field: _ingest._value.details.aws.ecr_container_image.platform ignore_missing: true - foreach: field: json.resources if: ctx.json?.resources instanceof List - ignore_failure: true processor: date: field: _ingest._value.details.awsEcrContainerImage.pushedAt + tag: date_resources_details_awsEcrContainerImage_pushedAt target_field: _ingest._value.details.aws.ecr_container_image.pushed_at formats: - ISO8601 - UNIX - yyyy-MM-dd'T'HH:mm:ss.SSS'Z' - ignore_failure: true + on_failure: + - remove: + field: _ingest._value.details.awsEcrContainerImage.pushedAt + ignore_missing: true + - foreach: + field: json.resources + if: ctx.json?.resources instanceof List + processor: + rename: + field: _ingest._value.details.awsEcrContainerImage.registry + tag: 
rename_resources_details_awsEcrContainerImage_registry + target_field: _ingest._value.details.aws.ecr_container_image.registry + ignore_missing: true + - foreach: + field: json.resources + if: ctx.json?.resources instanceof List + processor: + rename: + field: _ingest._value.details.awsEcrContainerImage.repositoryName + tag: rename_resources_details_awsEcrContainerImage_repositoryName + target_field: _ingest._value.details.aws.ecr_container_image.repository_name + ignore_missing: true + - foreach: + field: json.resources + if: ctx.json?.resources instanceof List + processor: + rename: + field: _ingest._value.details.awsLambdaFunction.codeSha256 + tag: rename_resources_details_awsLambdaFunction_codeSha256 + target_field: _ingest._value.details.awsLambdaFunction.code_sha256 + ignore_missing: true + - foreach: + field: json.resources + if: ctx.json?.resources instanceof List + processor: + append: + field: related.hash + tag: append_resource_details_awsLambdaFunction_code_sha256_into_related_hash + value: '{{{_ingest._value.details.awsLambdaFunction.code_sha256}}}' + allow_duplicates: false + - foreach: + field: json.resources + if: ctx.json?.resources instanceof List + processor: + rename: + field: _ingest._value.details.awsLambdaFunction.executionRoleArn + tag: rename_resources_details_awsLambdaFunction_executionRoleArn + target_field: _ingest._value.details.awsLambdaFunction.execution_role_arn + ignore_missing: true + - foreach: + field: json.resources + if: ctx.json?.resources instanceof List + processor: + rename: + field: _ingest._value.details.awsLambdaFunction.functionName + tag: rename_resources_details_awsLambdaFunction_functionName + target_field: _ingest._value.details.awsLambdaFunction.function_name + ignore_missing: true + - foreach: + field: json.resources + if: ctx.json?.resources instanceof List + processor: + date: + field: _ingest._value.details.awsLambdaFunction.lastModifiedAt + tag: date_resources_details_awsLambdaFunction_lastModifiedAt + 
target_field: _ingest._value.details.awsLambdaFunction.last_modified_at + formats: + - ISO8601 + - UNIX + - yyyy-MM-dd'T'HH:mm:ss.SSS'Z' + on_failure: + - remove: + field: _ingest._value.details.awsLambdaFunction.lastModifiedAt + ignore_missing: true + - foreach: + field: json.resources + if: ctx.json?.resources instanceof List + processor: + rename: + field: _ingest._value.details.awsLambdaFunction.packageType + tag: rename_resources_details_awsLambdaFunction_packageType + target_field: _ingest._value.details.awsLambdaFunction.package_type + ignore_missing: true + - foreach: + field: json.resources + if: ctx.json?.resources instanceof List + processor: + rename: + field: _ingest._value.details.awsLambdaFunction.vpcConfig.securityGroupIds + tag: rename_resources_details_awsLambdaFunction_vpcConfig_securityGroupIds + target_field: _ingest._value.details.awsLambdaFunction.vpc_config.security_group_ids + ignore_missing: true + - foreach: + field: json.resources + if: ctx.json?.resources instanceof List + processor: + rename: + field: _ingest._value.details.awsLambdaFunction.vpcConfig.subnetIds + tag: rename_resources_details_awsLambdaFunction_vpcConfig_subnetIds + target_field: _ingest._value.details.awsLambdaFunction.vpc_config.subnet_ids + ignore_missing: true + - foreach: + field: json.resources + if: ctx.json?.resources instanceof List + processor: + rename: + field: _ingest._value.details.awsLambdaFunction.vpcConfig.vpcId + tag: rename_resources_details_awsLambdaFunction_vpcConfig_vpcId + target_field: _ingest._value.details.awsLambdaFunction.vpc_config.vpc_id + ignore_missing: true - foreach: field: json.resources if: ctx.json?.resources instanceof List - ignore_failure: true processor: remove: field: + - _ingest._value.details.awsEc2Instance.launchedAt + - _ingest._value.details.awsEcrContainerImage.inUseCount + - _ingest._value.details.awsEcrContainerImage.lastInUseAt - _ingest._value.details.awsEcrContainerImage.pushedAt + - 
_ingest._value.details.awsLambdaFunction.lastModifiedAt + tag: remove_resources_fields ignore_missing: true - foreach: field: json.resources if: ctx.json?.resources instanceof List - ignore_failure: true processor: rename: - field: _ingest._value.details.awsEcrContainerImage.registry - target_field: _ingest._value.details.aws.ecr_container_image.registry + field: _ingest._value.details.awsLambdaFunction + tag: rename_resources_details_awsLambdaFunction + target_field: _ingest._value.details.aws.lambda_function ignore_missing: true - foreach: field: json.resources if: ctx.json?.resources instanceof List - ignore_failure: true processor: rename: - field: _ingest._value.details.awsEcrContainerImage.repositoryName - target_field: _ingest._value.details.aws.ecr_container_image.repository_name + field: _ingest._value.details.codeRepository.integrationArn + tag: rename_resources_details_codeRepository_integrationArn + target_field: _ingest._value.details.code_repository.integration_arn ignore_missing: true - foreach: field: json.resources if: ctx.json?.resources instanceof List - ignore_failure: true processor: - append: - field: cloud.region - value: '{{{_ingest._value.region}}}' - allow_duplicates: false - ignore_failure: true + rename: + field: _ingest._value.details.codeRepository.projectName + tag: rename_resources_details_codeRepository_projectName + target_field: _ingest._value.details.code_repository.project_name + ignore_missing: true + - foreach: + field: json.resources + if: ctx.json?.resources instanceof List + processor: + rename: + field: _ingest._value.details.codeRepository.providerType + tag: rename_resources_details_codeRepository_providerType + target_field: _ingest._value.details.code_repository.provider_type + ignore_missing: true - rename: field: json.resources + tag: rename_resources target_field: aws.inspector.resources ignore_missing: true + - script: + description: Extract fields from aws.inspector.resources with single resource. 
+ tag: script_extract_fields_from_single_resource + lang: painless + if: ctx.aws?.inspector?.resources instanceof List && ctx.aws.inspector.resources.size() == 1 + source: |- + // Arrays won't work in general in current UI of Cloud Security Posture workflow. In Amazon Inspector, a finding may contain multiple resources, but rarely. + // When a finding has single-resource, we extract fields as single-value so that the Vulnerability Findings UI behaves as expected for almost all cases. + // But in the rare multi-resource case, we extract fields into an array to not miss any affected resources for a finding. + // This trade-off is okay as not many findings will be affected. When our UI natively supports multi-resources, the single-value resource extraction must be removed. + + def resources = ctx.aws.inspector.resources; + + // Define fields to be extracted. + ctx.resource = ctx.resource ?: [:]; + ctx.host = ctx.host ?: [:]; + ctx.host.os = ctx.host.os ?: [:]; + ctx.host.ip = ctx.host.ip ?: []; + ctx.cloud = ctx.cloud ?: [:]; + ctx.cloud.instance = ctx.cloud.instance ?: [:]; + ctx.cloud.machine = ctx.cloud.machine ?: [:]; + + // This extraction logic is only for single resource case. Multiple resources are extracted inside script - script_extract_fields_from_multiple_resources. 
+ if (resources.size() == 1){ + def res = resources[0]; + + ctx.resource.id = res.id; + ctx.resource.name = res.tags?.Name; + ctx.resource.type = res.type; + ctx.cloud.region = res.region; + + if (res.type == 'AWS_EC2_INSTANCE') { + ctx.cloud.instance.id = res.id; + ctx.cloud.machine.type = res.details?.aws?.ec2_instance?.type; + ctx.host.id = res.id; + ctx.host.name = res.tags?.Name; + ctx.host.type = res.details?.aws?.ec2_instance?.type; + ctx.host.os.platform = res.details?.aws?.ec2_instance?.platform; + if (res.details?.aws?.ec2_instance?.ipv4_addresses instanceof List) { + for (ipv4 in res.details?.aws?.ec2_instance?.ipv4_addresses) { + ctx.host.ip.add(ipv4); + } + } + if (res.details?.aws?.ec2_instance?.ipv6_addresses instanceof List) { + for (ipv6 in res.details?.aws?.ec2_instance?.ipv6_addresses) { + ctx.host.ip.add(ipv6); + } + } + def platform = res.details?.aws?.ec2_instance?.platform?.toLowerCase(); + if (platform?.contains('windows') == true) { + ctx.host.os.type = 'windows'; + } else if (platform?.contains('linux') == true) { + ctx.host.os.type = 'linux'; + } else if (platform?.contains('macos') == true) { + ctx.host.os.type = 'macos'; + } + } + } + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - script: + description: Extract fields from aws.inspector.resources with multiple resources. + tag: script_extract_fields_from_multiple_resources + lang: painless + if: ctx.aws?.inspector?.resources instanceof List && ctx.aws.inspector.resources.size() > 1 + source: |- + def resources = ctx.aws.inspector.resources; + + // Define fields to be extracted. 
+ ctx.resource = ctx.resource ?: [:]; + ctx.resource.id = ctx.resource.id ?: []; + ctx.resource.name = ctx.resource.name ?: []; + + ctx.host = ctx.host ?: [:]; + ctx.host.id = ctx.host.id ?: []; + ctx.host.name = ctx.host.name ?: []; + ctx.host.ip = ctx.host.ip ?: []; + ctx.host.type = ctx.host.type ?: []; + ctx.host.os = ctx.host.os ?: [:]; + ctx.host.os.platform = ctx.host.os.platform ?: []; + ctx.host.os.type = ctx.host.os.type ?: []; + + ctx.cloud = ctx.cloud ?: [:]; + ctx.cloud.instance = ctx.cloud.instance ?: [:]; + ctx.cloud.instance.id = ctx.cloud.instance.id ?: []; + ctx.cloud.machine = ctx.cloud.machine ?: [:]; + ctx.cloud.machine.type = ctx.cloud.machine.type ?: []; + ctx.cloud.region = ctx.cloud.region ?: []; + + for (res in resources) { + ctx.resource.id.add(res.id); + ctx.resource.name.add(res.tags?.Name); + ctx.resource.type.add(res.type); + ctx.cloud.region.add(res.region); + + if (res.type == 'AWS_EC2_INSTANCE') { + ctx.cloud.instance.id.add(res.id); + ctx.cloud.machine.type.add(res.details?.aws?.ec2_instance?.type); + ctx.host.id.add(res.id); + ctx.host.name.add(res.tags?.Name); + ctx.host.type.add(res.details?.aws?.ec2_instance?.type); + ctx.host.os.platform.add(res.details?.aws?.ec2_instance?.platform); + if (res.details?.aws?.ec2_instance?.ipv4_addresses instanceof List) { + for (ipv4 in res.details?.aws?.ec2_instance?.ipv4_addresses) { + ctx.host.ip.add(ipv4); + } + } + if (res.details?.aws?.ec2_instance?.ipv6_addresses instanceof List) { + for (ipv6 in res.details?.aws?.ec2_instance?.ipv6_addresses) { + ctx.host.ip.add(ipv6); + } + } + def platform = res.details?.aws?.ec2_instance?.platform?.toLowerCase(); + if (platform?.contains('windows') == true) { + ctx.host.os.type = 'windows'; + } else if (platform?.contains('linux') == true) { + ctx.host.os.type = 'linux'; + } else if (platform?.contains('macos') == true) { + ctx.host.os.type = 'macos'; + } + } + } + on_failure: + - append: + field: error.message + value: 'Processor 
{{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - rename: field: json.status + tag: rename_status target_field: aws.inspector.status ignore_missing: true - rename: field: json.title + tag: rename_title target_field: aws.inspector.title ignore_missing: true + - set: + field: vulnerability.title + tag: set_vulnerability_title + copy_from: aws.inspector.title + ignore_empty_value: true - rename: field: json.type + tag: rename_type target_field: aws.inspector.type ignore_missing: true + - set: + field: event.id + tag: set_event_id + value: '{{vulnerability.id}}|{{resource.id}}|{{package.name}}|{{package.version}}|{{@timestamp}}' + if: ctx.aws?.inspector?.type == 'PACKAGE_VULNERABILITY' + - set: + field: aws.inspector.transform_unique_id + tag: set_transform_unique_id + value: '{{vulnerability.id}}|{{resource.id}}|{{package.name}}|{{package.version}}' + if: ctx.aws?.inspector?.type == 'PACKAGE_VULNERABILITY' - remove: field: - json + tag: remove_json ignore_missing: true - remove: if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields')) 
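Review bot: In `script_extract_fields_from_multiple_resources` the loop calls `ctx.resource.type.add(res.type)`, but the initialisation block only creates `ctx.resource.id` and `ctx.resource.name`. Unless `resource.type` is already a list from a processor outside this hunk, that call fails on the first resource, and every multi-resource finding ends with an `error.message` and only partially populated `resource.*`, `host.*` and `cloud.*` fields. Adding `ctx.resource.type = ctx.resource.type ?: [];` next to the other initialisers fixes it. In the same loop `ctx.host.os.type = 'windows';` (and the `linux`/`macos` branches) replaces the list initialised above with a single string, so only the last EC2 instance's OS type survives; `ctx.host.os.type.add('windows');` keeps it consistent with the other array fields. Both matter because `event.id` and `aws.inspector.transform_unique_id` later in this hunk are built from `resource.id`, which a failed script leaves incomplete.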
@@ -683,47 +1257,60 @@ processors: - aws.inspector.network_reachability_details.protocol - aws.inspector.package_vulnerability_details.reference_urls - aws.inspector.package_vulnerability_details.vulnerability_id - - aws.inspector.package_vulnerability_details.vendor.severity + - aws.inspector.package_vulnerability_details.vendor.created_at + - aws.inspector.inspector_score_details.adjusted_cvss.score.value + - aws.inspector.inspector_score_details.adjusted_cvss.version + - aws.inspector.title + tag: remove_preserve_duplicate_custom_fields ignore_missing: true - - foreach: - field: aws.inspector.resources - if: ctx.aws?.inspector?.resources instanceof List - ignore_failure: true - processor: - remove: - field: - - _ingest._value.region - if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields')) - ignore_missing: true - - foreach: - field: aws.inspector.package_vulnerability_details.cvss - if: ctx.aws?.inspector?.package_vulnerability_details?.cvss instanceof List - ignore_failure: true - processor: - remove: - field: - - _ingest._value.base_score - - _ingest._value.version - if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields')) - ignore_missing: true - script: - description: Drops null/empty values recursively. + tag: script_to_drop_null_values lang: painless - source: | - boolean dropEmptyFields(Object object) { - if (object == null || object == "") { - return true; - } else if (object instanceof Map) { - ((Map) object).values().removeIf(value -> dropEmptyFields(value)); - return (((Map) object).size() == 0); - } else if (object instanceof List) { - ((List) object).removeIf(value -> dropEmptyFields(value)); - return (((List) object).length == 0); - } - return false; + description: This script processor iterates over the whole document to remove fields with null values. 
+ source: |- + void handleMap(Map map) { + map.values().removeIf(v -> { + if (v instanceof Map) { + handleMap(v); + } else if (v instanceof List) { + handleList(v); + } + return v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0) + }); + } + void handleList(List list) { + list.removeIf(v -> { + if (v instanceof Map) { + handleMap(v); + } else if (v instanceof List) { + handleList(v); + } + return v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0) + }); } - dropEmptyFields(ctx); + handleMap(ctx); + - set: + field: event.kind + tag: set_pipeline_error_into_event_kind + value: pipeline_error + if: ctx.error?.message != null + - append: + field: tags + value: preserve_original_event + allow_duplicates: false + if: ctx.error?.message != null on_failure: -- append: - field: error.message - value: '{{{ _ingest.on_failure_message }}}' + - append: + field: error.message + value: |- + Processor '{{{ _ingest.on_failure_processor_type }}}' + {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}' + {{{/_ingest.on_failure_processor_tag}}}failed with message '{{{ _ingest.on_failure_message }}}' + - set: + field: event.kind + tag: set_pipeline_error_to_event_kind + value: pipeline_error + - append: + field: tags + value: preserve_original_event + allow_duplicates: false diff --git a/packages/aws/data_stream/inspector/fields/agent.yml b/packages/aws/data_stream/inspector/fields/agent.yml index 7573d81577c..cee3c7a2d0e 100644 --- a/packages/aws/data_stream/inspector/fields/agent.yml +++ b/packages/aws/data_stream/inspector/fields/agent.yml 
@@ -39,3 +39,12 @@ - name: log.offset type: long description: Log offset +- name: log.file.device_id + type: keyword + description: Device Id of the log file this event came from. +- name: log.file.inode + type: keyword + description: Inode number of the log file. +- name: log.file.path + type: keyword + description: Path to the log file. diff --git a/packages/aws/data_stream/inspector/fields/base-fields.yml b/packages/aws/data_stream/inspector/fields/base-fields.yml index 163750d7fe0..7101d492e4b 100644 --- a/packages/aws/data_stream/inspector/fields/base-fields.yml +++ b/packages/aws/data_stream/inspector/fields/base-fields.yml @@ -1,16 +1,16 @@ - name: data_stream.type - type: constant_keyword - description: Data stream type. + external: ecs - name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. + external: ecs - name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. + external: ecs - name: event.module + external: ecs type: constant_keyword - description: Event module. value: aws +- name: event.dataset + external: ecs + type: constant_keyword + value: aws.inspector - name: '@timestamp' - type: date - description: Event timestamp. + external: ecs diff --git a/packages/aws/data_stream/inspector/fields/ecs.yml b/packages/aws/data_stream/inspector/fields/ecs.yml new file mode 100644 index 00000000000..cc61312ef72 --- /dev/null +++ b/packages/aws/data_stream/inspector/fields/ecs.yml @@ -0,0 +1,7 @@ +# Define ECS constant fields as constant_keyword +- name: observer.vendor + type: constant_keyword + external: ecs +- name: vulnerability.scanner.vendor + type: constant_keyword + external: ecs diff --git a/packages/aws/data_stream/inspector/fields/fields.yml b/packages/aws/data_stream/inspector/fields/fields.yml index bc14c90da16..12803b8273f 100644 --- a/packages/aws/data_stream/inspector/fields/fields.yml +++ b/packages/aws/data_stream/inspector/fields/fields.yml 
@@ -4,9 +4,63 @@ - name: aws_account_id type: keyword description: The AWS account ID associated with the finding. + - name: code_vulnerability_details + type: group + fields: + - name: cwes + type: keyword + description: The Common Weakness Enumeration (CWE) item associated with the detected vulnerability. + - name: detector_id + type: keyword + description: The ID for the Amazon CodeGuru detector associated with the finding. For more information on detectors see Amazon CodeGuru Detector Library. + - name: detector_name + type: keyword + description: The name of the detector used to identify the code vulnerability. For more information on detectors see CodeGuru Detector Library. + - name: detector_tags + type: keyword + description: The detector tag associated with the vulnerability. Detector tags group related vulnerabilities by common themes or tactics. For a list of available tags by programming language, see Java tags, or Python tags. + - name: file_path + type: group + fields: + - name: end_line + type: long + description: The line number of the last line of code that a vulnerability was found in. + - name: name + type: keyword + description: The name of the file the code vulnerability was found in. + - name: path + type: keyword + description: The file path to the code that a vulnerability was found in. + - name: start_line + type: long + description: The line number of the first line of code that a vulnerability was found in. + - name: reference_urls + type: keyword + description: A URL containing supporting documentation about the code vulnerability detected. + - name: rule_id + type: keyword + description: The identifier for a rule that was used to detect the code vulnerability. + - name: source_lambda_layer_arn + type: keyword + description: The Amazon Resource Name (ARN) of the Lambda layer that the code vulnerability was detected in. - name: description type: text description: The description of the finding. 
+ - name: epss + type: group + fields: + - name: score + type: double + description: The EPSS score. + - name: exploitability_details + type: group + fields: + - name: last_known_exploit_at + type: date + description: The date and time of the last exploit associated with a finding discovered in your environment. + - name: exploit_available + type: keyword + description: If a finding discovered in your environment has an exploit available. - name: finding_arn type: keyword description: The Amazon Resource Number (ARN) of the finding. @@ -67,6 +121,9 @@ - name: component type: group fields: + - name: arn + type: keyword + description: The component ARN. The ARN can be null and is not displayed in the AWS console. - name: id type: keyword description: The component ID. 
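Review bot: The descriptions added for `epss.score` and `exploit_available` in the first `fields.yml` hunk (`@@ -4,9 +4,63 @@`) do not say what values the fields hold, which anyone writing a prioritisation query on them needs to know. The sample event in this diff shows `exploit_available` as the string `NO` and an EPSS score of `0.00024`, so I would write `description: Whether an exploit is available for the finding, as the string YES or NO.` and `description: The EPSS score, a probability between 0 and 1 that the vulnerability will be exploited.` Only `NO` is visible here for `exploit_available`, so confirm the full value set against the API reference before stating it. The `aws.inspector` group these fields belong to starts above the hunk.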
@@ -85,6 +142,42 @@ - name: protocol type: keyword description: The protocol associated with a finding. + - name: package_nested + type: nested + fields: + - name: arch + type: keyword + description: The architecture of the vulnerable package. + - name: epoch + type: long + description: The epoch of the vulnerable package. + - name: file_path + type: keyword + description: The file path of the vulnerable package. + - name: fixed_in_version + type: keyword + description: The version of the package that contains the vulnerability fix. + - name: name + type: keyword + description: The name of the vulnerable package. + - name: package_manager + type: keyword + description: The package manager of the vulnerable package. + - name: release + type: keyword + description: The release of the vulnerable package. + - name: remediation + type: keyword + description: The code to run in your environment to update packages with a fix available. + - name: source_lambda_layer_arn + type: keyword + description: The Amazon Resource Number (ARN) of the AWS Lambda function affected by a finding. + - name: source_layer_hash + type: keyword + description: The source layer hash of the vulnerable package. + - name: version + type: keyword + description: The version of the vulnerable package. - name: package_vulnerability_details type: group fields: @@ -163,7 +256,7 @@ - name: file_path type: keyword description: The file path of the vulnerable package. - - name: fixed_inversion + - name: fixed_in_version type: keyword description: The version of the package that contains the vulnerability fix. - name: name 
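Review bot: `package_nested.source_lambda_layer_arn` in the `@@ -85,6 +142,42 @@` hunk is described as the ARN `of the AWS Lambda function affected by a finding`, which contradicts the field name and the description this commit gives the same-named field under `code_vulnerability_details` (the Lambda layer). The same text is added again in the `@@ -175,6 +268,12 @@` hunk. Assuming the API defines it as the layer, both should read `description: The Amazon Resource Name (ARN) of the Lambda layer that contains the vulnerable package.` It would also help to put a comment above `package_nested` such as `# Mirrors vulnerable_packages as a nested type so name and version can be matched per package.`, if that is the intent; the sample event shows the same six entries under both keys.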
@@ -175,6 +268,12 @@ - name: release type: keyword description: The release of the vulnerable package. + - name: remediation + type: keyword + description: The code to run in your environment to update packages with a fix available. + - name: source_lambda_layer_arn + type: keyword + description: The Amazon Resource Number (ARN) of the AWS Lambda function affected by a finding. - name: source_layer_hash type: keyword description: The source layer hash of the vulnerable package. @@ -271,6 +370,12 @@ - name: tags type: keyword description: The image tags attached to the Amazon ECR container image. + - name: in_use_count + type: long + description: The number of Amazon ECS tasks or Amazon EKS pods where the Amazon ECR container image is in use. + - name: last_in_use_at + type: date + description: The last time an Amazon ECR image was used in an Amazon ECS task or Amazon EKS pod. - name: platform type: keyword description: The platform of the Amazon ECR container image. 
@@ -283,6 +388,60 @@ - name: repository_name type: keyword description: The name of the repository the Amazon ECR container image resides in. + - name: lambda_function + type: group + fields: + - name: architectures + type: keyword + description: The instruction set architecture that the AWS Lambda function supports. Architecture is a string array with one of the valid values. The default architecture value is x86_64. + - name: code_sha256 + type: keyword + description: The SHA256 hash of the AWS Lambda function's deployment package. + - name: execution_role_arn + type: keyword + description: The AWS Lambda function's execution role. + - name: function_name + type: keyword + description: The name of the AWS Lambda function. + - name: last_modified_at + type: date + description: The date and time that a user last updated the configuration, in ISO 8601 format. + - name: layers + type: keyword + description: The AWS Lambda function's layers. A Lambda function can have up to five layers. + - name: package_type + type: keyword + description: The type of deployment package. Set to Image for container image and set Zip for .zip file archive. + - name: runtime + type: keyword + description: The runtime environment for the AWS Lambda function. + - name: version + type: keyword + description: The version of the AWS Lambda function. + - name: vpc_config + type: group + fields: + - name: security_group_ids + type: keyword + description: The VPC security groups and subnets that are attached to an AWS Lambda function. For more information, see VPC Settings. + - name: subnet_ids + type: keyword + description: A list of VPC subnet IDs. + - name: vpc_id + type: keyword + description: The ID of the VPC. + - name: code_repository + type: group + fields: + - name: integration_arn + type: keyword + description: The Amazon Resource Name (ARN) of the code security integration associated with the repository. 
+ - name: project_name + type: keyword + description: The name of the project in the code repository. + - name: provider_type + type: keyword + description: The type of repository provider (such as GitHub, GitLab, etc.). - name: id type: keyword description: The ID of the resource. @@ -307,6 +466,8 @@ - name: title type: keyword description: The title of the finding. + - name: transform_unique_id + type: keyword - name: type type: keyword description: The type of the finding. diff --git a/packages/aws/data_stream/inspector/fields/package.yml b/packages/aws/data_stream/inspector/fields/package.yml new file mode 100644 index 00000000000..592d9cde4a0 --- /dev/null +++ b/packages/aws/data_stream/inspector/fields/package.yml @@ -0,0 +1,6 @@ +- name: package + type: group + fields: + - name: fixed_version + type: keyword + description: In which version of the package the vulnerability was fixed. diff --git a/packages/aws/data_stream/inspector/fields/resource.yml b/packages/aws/data_stream/inspector/fields/resource.yml new file mode 100644 index 00000000000..d070ae78d30 --- /dev/null +++ b/packages/aws/data_stream/inspector/fields/resource.yml @@ -0,0 +1,12 @@ +- name: resource + type: group + fields: + - name: id + type: keyword + description: The ID of the vulnerable resource. + - name: name + type: keyword + description: The name of the vulnerable resource. + - name: type + type: keyword + description: The type of the vulnerable resource. diff --git a/packages/aws/data_stream/inspector/fields/vulnerability.yml b/packages/aws/data_stream/inspector/fields/vulnerability.yml new file mode 100644 index 00000000000..8003fe22da6 --- /dev/null +++ b/packages/aws/data_stream/inspector/fields/vulnerability.yml 
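Review bot: `transform_unique_id` in the `@@ -307,6 +466,8 @@` hunk of `fields.yml` is the only field this commit adds without a `description`. The sample event shows it as the CVE id, resource id, package names and package versions joined with `|`, and `event.id` as the same string plus the last-observed timestamp, so something like `description: Key built from the vulnerability id, resource id, package names and package versions of a finding.` would tell readers what it is; presumably a transform groups on it. The name and version parts render as `{0=golang.org/x/net, 1=nerdctl}`, which looks like a collection's default string form rather than a deliberate encoding. If so, the key changes whenever element order or formatting changes, which is worth checking in the pipeline code outside this hunk.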
@@ -0,0 +1,12 @@
+- name: vulnerability
+ type: group
+ fields:
+ - name: cve
+ type: keyword
+ description: The CVE id of the vulnerability.
+ - name: published_date
+ type: date
+ description: When the vulnerability was published.
+ - name: title
+ type: keyword
+ description: The human readeable title of the vulnerability.
diff --git a/packages/aws/data_stream/inspector/manifest.yml b/packages/aws/data_stream/inspector/manifest.yml
index 1f2457310a7..16ff1c44466 100644
--- a/packages/aws/data_stream/inspector/manifest.yml
+++ b/packages/aws/data_stream/inspector/manifest.yml
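Review bot: The `title` description in the new `vulnerability.yml` has a typo, `readeable`; it should read `description: The human readable title of the vulnerability.` Separately, `vulnerability.cve` is declared here, but the sample event in this diff carries the CVE only in `vulnerability.id` and has no `vulnerability.cve`. Either the description should say when the field is populated or the sample should show it.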
@@ -1,37 +1,43 @@ -title: Collect AWS Inspector logs from AWS +title: Collect Amazon Inspector logs from AWS type: logs streams: - input: httpjson - title: Collect AWS Inspector Findings from AWS - description: Collect AWS Inspector Findings from AWS. + title: Collect Amazon Inspector Findings from AWS + description: Collect Amazon Inspector Findings from AWS. template_path: httpjson.yml.hbs vars: - name: interval type: text title: Interval - description: 'Interval to fetch AWS Inspector Findings from AWS. NOTE: Supported units for this parameter are h/m/s.' + description: Interval to fetch Amazon Inspector Findings from AWS. Supported units for this parameter are h/m/s. required: true show_user: true - default: 1m + default: 24h - name: enable_request_tracer type: bool title: Enable request tracing + default: false multi: false required: false show_user: false - description: The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#_request_tracer_filename) for details. + description: >- + The request tracer logs requests and responses to the agent's local file-system for debugging configurations. + Enabling this request tracing compromises security and should only be used for debugging. Disabling the request + tracer will delete any stored traces. + See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#_request_tracer_filename) + for details. - name: initial_interval type: text title: Initial Interval - description: 'How far back to pull the AWS Inspector Findings from AWS. NOTE: Supported units for this parameter are h/m/s.' + description: How far back to pull the Amazon Inspector Findings from AWS. Supported units for this parameter are h/m/s. 
multi: false required: true show_user: true - default: 24h + default: 2160h - name: http_client_timeout type: text title: HTTP Client Timeout - description: 'Duration of the time limit on HTTP requests. Note: Valid time units are ns, us, ms, s, m, h.' + description: Duration of the time limit on HTTP requests. Valid time units are ns, us, ms, s, m, h. multi: false required: true show_user: true diff --git a/packages/aws/data_stream/inspector/sample_event.json b/packages/aws/data_stream/inspector/sample_event.json index 2116bc8251e..5c783c7fcee 100644 --- a/packages/aws/data_stream/inspector/sample_event.json +++ b/packages/aws/data_stream/inspector/sample_event.json 
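Review bot: The new defaults in `manifest.yml` (`interval` from `1m` to `24h`, `initial_interval` from `24h` to `2160h`) change detection latency and first-run API volume, and neither description says so. With a 24h poll a new finding can be up to a day old before it is indexed, and the first run now requests 90 days of findings, which matters given the API-charge warning in the integration docs. I would extend the texts, for example `description: Interval to fetch Amazon Inspector Findings from AWS. Supported units for this parameter are h/m/s. New findings appear only after the next poll.` and `description: How far back to pull the Amazon Inspector Findings from AWS (default 2160h, 90 days). Supported units for this parameter are h/m/s.` The `vars` list appears to continue past the end of the hunk.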
@@ -1,101 +1,168 @@ { - "@timestamp": "2022-09-20T19:52:26.405Z", + "@timestamp": "2025-06-05T23:23:16.162Z", "agent": { - "ephemeral_id": "d1032859-fd44-410c-9960-dde7dcbc3a2e", - "id": "4a3373c9-b63f-4544-a929-761b42f50054", - "name": "docker-fleet-agent", + "ephemeral_id": "788993b6-dba1-4abf-a351-971772a30ab3", + "id": "f39725b1-2457-4583-bd15-dc0a928f195e", + "name": "elastic-agent-65036", "type": "filebeat", - "version": "8.4.0" + "version": "8.19.0" }, "aws": { "inspector": { - "finding_arn": "arn:aws:s3:::sample", - "first_observed_at": "2022-09-20T19:52:26.405Z", - "inspector_score": 1.2, + "epss": { + "score": 0.00024 + }, + "exploit_available": "NO", + "finding_arn": "arn:aws:inspector2:us-east-2:123456789012:finding/fb6294abcdef0123456789abcdef8123", + "first_observed_at": "2025-05-29T17:28:07.919Z", + "fix_available": "YES", + "inspector_score": 6.5, "inspector_score_details": { "adjusted_cvss": { - "adjustments": [ - { - "metric": "Base", - "reason": "use Base metric" - } - ], - "cvss_source": "scope1", + "cvss_source": "NVD", "score": { - "source": "scope2", - "value": 8.9 + "source": "NVD" }, - "scoring_vector": "Attack Vector", - "version": "v3.1" + "scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L" } }, - "last_observed_at": "2022-09-20T19:52:26.405Z", - "network_reachability_details": { - "network_path": { - "steps": [ - { - "component": { - "id": "02ce3860-3126-42af-8ac7-c2a661134129", - "type": "type" - } - } - ] + "last_observed_at": "2025-06-05T23:23:16.162Z", + "package_nested": [ + { + "epoch": 0, + "file_path": "vol-0e47545061282cd35:/p1:opt/cni/bin/aws-cni", + "fixed_in_version": "0.38.0", + "name": "golang.org/x/net", + "package_manager": "GOBINARY", + "version": "v0.1.0" + }, + { + "epoch": 0, + "file_path": "vol-0e47545061282cd35:/p1:etc/eks/image-credential-provider/ecr-credential-provider", + "fixed_in_version": "0.38.0", + "name": "golang.org/x/net", + "package_manager": "GOBINARY", + "version": "v0.30.0" + }, + { + 
"epoch": 0, + "file_path": "vol-0e47545061282cd35:/p1:opt/cni/bin/dhcp", + "fixed_in_version": "0.38.0", + "name": "golang.org/x/net", + "package_manager": "GOBINARY", + "version": "v0.30.0" + }, + { + "epoch": 0, + "file_path": "vol-0e47545061282cd35:/p1:usr/bin/aws-iam-authenticator", + "fixed_in_version": "0.38.0", + "name": "golang.org/x/net", + "package_manager": "GOBINARY", + "version": "v0.30.0" + }, + { + "epoch": 0, + "file_path": "vol-0e47545061282cd35:/p1:usr/bin/kubelet", + "fixed_in_version": "0.38.0", + "name": "golang.org/x/net", + "package_manager": "GOBINARY", + "version": "v0.30.0" }, - "open_port_range": { - "begin": 1234, - "end": 4567 + { + "arch": "X86_64", + "epoch": 0, + "fixed_in_version": "0:2.0.5-1.amzn2.0.1", + "name": "nerdctl", + "package_manager": "OS", + "release": "1.amzn2.0.1", + "remediation": "yum update nerdctl", + "version": "2.0.4" } - }, + ], "package_vulnerability_details": { "cvss": [ { - "scoring_vector": "Attack Vector", - "source": "scope3" + "base_score": 6.5, + "scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L", + "source": "NVD", + "version": "3.1" + }, + { + "base_score": 6.5, + "scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L", + "source": "NVD", + "version": "3.1" } ], - "related_vulnerabilities": [ - "security" - ], "source": { "url": { - "domain": "cve.mitre.org", - "extension": "cgi", - "original": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111", - "path": "/cgi-bin/cvename.cgi", - "query": "name=CVE-2019-6111", + "domain": "nvd.nist.gov", + "original": "https://nvd.nist.gov/vuln/detail/CVE-2025-22872", + "path": "/vuln/detail/CVE-2025-22872", "scheme": "https" }, - "value": "example" + "value": "NVD" }, "vendor": { - "created_at": "2022-09-20T19:52:26.405Z", - "updated_at": "2022-09-20T19:52:26.405Z" + "severity": "MEDIUM", + "updated_at": "2025-05-16T23:15:19.000Z" }, "vulnerable_packages": [ { - "arch": "arch", - "epoch": 123, - "file_path": "/example", - 
"fixed_inversion": "3", - "name": "example", - "package_manager": "BUNDLER", - "release": "release", - "source_layer_hash": "50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545c", - "version": "2.0" + "epoch": 0, + "file_path": "vol-0e47545061282cd35:/p1:opt/cni/bin/aws-cni", + "fixed_in_version": "0.38.0", + "name": "golang.org/x/net", + "package_manager": "GOBINARY", + "version": "v0.1.0" + }, + { + "epoch": 0, + "file_path": "vol-0e47545061282cd35:/p1:etc/eks/image-credential-provider/ecr-credential-provider", + "fixed_in_version": "0.38.0", + "name": "golang.org/x/net", + "package_manager": "GOBINARY", + "version": "v0.30.0" + }, + { + "epoch": 0, + "file_path": "vol-0e47545061282cd35:/p1:opt/cni/bin/dhcp", + "fixed_in_version": "0.38.0", + "name": "golang.org/x/net", + "package_manager": "GOBINARY", + "version": "v0.30.0" + }, + { + "epoch": 0, + "file_path": "vol-0e47545061282cd35:/p1:usr/bin/aws-iam-authenticator", + "fixed_in_version": "0.38.0", + "name": "golang.org/x/net", + "package_manager": "GOBINARY", + "version": "v0.30.0" + }, + { + "epoch": 0, + "file_path": "vol-0e47545061282cd35:/p1:usr/bin/kubelet", + "fixed_in_version": "0.38.0", + "name": "golang.org/x/net", + "package_manager": "GOBINARY", + "version": "v0.30.0" + }, + { + "arch": "X86_64", + "epoch": 0, + "fixed_in_version": "0:2.0.5-1.amzn2.0.1", + "name": "nerdctl", + "package_manager": "OS", + "release": "1.amzn2.0.1", + "remediation": "yum update nerdctl", + "version": "2.0.4" } ] }, "remediation": { "recommendation": { - "text": "example", - "url": { - "domain": "cve.mitre.org", - "extension": "cgi", - "original": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111", - "path": "/cgi-bin/cvename.cgi", - "query": "name=CVE-2019-6111", - "scheme": "https" - } + "text": "None Provided" } }, "resources": [ 
@@ -103,121 +170,217 @@ "details": { "aws": { "ec2_instance": { - "iam_instance_profile_arn": "arn:aws:s3:::iam", - "image_id": "123456789", + "iam_instance_profile_arn": "arn:aws:iam::123456789012:instance-profile/eks-0012345a-1234-5678-1234-6c1abcdef012", + "image_id": "ami-0e0f0123456789abd", "ipv4_addresses": [ - "89.160.20.128", - "81.2.69.192" - ], - "ipv6_addresses": [ - "2a02:cf40::" + "10.90.1.245", + "10.90.1.45", + "10.90.1.168", + "10.90.1.157", + "1.128.0.1", + "10.90.1.103", + "10.90.1.197", + "10.90.1.220", + "10.90.1.86", + "10.90.1.29", + "10.90.1.18", + "10.90.1.181", + "10.90.1.161", + "10.90.1.229", + "10.90.1.108", + "10.90.1.219", + "10.90.1.9", + "10.90.1.106", + "10.90.1.206" ], - "key_name": "sample", - "launched_at": "2022-09-20T19:52:26.405Z", - "platform": "EC2", - "subnet_id": "123456", - "type": "Instance", - "vpc_id": "3265875" - }, - "ecr_container_image": { - "architecture": "arch", - "author": "example", - "image": { - "hash": "50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545d", - "tags": [ - "sample" - ] - }, - "platform": "ECR", - "pushed_at": "2022-09-20T19:52:26.405Z", - "registry": "ecr registry", - "repository_name": "sample" + "launched_at": "2025-05-29T16:06:08.000Z", + "platform": "AMAZON_LINUX_2", + "subnet_id": "subnet-0ababcdefabcdef8b", + "type": "t3.medium", + "vpc_id": "vpc-04ab0123456789123" } } }, - "id": "12345678", - "partition": "partition", + "id": "i-0fabcdefabcdef50b", + "partition": "aws", + "region": "us-east-2", "tags": { - "string1": "string1", - "string2": "string2" + "aws:autoscaling:groupName": "eks-sei_demo_prod_linux-00c12345-abcd-1234-5678-601234567896", + "aws:ec2launchtemplate:version": "6", + "aws:eks:cluster-name": "sei_demo_prod", + "eks:cluster-name": "sei_demo_prod", + "eks:nodegroup-name": "sei_demo_prod_linux", + "k8s.io/cluster-autoscaler/enabled": "true", + "k8s.io/cluster-autoscaler/sei_demo_prod": "owned", + "kubernetes.io/cluster/sei_demo_prod": "owned" }, "type": 
"AWS_EC2_INSTANCE" } ], - "severity": "INFORMATIONAL", + "severity": "MEDIUM", "status": "ACTIVE", - "title": "sample findings", - "type": "NETWORK_REACHABILITY" + "transform_unique_id": "CVE-2025-22872|i-0fabcdefabcdef50b|{0=golang.org/x/net, 1=nerdctl}|{0=v0.1.0, 1=v0.30.0, 2=2.0.4}", + "type": "PACKAGE_VULNERABILITY" } }, "cloud": { "account": { - "id": "123456789" + "id": "123456789012" }, - "region": [ - "us-east-1" - ] + "instance": { + "id": "i-0fabcdefabcdef50b" + }, + "machine": { + "type": "t3.medium" + }, + "provider": "aws", + "region": "us-east-2" }, "data_stream": { "dataset": "aws.inspector", - "namespace": "ep", + "namespace": "64174", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "4a3373c9-b63f-4544-a929-761b42f50054", - "snapshot": false, - "version": "8.4.0" + "id": "f39725b1-2457-4583-bd15-dc0a928f195e", + "snapshot": true, + "version": "8.19.0" }, "event": { "agent_id_status": "verified", - "created": "2022-11-17T13:05:04.253Z", + "category": [ + "vulnerability" + ], + "created": "2025-07-15T04:04:32.124Z", "dataset": "aws.inspector", - "ingested": "2022-11-17T13:05:07Z", + "id": "CVE-2025-22872|i-0fabcdefabcdef50b|{0=golang.org/x/net, 1=nerdctl}|{0=v0.1.0, 1=v0.30.0, 2=2.0.4}|2025-06-05T23:23:16.162Z", + "ingested": "2025-07-15T04:04:35Z", "kind": "event", - "original": "{\"awsAccountId\":\"123456789\",\"description\":\"Findins message\",\"findingArn\":\"arn:aws:s3:::sample\",\"firstObservedAt\":\"1.663703546405E9\",\"inspectorScore\":1.2,\"inspectorScoreDetails\":{\"adjustedCvss\":{\"adjustments\":[{\"metric\":\"Base\",\"reason\":\"use Base metric\"}],\"cvssSource\":\"scope1\",\"score\":8.9,\"scoreSource\":\"scope2\",\"scoringVector\":\"Attack 
Vector\",\"version\":\"v3.1\"}},\"lastObservedAt\":\"1.663703546405E9\",\"networkReachabilityDetails\":{\"networkPath\":{\"steps\":[{\"componentId\":\"02ce3860-3126-42af-8ac7-c2a661134129\",\"componentType\":\"type\"}]},\"openPortRange\":{\"begin\":1234,\"end\":4567},\"protocol\":\"TCP\"},\"packageVulnerabilityDetails\":{\"cvss\":[{\"baseScore\":1.1,\"scoringVector\":\"Attack Vector\",\"source\":\"scope3\",\"version\":\"v3.1\"}],\"referenceUrls\":[\"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111\"],\"relatedVulnerabilities\":[\"security\"],\"source\":\"example\",\"sourceUrl\":\"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111\",\"vendorCreatedAt\":\"1.663703546405E9\",\"vendorSeverity\":\"basic\",\"vendorUpdatedAt\":\"1.663703546405E9\",\"vulnerabilityId\":\"123456789\",\"vulnerablePackages\":[{\"arch\":\"arch\",\"epoch\":123,\"filePath\":\"/example\",\"fixedInVersion\":\"3\",\"name\":\"example\",\"packageManager\":\"BUNDLER\",\"release\":\"release\",\"sourceLayerHash\":\"50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545c\",\"version\":\"2.0\"}]},\"remediation\":{\"recommendation\":{\"Url\":\"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111\",\"text\":\"example\"}},\"resources\":[{\"details\":{\"awsEc2Instance\":{\"iamInstanceProfileArn\":\"arn:aws:s3:::iam\",\"imageId\":\"123456789\",\"ipV4Addresses\":[\"89.160.20.128\",\"81.2.69.192\"],\"ipV6Addresses\":[\"2a02:cf40::\"],\"keyName\":\"sample\",\"launchedAt\":\"1.663703546405E9\",\"platform\":\"EC2\",\"subnetId\":\"123456\",\"type\":\"Instance\",\"vpcId\":\"3265875\"},\"awsEcrContainerImage\":{\"architecture\":\"arch\",\"author\":\"example\",\"imageHash\":\"50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545d\",\"imageTags\":[\"sample\"],\"platform\":\"ECR\",\"pushedAt\":\"1.663703546405E9\",\"registry\":\"ecr 
registry\",\"repositoryName\":\"sample\"}},\"id\":\"12345678\",\"partition\":\"partition\",\"region\":\"us-east-1\",\"tags\":{\"string1\":\"string1\",\"string2\":\"string2\"},\"type\":\"AWS_EC2_INSTANCE\"}],\"severity\":\"INFORMATIONAL\",\"status\":\"ACTIVE\",\"title\":\"sample findings\",\"type\":\"NETWORK_REACHABILITY\",\"updatedAt\":\"1.663703546405E9\"}", + "original": "{\"awsAccountId\":\"123456789012\",\"description\":\"The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. \\u003cmath\\u003e, \\u003csvg\\u003e, etc contexts).\",\"epss\":{\"score\":0.00024},\"exploitAvailable\":\"NO\",\"findingArn\":\"arn:aws:inspector2:us-east-2:123456789012:finding/fb6294abcdef0123456789abcdef8123\",\"firstObservedAt\":1748539687.919,\"fixAvailable\":\"YES\",\"inspectorScore\":6.5,\"inspectorScoreDetails\":{\"adjustedCvss\":{\"adjustments\":[],\"cvssSource\":\"NVD\",\"score\":6.5,\"scoreSource\":\"NVD\",\"scoringVector\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L\",\"version\":\"3.1\"}},\"lastObservedAt\":1749165796.162,\"packageVulnerabilityDetails\":{\"cvss\":[{\"baseScore\":6.5,\"scoringVector\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L\",\"source\":\"NVD\",\"version\":\"3.1\"},{\"baseScore\":6.5,\"scoringVector\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L\",\"source\":\"NVD\",\"version\":\"3.1\"}],\"referenceUrls\":[\"https://groups.google.com/g/golang-announce/c/ezSKR9vqbqA\",\"https://nvd.nist.gov/vuln/detail/CVE-2025-22872\",\"https://alas.aws.amazon.com/AL2023/ALAS-2025-981.html\",\"https://alas.aws.amazon.com/AL2/ALASDOCKER-2025-064.html\",\"https://alas.aws.amazon.com/AL2023/ALAS-2025-980.html
\",\"https://alas.aws.amazon.com/AL2/ALASDOCKER-2025-063.html\",\"https://alas.aws.amazon.com/AL2023/ALAS-2025-979.html\",\"https://alas.aws.amazon.com/cve/json/v1/CVE-2025-22872.json\",\"https://alas.aws.amazon.com/AL2/ALAS-2025-2863.html\",\"https://alas.aws.amazon.com/cve/json/v1/CVE-2025-22872.json\"],\"relatedVulnerabilities\":[],\"source\":\"NVD\",\"sourceUrl\":\"https://nvd.nist.gov/vuln/detail/CVE-2025-22872\",\"vendorCreatedAt\":1744827364,\"vendorSeverity\":\"MEDIUM\",\"vendorUpdatedAt\":1747437319,\"vulnerabilityId\":\"CVE-2025-22872\",\"vulnerablePackages\":[{\"epoch\":0,\"filePath\":\"vol-0e47545061282cd35:/p1:opt/cni/bin/aws-cni\",\"fixedInVersion\":\"0.38.0\",\"name\":\"golang.org/x/net\",\"packageManager\":\"GOBINARY\",\"version\":\"v0.1.0\"},{\"epoch\":0,\"filePath\":\"vol-0e47545061282cd35:/p1:etc/eks/image-credential-provider/ecr-credential-provider\",\"fixedInVersion\":\"0.38.0\",\"name\":\"golang.org/x/net\",\"packageManager\":\"GOBINARY\",\"version\":\"v0.30.0\"},{\"epoch\":0,\"filePath\":\"vol-0e47545061282cd35:/p1:opt/cni/bin/dhcp\",\"fixedInVersion\":\"0.38.0\",\"name\":\"golang.org/x/net\",\"packageManager\":\"GOBINARY\",\"version\":\"v0.30.0\"},{\"epoch\":0,\"filePath\":\"vol-0e47545061282cd35:/p1:usr/bin/aws-iam-authenticator\",\"fixedInVersion\":\"0.38.0\",\"name\":\"golang.org/x/net\",\"packageManager\":\"GOBINARY\",\"version\":\"v0.30.0\"},{\"epoch\":0,\"filePath\":\"vol-0e47545061282cd35:/p1:usr/bin/kubelet\",\"fixedInVersion\":\"0.38.0\",\"name\":\"golang.org/x/net\",\"packageManager\":\"GOBINARY\",\"version\":\"v0.30.0\"},{\"arch\":\"X86_64\",\"epoch\":0,\"fixedInVersion\":\"0:2.0.5-1.amzn2.0.1\",\"name\":\"nerdctl\",\"packageManager\":\"OS\",\"release\":\"1.amzn2.0.1\",\"remediation\":\"yum update nerdctl\",\"version\":\"2.0.4\"}]},\"remediation\":{\"recommendation\":{\"text\":\"None 
Provided\"}},\"resources\":[{\"details\":{\"awsEc2Instance\":{\"iamInstanceProfileArn\":\"arn:aws:iam::123456789012:instance-profile/eks-0012345a-1234-5678-1234-6c1abcdef012\",\"imageId\":\"ami-0e0f0123456789abd\",\"ipV4Addresses\":[\"10.90.1.245\",\"10.90.1.45\",\"10.90.1.168\",\"10.90.1.157\",\"1.128.0.1\",\"10.90.1.103\",\"10.90.1.197\",\"10.90.1.220\",\"10.90.1.86\",\"10.90.1.29\",\"10.90.1.18\",\"10.90.1.181\",\"10.90.1.161\",\"10.90.1.229\",\"10.90.1.108\",\"10.90.1.219\",\"10.90.1.9\",\"10.90.1.106\",\"10.90.1.206\"],\"ipV6Addresses\":[],\"launchedAt\":1748534768,\"platform\":\"AMAZON_LINUX_2\",\"subnetId\":\"subnet-0ababcdefabcdef8b\",\"type\":\"t3.medium\",\"vpcId\":\"vpc-04ab0123456789123\"}},\"id\":\"i-0fabcdefabcdef50b\",\"partition\":\"aws\",\"region\":\"us-east-2\",\"tags\":{\"aws:autoscaling:groupName\":\"eks-sei_demo_prod_linux-00c12345-abcd-1234-5678-601234567896\",\"aws:ec2launchtemplate:version\":\"6\",\"aws:eks:cluster-name\":\"sei_demo_prod\",\"eks:cluster-name\":\"sei_demo_prod\",\"eks:nodegroup-name\":\"sei_demo_prod_linux\",\"k8s.io/cluster-autoscaler/enabled\":\"true\",\"k8s.io/cluster-autoscaler/sei_demo_prod\":\"owned\",\"kubernetes.io/cluster/sei_demo_prod\":\"owned\"},\"type\":\"AWS_EC2_INSTANCE\"}],\"severity\":\"MEDIUM\",\"status\":\"ACTIVE\",\"title\":\"CVE-2025-22872 - golang.org/x/net, golang.org/x/net and 4 more\",\"type\":\"PACKAGE_VULNERABILITY\",\"updatedAt\":1749165796.162}", "type": [ "info" ] }, + "host": { + "id": "i-0fabcdefabcdef50b", + "ip": [ + "10.90.1.245", + "10.90.1.45", + "10.90.1.168", + "10.90.1.157", + "1.128.0.1", + "10.90.1.103", + "10.90.1.197", + "10.90.1.220", + "10.90.1.86", + "10.90.1.29", + "10.90.1.18", + "10.90.1.181", + "10.90.1.161", + "10.90.1.229", + "10.90.1.108", + "10.90.1.219", + "10.90.1.9", + "10.90.1.106", + "10.90.1.206" + ], + "os": { + "platform": "AMAZON_LINUX_2", + "type": "linux" + }, + "type": "t3.medium" + }, "input": { "type": "httpjson" }, - "message": "Findins message", - 
"network": { - "transport": "tcp" + "message": "The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. , , etc contexts).", + "observer": { + "vendor": "Amazon Inspector" }, - "related": { - "hash": [ - "50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545c", - "50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545d" + "package": { + "architecture": [ + "X86_64" + ], + "fixed_version": [ + "0.38.0", + "0:2.0.5-1.amzn2.0.1" + ], + "name": [ + "golang.org/x/net", + "nerdctl" + ], + "path": [ + "vol-0e47545061282cd35:/p1:opt/cni/bin/aws-cni", + "vol-0e47545061282cd35:/p1:etc/eks/image-credential-provider/ecr-credential-provider", + "vol-0e47545061282cd35:/p1:opt/cni/bin/dhcp", + "vol-0e47545061282cd35:/p1:usr/bin/aws-iam-authenticator", + "vol-0e47545061282cd35:/p1:usr/bin/kubelet" ], + "version": [ + "v0.1.0", + "v0.30.0", + "2.0.4" + ] + }, + "related": { "ip": [ - "89.160.20.128", - "81.2.69.192", - "2a02:cf40::" + "10.90.1.245", + "10.90.1.45", + "10.90.1.168", + "10.90.1.157", + "1.128.0.1", + "10.90.1.103", + "10.90.1.197", + "10.90.1.220", + "10.90.1.86", + "10.90.1.29", + "10.90.1.18", + "10.90.1.181", + "10.90.1.161", + "10.90.1.229", + "10.90.1.108", + "10.90.1.219", + "10.90.1.9", + "10.90.1.106", + "10.90.1.206" ] }, + "resource": { + "id": "i-0fabcdefabcdef50b", + "type": "AWS_EC2_INSTANCE" + }, "tags": [ "preserve_original_event", "forwarded", "aws-inspector" ], "vulnerability": { - "id": "123456789", + "description": "The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. 
When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. , , etc contexts).", + "id": "CVE-2025-22872", + "published_date": "2025-04-16T18:16:04.000Z", "reference": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111" + "https://groups.google.com/g/golang-announce/c/ezSKR9vqbqA", + "https://nvd.nist.gov/vuln/detail/CVE-2025-22872", + "https://alas.aws.amazon.com/AL2023/ALAS-2025-981.html", + "https://alas.aws.amazon.com/AL2/ALASDOCKER-2025-064.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2025-980.html", + "https://alas.aws.amazon.com/AL2/ALASDOCKER-2025-063.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2025-979.html", + "https://alas.aws.amazon.com/cve/json/v1/CVE-2025-22872.json", + "https://alas.aws.amazon.com/AL2/ALAS-2025-2863.html", + "https://alas.aws.amazon.com/cve/json/v1/CVE-2025-22872.json" ], + "scanner": { + "vendor": "Amazon Inspector" + }, "score": { - "base": [ - 1.1 - ], - "version": [ - "v3.1" - ] + "base": 6.5, + "version": "3.1" }, - "severity": "basic" + "severity": "Medium", + "title": "CVE-2025-22872 - golang.org/x/net, golang.org/x/net and 4 more" } -} \ No newline at end of file +} diff --git a/packages/aws/docs/inspector.md b/packages/aws/docs/inspector.md index 6430850ce2c..5077e5603ac 100644 --- a/packages/aws/docs/inspector.md +++ b/packages/aws/docs/inspector.md 
@@ -1,15 +1,19 @@ # Inspector -The [AWS Inspector](https://docs.aws.amazon.com/inspector/) integration collects and parses data from AWS Inspector [Findings](https://docs.aws.amazon.com/inspector/v2/APIReference/API_ListFindings.html) REST APIs. +The [Amazon Inspector](https://docs.aws.amazon.com/inspector/) integration collects and parses data from Amazon Inspector [Findings](https://docs.aws.amazon.com/inspector/v2/APIReference/API_ListFindings.html) REST APIs. **IMPORTANT: Extra AWS charges on API requests will be generated by this integration. Check [API Requests](https://www.elastic.co/docs/current/integrations/aws#api-requests) for more details.** ## Compatibility +This module is tested against `Amazon Inspector API version 2.0`. - 1. The minimum compatible version of this module is **Elastic Agent 8.4.0**. - 2. This module is tested against `AWS Inspector API version 2.0`. +## Agentless-enabled integration -## To collect data from AWS Inspector API, users must have an Access Key and a Secret Key. To create API token follow below steps: +Agentless integrations allow you to collect data without having to manage Elastic Agent in your cloud. They make manual agent deployment unnecessary, so you can focus on your data instead of the agent that collects it. For more information, refer to [Agentless integrations](https://www.elastic.co/guide/en/serverless/current/security-agentless-integrations.html) and the [Agentless integrations FAQ](https://www.elastic.co/guide/en/serverless/current/agentless-integration-troubleshooting.html). + +Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments. This functionality is in beta and is subject to change. Beta features are not subject to the support SLA of official GA features. + +## To collect data from Amazon Inspector API, users must have an Access Key and a Secret Key. To create API token follow below steps: 1. Login to https://console.aws.amazon.com/. 2. 
Go to https://console.aws.amazon.com/iam/ to access the IAM console. 
@@ -34,103 +38,170 @@ An example event for `inspector` looks as following: ```json { - "@timestamp": "2022-09-20T19:52:26.405Z", + "@timestamp": "2025-06-05T23:23:16.162Z", "agent": { - "ephemeral_id": "d1032859-fd44-410c-9960-dde7dcbc3a2e", - "id": "4a3373c9-b63f-4544-a929-761b42f50054", - "name": "docker-fleet-agent", + "ephemeral_id": "788993b6-dba1-4abf-a351-971772a30ab3", + "id": "f39725b1-2457-4583-bd15-dc0a928f195e", + "name": "elastic-agent-65036", "type": "filebeat", - "version": "8.4.0" + "version": "8.19.0" }, "aws": { "inspector": { - "finding_arn": "arn:aws:s3:::sample", - "first_observed_at": "2022-09-20T19:52:26.405Z", - "inspector_score": 1.2, + "epss": { + "score": 0.00024 + }, + "exploit_available": "NO", + "finding_arn": "arn:aws:inspector2:us-east-2:123456789012:finding/fb6294abcdef0123456789abcdef8123", + "first_observed_at": "2025-05-29T17:28:07.919Z", + "fix_available": "YES", + "inspector_score": 6.5, "inspector_score_details": { "adjusted_cvss": { - "adjustments": [ - { - "metric": "Base", - "reason": "use Base metric" - } - ], - "cvss_source": "scope1", + "cvss_source": "NVD", "score": { - "source": "scope2", - "value": 8.9 + "source": "NVD" }, - "scoring_vector": "Attack Vector", - "version": "v3.1" + "scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L" } }, - "last_observed_at": "2022-09-20T19:52:26.405Z", - "network_reachability_details": { - "network_path": { - "steps": [ - { - "component": { - "id": "02ce3860-3126-42af-8ac7-c2a661134129", - "type": "type" - } - } - ] + "last_observed_at": "2025-06-05T23:23:16.162Z", + "package_nested": [ + { + "epoch": 0, + "file_path": "vol-0e47545061282cd35:/p1:opt/cni/bin/aws-cni", + "fixed_in_version": "0.38.0", + "name": "golang.org/x/net", + "package_manager": "GOBINARY", + "version": "v0.1.0" }, - "open_port_range": { - "begin": 1234, - "end": 4567 + { + "epoch": 0, + "file_path": "vol-0e47545061282cd35:/p1:etc/eks/image-credential-provider/ecr-credential-provider", + 
"fixed_in_version": "0.38.0", + "name": "golang.org/x/net", + "package_manager": "GOBINARY", + "version": "v0.30.0" + }, + { + "epoch": 0, + "file_path": "vol-0e47545061282cd35:/p1:opt/cni/bin/dhcp", + "fixed_in_version": "0.38.0", + "name": "golang.org/x/net", + "package_manager": "GOBINARY", + "version": "v0.30.0" + }, + { + "epoch": 0, + "file_path": "vol-0e47545061282cd35:/p1:usr/bin/aws-iam-authenticator", + "fixed_in_version": "0.38.0", + "name": "golang.org/x/net", + "package_manager": "GOBINARY", + "version": "v0.30.0" + }, + { + "epoch": 0, + "file_path": "vol-0e47545061282cd35:/p1:usr/bin/kubelet", + "fixed_in_version": "0.38.0", + "name": "golang.org/x/net", + "package_manager": "GOBINARY", + "version": "v0.30.0" + }, + { + "arch": "X86_64", + "epoch": 0, + "fixed_in_version": "0:2.0.5-1.amzn2.0.1", + "name": "nerdctl", + "package_manager": "OS", + "release": "1.amzn2.0.1", + "remediation": "yum update nerdctl", + "version": "2.0.4" } - }, + ], "package_vulnerability_details": { "cvss": [ { - "scoring_vector": "Attack Vector", - "source": "scope3" + "base_score": 6.5, + "scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L", + "source": "NVD", + "version": "3.1" + }, + { + "base_score": 6.5, + "scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L", + "source": "NVD", + "version": "3.1" } ], - "related_vulnerabilities": [ - "security" - ], "source": { "url": { - "domain": "cve.mitre.org", - "extension": "cgi", - "original": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111", - "path": "/cgi-bin/cvename.cgi", - "query": "name=CVE-2019-6111", + "domain": "nvd.nist.gov", + "original": "https://nvd.nist.gov/vuln/detail/CVE-2025-22872", + "path": "/vuln/detail/CVE-2025-22872", "scheme": "https" }, - "value": "example" + "value": "NVD" }, "vendor": { - "created_at": "2022-09-20T19:52:26.405Z", - "updated_at": "2022-09-20T19:52:26.405Z" + "severity": "MEDIUM", + "updated_at": "2025-05-16T23:15:19.000Z" }, "vulnerable_packages": [ 
{ - "arch": "arch", - "epoch": 123, - "file_path": "/example", - "fixed_inversion": "3", - "name": "example", - "package_manager": "BUNDLER", - "release": "release", - "source_layer_hash": "50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545c", - "version": "2.0" + "epoch": 0, + "file_path": "vol-0e47545061282cd35:/p1:opt/cni/bin/aws-cni", + "fixed_in_version": "0.38.0", + "name": "golang.org/x/net", + "package_manager": "GOBINARY", + "version": "v0.1.0" + }, + { + "epoch": 0, + "file_path": "vol-0e47545061282cd35:/p1:etc/eks/image-credential-provider/ecr-credential-provider", + "fixed_in_version": "0.38.0", + "name": "golang.org/x/net", + "package_manager": "GOBINARY", + "version": "v0.30.0" + }, + { + "epoch": 0, + "file_path": "vol-0e47545061282cd35:/p1:opt/cni/bin/dhcp", + "fixed_in_version": "0.38.0", + "name": "golang.org/x/net", + "package_manager": "GOBINARY", + "version": "v0.30.0" + }, + { + "epoch": 0, + "file_path": "vol-0e47545061282cd35:/p1:usr/bin/aws-iam-authenticator", + "fixed_in_version": "0.38.0", + "name": "golang.org/x/net", + "package_manager": "GOBINARY", + "version": "v0.30.0" + }, + { + "epoch": 0, + "file_path": "vol-0e47545061282cd35:/p1:usr/bin/kubelet", + "fixed_in_version": "0.38.0", + "name": "golang.org/x/net", + "package_manager": "GOBINARY", + "version": "v0.30.0" + }, + { + "arch": "X86_64", + "epoch": 0, + "fixed_in_version": "0:2.0.5-1.amzn2.0.1", + "name": "nerdctl", + "package_manager": "OS", + "release": "1.amzn2.0.1", + "remediation": "yum update nerdctl", + "version": "2.0.4" } ] }, "remediation": { "recommendation": { - "text": "example", - "url": { - "domain": "cve.mitre.org", - "extension": "cgi", - "original": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111", - "path": "/cgi-bin/cvename.cgi", - "query": "name=CVE-2019-6111", - "scheme": "https" - } + "text": "None Provided" } }, "resources": [ 
@@ -138,122 +209,218 @@ An example event for `inspector` looks as following: "details": { "aws": { "ec2_instance": { - "iam_instance_profile_arn": "arn:aws:s3:::iam", - "image_id": "123456789", + "iam_instance_profile_arn": "arn:aws:iam::123456789012:instance-profile/eks-0012345a-1234-5678-1234-6c1abcdef012", + "image_id": "ami-0e0f0123456789abd", "ipv4_addresses": [ - "89.160.20.128", - "81.2.69.192" + "10.90.1.245", + "10.90.1.45", + "10.90.1.168", + "10.90.1.157", + "1.128.0.1", + "10.90.1.103", + "10.90.1.197", + "10.90.1.220", + "10.90.1.86", + "10.90.1.29", + "10.90.1.18", + "10.90.1.181", + "10.90.1.161", + "10.90.1.229", + "10.90.1.108", + "10.90.1.219", + "10.90.1.9", + "10.90.1.106", + "10.90.1.206" ], - "ipv6_addresses": [ - "2a02:cf40::" - ], - "key_name": "sample", - "launched_at": "2022-09-20T19:52:26.405Z", - "platform": "EC2", - "subnet_id": "123456", - "type": "Instance", - "vpc_id": "3265875" - }, - "ecr_container_image": { - "architecture": "arch", - "author": "example", - "image": { - "hash": "50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545d", - "tags": [ - "sample" - ] - }, - "platform": "ECR", - "pushed_at": "2022-09-20T19:52:26.405Z", - "registry": "ecr registry", - "repository_name": "sample" + "launched_at": "2025-05-29T16:06:08.000Z", + "platform": "AMAZON_LINUX_2", + "subnet_id": "subnet-0ababcdefabcdef8b", + "type": "t3.medium", + "vpc_id": "vpc-04ab0123456789123" } } }, - "id": "12345678", - "partition": "partition", + "id": "i-0fabcdefabcdef50b", + "partition": "aws", + "region": "us-east-2", "tags": { - "string1": "string1", - "string2": "string2" + "aws:autoscaling:groupName": "eks-sei_demo_prod_linux-00c12345-abcd-1234-5678-601234567896", + "aws:ec2launchtemplate:version": "6", + "aws:eks:cluster-name": "sei_demo_prod", + "eks:cluster-name": "sei_demo_prod", + "eks:nodegroup-name": "sei_demo_prod_linux", + "k8s.io/cluster-autoscaler/enabled": "true", + "k8s.io/cluster-autoscaler/sei_demo_prod": "owned", + 
"kubernetes.io/cluster/sei_demo_prod": "owned" }, "type": "AWS_EC2_INSTANCE" } ], - "severity": "INFORMATIONAL", + "severity": "MEDIUM", "status": "ACTIVE", - "title": "sample findings", - "type": "NETWORK_REACHABILITY" + "transform_unique_id": "CVE-2025-22872|i-0fabcdefabcdef50b|{0=golang.org/x/net, 1=nerdctl}|{0=v0.1.0, 1=v0.30.0, 2=2.0.4}", + "type": "PACKAGE_VULNERABILITY" } }, "cloud": { "account": { - "id": "123456789" + "id": "123456789012" }, - "region": [ - "us-east-1" - ] + "instance": { + "id": "i-0fabcdefabcdef50b" + }, + "machine": { + "type": "t3.medium" + }, + "provider": "aws", + "region": "us-east-2" }, "data_stream": { "dataset": "aws.inspector", - "namespace": "ep", + "namespace": "64174", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "4a3373c9-b63f-4544-a929-761b42f50054", - "snapshot": false, - "version": "8.4.0" + "id": "f39725b1-2457-4583-bd15-dc0a928f195e", + "snapshot": true, + "version": "8.19.0" }, "event": { "agent_id_status": "verified", - "created": "2022-11-17T13:05:04.253Z", + "category": [ + "vulnerability" + ], + "created": "2025-07-15T04:04:32.124Z", "dataset": "aws.inspector", - "ingested": "2022-11-17T13:05:07Z", + "id": "CVE-2025-22872|i-0fabcdefabcdef50b|{0=golang.org/x/net, 1=nerdctl}|{0=v0.1.0, 1=v0.30.0, 2=2.0.4}|2025-06-05T23:23:16.162Z", + "ingested": "2025-07-15T04:04:35Z", "kind": "event", - "original": "{\"awsAccountId\":\"123456789\",\"description\":\"Findins message\",\"findingArn\":\"arn:aws:s3:::sample\",\"firstObservedAt\":\"1.663703546405E9\",\"inspectorScore\":1.2,\"inspectorScoreDetails\":{\"adjustedCvss\":{\"adjustments\":[{\"metric\":\"Base\",\"reason\":\"use Base metric\"}],\"cvssSource\":\"scope1\",\"score\":8.9,\"scoreSource\":\"scope2\",\"scoringVector\":\"Attack 
Vector\",\"version\":\"v3.1\"}},\"lastObservedAt\":\"1.663703546405E9\",\"networkReachabilityDetails\":{\"networkPath\":{\"steps\":[{\"componentId\":\"02ce3860-3126-42af-8ac7-c2a661134129\",\"componentType\":\"type\"}]},\"openPortRange\":{\"begin\":1234,\"end\":4567},\"protocol\":\"TCP\"},\"packageVulnerabilityDetails\":{\"cvss\":[{\"baseScore\":1.1,\"scoringVector\":\"Attack Vector\",\"source\":\"scope3\",\"version\":\"v3.1\"}],\"referenceUrls\":[\"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111\"],\"relatedVulnerabilities\":[\"security\"],\"source\":\"example\",\"sourceUrl\":\"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111\",\"vendorCreatedAt\":\"1.663703546405E9\",\"vendorSeverity\":\"basic\",\"vendorUpdatedAt\":\"1.663703546405E9\",\"vulnerabilityId\":\"123456789\",\"vulnerablePackages\":[{\"arch\":\"arch\",\"epoch\":123,\"filePath\":\"/example\",\"fixedInVersion\":\"3\",\"name\":\"example\",\"packageManager\":\"BUNDLER\",\"release\":\"release\",\"sourceLayerHash\":\"50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545c\",\"version\":\"2.0\"}]},\"remediation\":{\"recommendation\":{\"Url\":\"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111\",\"text\":\"example\"}},\"resources\":[{\"details\":{\"awsEc2Instance\":{\"iamInstanceProfileArn\":\"arn:aws:s3:::iam\",\"imageId\":\"123456789\",\"ipV4Addresses\":[\"89.160.20.128\",\"81.2.69.192\"],\"ipV6Addresses\":[\"2a02:cf40::\"],\"keyName\":\"sample\",\"launchedAt\":\"1.663703546405E9\",\"platform\":\"EC2\",\"subnetId\":\"123456\",\"type\":\"Instance\",\"vpcId\":\"3265875\"},\"awsEcrContainerImage\":{\"architecture\":\"arch\",\"author\":\"example\",\"imageHash\":\"50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545d\",\"imageTags\":[\"sample\"],\"platform\":\"ECR\",\"pushedAt\":\"1.663703546405E9\",\"registry\":\"ecr 
registry\",\"repositoryName\":\"sample\"}},\"id\":\"12345678\",\"partition\":\"partition\",\"region\":\"us-east-1\",\"tags\":{\"string1\":\"string1\",\"string2\":\"string2\"},\"type\":\"AWS_EC2_INSTANCE\"}],\"severity\":\"INFORMATIONAL\",\"status\":\"ACTIVE\",\"title\":\"sample findings\",\"type\":\"NETWORK_REACHABILITY\",\"updatedAt\":\"1.663703546405E9\"}", + "original": "{\"awsAccountId\":\"123456789012\",\"description\":\"The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. \\u003cmath\\u003e, \\u003csvg\\u003e, etc contexts).\",\"epss\":{\"score\":0.00024},\"exploitAvailable\":\"NO\",\"findingArn\":\"arn:aws:inspector2:us-east-2:123456789012:finding/fb6294abcdef0123456789abcdef8123\",\"firstObservedAt\":1748539687.919,\"fixAvailable\":\"YES\",\"inspectorScore\":6.5,\"inspectorScoreDetails\":{\"adjustedCvss\":{\"adjustments\":[],\"cvssSource\":\"NVD\",\"score\":6.5,\"scoreSource\":\"NVD\",\"scoringVector\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L\",\"version\":\"3.1\"}},\"lastObservedAt\":1749165796.162,\"packageVulnerabilityDetails\":{\"cvss\":[{\"baseScore\":6.5,\"scoringVector\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L\",\"source\":\"NVD\",\"version\":\"3.1\"},{\"baseScore\":6.5,\"scoringVector\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L\",\"source\":\"NVD\",\"version\":\"3.1\"}],\"referenceUrls\":[\"https://groups.google.com/g/golang-announce/c/ezSKR9vqbqA\",\"https://nvd.nist.gov/vuln/detail/CVE-2025-22872\",\"https://alas.aws.amazon.com/AL2023/ALAS-2025-981.html\",\"https://alas.aws.amazon.com/AL2/ALASDOCKER-2025-064.html\",\"https://alas.aws.amazon.com/AL2023/ALAS-2025-980.html
\",\"https://alas.aws.amazon.com/AL2/ALASDOCKER-2025-063.html\",\"https://alas.aws.amazon.com/AL2023/ALAS-2025-979.html\",\"https://alas.aws.amazon.com/cve/json/v1/CVE-2025-22872.json\",\"https://alas.aws.amazon.com/AL2/ALAS-2025-2863.html\",\"https://alas.aws.amazon.com/cve/json/v1/CVE-2025-22872.json\"],\"relatedVulnerabilities\":[],\"source\":\"NVD\",\"sourceUrl\":\"https://nvd.nist.gov/vuln/detail/CVE-2025-22872\",\"vendorCreatedAt\":1744827364,\"vendorSeverity\":\"MEDIUM\",\"vendorUpdatedAt\":1747437319,\"vulnerabilityId\":\"CVE-2025-22872\",\"vulnerablePackages\":[{\"epoch\":0,\"filePath\":\"vol-0e47545061282cd35:/p1:opt/cni/bin/aws-cni\",\"fixedInVersion\":\"0.38.0\",\"name\":\"golang.org/x/net\",\"packageManager\":\"GOBINARY\",\"version\":\"v0.1.0\"},{\"epoch\":0,\"filePath\":\"vol-0e47545061282cd35:/p1:etc/eks/image-credential-provider/ecr-credential-provider\",\"fixedInVersion\":\"0.38.0\",\"name\":\"golang.org/x/net\",\"packageManager\":\"GOBINARY\",\"version\":\"v0.30.0\"},{\"epoch\":0,\"filePath\":\"vol-0e47545061282cd35:/p1:opt/cni/bin/dhcp\",\"fixedInVersion\":\"0.38.0\",\"name\":\"golang.org/x/net\",\"packageManager\":\"GOBINARY\",\"version\":\"v0.30.0\"},{\"epoch\":0,\"filePath\":\"vol-0e47545061282cd35:/p1:usr/bin/aws-iam-authenticator\",\"fixedInVersion\":\"0.38.0\",\"name\":\"golang.org/x/net\",\"packageManager\":\"GOBINARY\",\"version\":\"v0.30.0\"},{\"epoch\":0,\"filePath\":\"vol-0e47545061282cd35:/p1:usr/bin/kubelet\",\"fixedInVersion\":\"0.38.0\",\"name\":\"golang.org/x/net\",\"packageManager\":\"GOBINARY\",\"version\":\"v0.30.0\"},{\"arch\":\"X86_64\",\"epoch\":0,\"fixedInVersion\":\"0:2.0.5-1.amzn2.0.1\",\"name\":\"nerdctl\",\"packageManager\":\"OS\",\"release\":\"1.amzn2.0.1\",\"remediation\":\"yum update nerdctl\",\"version\":\"2.0.4\"}]},\"remediation\":{\"recommendation\":{\"text\":\"None 
Provided\"}},\"resources\":[{\"details\":{\"awsEc2Instance\":{\"iamInstanceProfileArn\":\"arn:aws:iam::123456789012:instance-profile/eks-0012345a-1234-5678-1234-6c1abcdef012\",\"imageId\":\"ami-0e0f0123456789abd\",\"ipV4Addresses\":[\"10.90.1.245\",\"10.90.1.45\",\"10.90.1.168\",\"10.90.1.157\",\"1.128.0.1\",\"10.90.1.103\",\"10.90.1.197\",\"10.90.1.220\",\"10.90.1.86\",\"10.90.1.29\",\"10.90.1.18\",\"10.90.1.181\",\"10.90.1.161\",\"10.90.1.229\",\"10.90.1.108\",\"10.90.1.219\",\"10.90.1.9\",\"10.90.1.106\",\"10.90.1.206\"],\"ipV6Addresses\":[],\"launchedAt\":1748534768,\"platform\":\"AMAZON_LINUX_2\",\"subnetId\":\"subnet-0ababcdefabcdef8b\",\"type\":\"t3.medium\",\"vpcId\":\"vpc-04ab0123456789123\"}},\"id\":\"i-0fabcdefabcdef50b\",\"partition\":\"aws\",\"region\":\"us-east-2\",\"tags\":{\"aws:autoscaling:groupName\":\"eks-sei_demo_prod_linux-00c12345-abcd-1234-5678-601234567896\",\"aws:ec2launchtemplate:version\":\"6\",\"aws:eks:cluster-name\":\"sei_demo_prod\",\"eks:cluster-name\":\"sei_demo_prod\",\"eks:nodegroup-name\":\"sei_demo_prod_linux\",\"k8s.io/cluster-autoscaler/enabled\":\"true\",\"k8s.io/cluster-autoscaler/sei_demo_prod\":\"owned\",\"kubernetes.io/cluster/sei_demo_prod\":\"owned\"},\"type\":\"AWS_EC2_INSTANCE\"}],\"severity\":\"MEDIUM\",\"status\":\"ACTIVE\",\"title\":\"CVE-2025-22872 - golang.org/x/net, golang.org/x/net and 4 more\",\"type\":\"PACKAGE_VULNERABILITY\",\"updatedAt\":1749165796.162}", "type": [ "info" ] }, + "host": { + "id": "i-0fabcdefabcdef50b", + "ip": [ + "10.90.1.245", + "10.90.1.45", + "10.90.1.168", + "10.90.1.157", + "1.128.0.1", + "10.90.1.103", + "10.90.1.197", + "10.90.1.220", + "10.90.1.86", + "10.90.1.29", + "10.90.1.18", + "10.90.1.181", + "10.90.1.161", + "10.90.1.229", + "10.90.1.108", + "10.90.1.219", + "10.90.1.9", + "10.90.1.106", + "10.90.1.206" + ], + "os": { + "platform": "AMAZON_LINUX_2", + "type": "linux" + }, + "type": "t3.medium" + }, "input": { "type": "httpjson" }, - "message": "Findins message", - 
"network": { - "transport": "tcp" + "message": "The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. , , etc contexts).", + "observer": { + "vendor": "Amazon Inspector" }, - "related": { - "hash": [ - "50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545c", - "50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545d" + "package": { + "architecture": [ + "X86_64" + ], + "fixed_version": [ + "0.38.0", + "0:2.0.5-1.amzn2.0.1" + ], + "name": [ + "golang.org/x/net", + "nerdctl" + ], + "path": [ + "vol-0e47545061282cd35:/p1:opt/cni/bin/aws-cni", + "vol-0e47545061282cd35:/p1:etc/eks/image-credential-provider/ecr-credential-provider", + "vol-0e47545061282cd35:/p1:opt/cni/bin/dhcp", + "vol-0e47545061282cd35:/p1:usr/bin/aws-iam-authenticator", + "vol-0e47545061282cd35:/p1:usr/bin/kubelet" ], + "version": [ + "v0.1.0", + "v0.30.0", + "2.0.4" + ] + }, + "related": { "ip": [ - "89.160.20.128", - "81.2.69.192", - "2a02:cf40::" + "10.90.1.245", + "10.90.1.45", + "10.90.1.168", + "10.90.1.157", + "1.128.0.1", + "10.90.1.103", + "10.90.1.197", + "10.90.1.220", + "10.90.1.86", + "10.90.1.29", + "10.90.1.18", + "10.90.1.181", + "10.90.1.161", + "10.90.1.229", + "10.90.1.108", + "10.90.1.219", + "10.90.1.9", + "10.90.1.106", + "10.90.1.206" ] }, + "resource": { + "id": "i-0fabcdefabcdef50b", + "type": "AWS_EC2_INSTANCE" + }, "tags": [ "preserve_original_event", "forwarded", "aws-inspector" ], "vulnerability": { - "id": "123456789", + "description": "The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. 
When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. , , etc contexts).", + "id": "CVE-2025-22872", + "published_date": "2025-04-16T18:16:04.000Z", "reference": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111" + "https://groups.google.com/g/golang-announce/c/ezSKR9vqbqA", + "https://nvd.nist.gov/vuln/detail/CVE-2025-22872", + "https://alas.aws.amazon.com/AL2023/ALAS-2025-981.html", + "https://alas.aws.amazon.com/AL2/ALASDOCKER-2025-064.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2025-980.html", + "https://alas.aws.amazon.com/AL2/ALASDOCKER-2025-063.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2025-979.html", + "https://alas.aws.amazon.com/cve/json/v1/CVE-2025-22872.json", + "https://alas.aws.amazon.com/AL2/ALAS-2025-2863.html", + "https://alas.aws.amazon.com/cve/json/v1/CVE-2025-22872.json" ], + "scanner": { + "vendor": "Amazon Inspector" + }, "score": { - "base": [ - 1.1 - ], - "version": [ - "v3.1" - ] + "base": 6.5, + "version": "3.1" }, - "severity": "basic" + "severity": "Medium", + "title": "CVE-2025-22872 - golang.org/x/net, golang.org/x/net and 4 more" } } ``` 
@@ -266,9 +433,23 @@ Please refer to the following [document](https://www.elastic.co/guide/en/ecs/cur
 
 | Field | Description | Type |
 |---|---|---|
-| @timestamp | Event timestamp. | date |
+| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
 | aws.inspector.aws_account_id | The AWS account ID associated with the finding. | keyword |
+| aws.inspector.code_vulnerability_details.cwes | The Common Weakness Enumeration (CWE) item associated with the detected vulnerability. | keyword |
+| aws.inspector.code_vulnerability_details.detector_id | The ID for the Amazon CodeGuru detector associated with the finding. For more information on detectors see Amazon CodeGuru Detector Library. | keyword |
+| aws.inspector.code_vulnerability_details.detector_name | The name of the detector used to identify the code vulnerability. For more information on detectors see CodeGuru Detector Library. | keyword |
+| aws.inspector.code_vulnerability_details.detector_tags | The detector tag associated with the vulnerability. Detector tags group related vulnerabilities by common themes or tactics. For a list of available tags by programming language, see Java tags, or Python tags. | keyword |
+| aws.inspector.code_vulnerability_details.file_path.end_line | The line number of the last line of code that a vulnerability was found in. | long |
+| aws.inspector.code_vulnerability_details.file_path.name | The name of the file the code vulnerability was found in. | keyword |
+| aws.inspector.code_vulnerability_details.file_path.path | The file path to the code that a vulnerability was found in. | keyword |
+| aws.inspector.code_vulnerability_details.file_path.start_line | The line number of the first line of code that a vulnerability was found in. | long |
+| aws.inspector.code_vulnerability_details.reference_urls | A URL containing supporting documentation about the code vulnerability detected. | keyword |
+| aws.inspector.code_vulnerability_details.rule_id | The identifier for a rule that was used to detect the code vulnerability. | keyword |
+| aws.inspector.code_vulnerability_details.source_lambda_layer_arn | The Amazon Resource Name (ARN) of the Lambda layer that the code vulnerability was detected in. | keyword |
 | aws.inspector.description | The description of the finding. | text |
+| aws.inspector.epss.score | The EPSS score. | double |
+| aws.inspector.exploit_available | If a finding discovered in your environment has an exploit available. | keyword |
+| aws.inspector.exploitability_details.last_known_exploit_at | The date and time of the last exploit associated with a finding discovered in your environment. | date |
 | aws.inspector.finding_arn | The Amazon Resource Number (ARN) of the finding. | keyword |
 | aws.inspector.first_observed_at | The date and time that the finding was first observed. | date |
 | aws.inspector.fix_available | Details on whether a fix is available through a version update. This value can be YES, NO, or PARTIAL. A PARTIAL fix means that some, but not all, of the packages identified in the finding have fixes available through updated versions. | keyword |
@@ -281,11 +462,23 @@ Please refer to the following [document](https://www.elastic.co/guide/en/ecs/cur
 | aws.inspector.inspector_score_details.adjusted_cvss.scoring_vector | The vector for the CVSS score. | keyword |
 | aws.inspector.inspector_score_details.adjusted_cvss.version | The CVSS version used in scoring. | keyword |
 | aws.inspector.last_observed_at | The date and time that the finding was last observed. | date |
+| aws.inspector.network_reachability_details.network_path.steps.component.arn | The component ARN. The ARN can be null and is not displayed in the AWS console. | keyword |
 | aws.inspector.network_reachability_details.network_path.steps.component.id | The component ID. | keyword |
 | aws.inspector.network_reachability_details.network_path.steps.component.type | The component type. | keyword |
 | aws.inspector.network_reachability_details.open_port_range.begin | The beginning port in a port range. | long |
 | aws.inspector.network_reachability_details.open_port_range.end | The ending port in a port range. | long |
 | aws.inspector.network_reachability_details.protocol | The protocol associated with a finding. | keyword |
+| aws.inspector.package_nested.arch | The architecture of the vulnerable package. | keyword |
+| aws.inspector.package_nested.epoch | The epoch of the vulnerable package. | long |
+| aws.inspector.package_nested.file_path | The file path of the vulnerable package. | keyword |
+| aws.inspector.package_nested.fixed_in_version | The version of the package that contains the vulnerability fix. | keyword |
+| aws.inspector.package_nested.name | The name of the vulnerable package. | keyword |
+| aws.inspector.package_nested.package_manager | The package manager of the vulnerable package. | keyword |
+| aws.inspector.package_nested.release | The release of the vulnerable package. | keyword |
+| aws.inspector.package_nested.remediation | The code to run in your environment to update packages with a fix available. | keyword |
+| aws.inspector.package_nested.source_lambda_layer_arn | The Amazon Resource Number (ARN) of the AWS Lambda function affected by a finding. | keyword |
+| aws.inspector.package_nested.source_layer_hash | The source layer hash of the vulnerable package. | keyword |
+| aws.inspector.package_nested.version | The version of the vulnerable package. | keyword |
 | aws.inspector.package_vulnerability_details.cvss.base_score | The base CVSS score used for the finding. | double |
 | aws.inspector.package_vulnerability_details.cvss.scoring_vector | The vector string of the CVSS score. | keyword |
 | aws.inspector.package_vulnerability_details.cvss.source | The source of the CVSS score. | keyword |
@@ -306,10 +499,12 @@ Please refer to the following [document](https://www.elastic.co/guide/en/ecs/cur
 | aws.inspector.package_vulnerability_details.vulnerable_packages.arch | The architecture of the vulnerable package. | keyword |
 | aws.inspector.package_vulnerability_details.vulnerable_packages.epoch | The epoch of the vulnerable package. | long |
 | aws.inspector.package_vulnerability_details.vulnerable_packages.file_path | The file path of the vulnerable package. | keyword |
-| aws.inspector.package_vulnerability_details.vulnerable_packages.fixed_inversion | The version of the package that contains the vulnerability fix. | keyword |
+| aws.inspector.package_vulnerability_details.vulnerable_packages.fixed_in_version | The version of the package that contains the vulnerability fix. | keyword |
 | aws.inspector.package_vulnerability_details.vulnerable_packages.name | The name of the vulnerable package. | keyword |
 | aws.inspector.package_vulnerability_details.vulnerable_packages.package_manager | The package manager of the vulnerable package. | keyword |
 | aws.inspector.package_vulnerability_details.vulnerable_packages.release | The release of the vulnerable package. | keyword |
+| aws.inspector.package_vulnerability_details.vulnerable_packages.remediation | The code to run in your environment to update packages with a fix available. | keyword |
+| aws.inspector.package_vulnerability_details.vulnerable_packages.source_lambda_layer_arn | The Amazon Resource Number (ARN) of the AWS Lambda function affected by a finding. | keyword |
 | aws.inspector.package_vulnerability_details.vulnerable_packages.source_layer_hash | The source layer hash of the vulnerable package. | keyword |
 | aws.inspector.package_vulnerability_details.vulnerable_packages.version | The version of the vulnerable package. | keyword |
 | aws.inspector.remediation.recommendation.text | The recommended course of action to remediate the finding. | keyword |
@@ -333,10 +528,27 @@ Please refer to the following [document](https://www.elastic.co/guide/en/ecs/cur
 | aws.inspector.resources.details.aws.ecr_container_image.author | The image author of the Amazon ECR container image. | keyword |
 | aws.inspector.resources.details.aws.ecr_container_image.image.hash | The image hash of the Amazon ECR container image. | keyword |
 | aws.inspector.resources.details.aws.ecr_container_image.image.tags | The image tags attached to the Amazon ECR container image. | keyword |
+| aws.inspector.resources.details.aws.ecr_container_image.in_use_count | The number of Amazon ECS tasks or Amazon EKS pods where the Amazon ECR container image is in use. | long |
+| aws.inspector.resources.details.aws.ecr_container_image.last_in_use_at | The last time an Amazon ECR image was used in an Amazon ECS task or Amazon EKS pod. | date |
 | aws.inspector.resources.details.aws.ecr_container_image.platform | The platform of the Amazon ECR container image. | keyword |
 | aws.inspector.resources.details.aws.ecr_container_image.pushed_at | The date and time the Amazon ECR container image was pushed. | date |
 | aws.inspector.resources.details.aws.ecr_container_image.registry | The registry the Amazon ECR container image belongs to. | keyword |
 | aws.inspector.resources.details.aws.ecr_container_image.repository_name | The name of the repository the Amazon ECR container image resides in. | keyword |
+| aws.inspector.resources.details.aws.lambda_function.architectures | The instruction set architecture that the AWS Lambda function supports. Architecture is a string array with one of the valid values. The default architecture value is x86_64. | keyword |
+| aws.inspector.resources.details.aws.lambda_function.code_sha256 | The SHA256 hash of the AWS Lambda function's deployment package. | keyword |
+| aws.inspector.resources.details.aws.lambda_function.execution_role_arn | The AWS Lambda function's execution role. | keyword |
+| aws.inspector.resources.details.aws.lambda_function.function_name | The name of the AWS Lambda function. | keyword |
+| aws.inspector.resources.details.aws.lambda_function.last_modified_at | The date and time that a user last updated the configuration, in ISO 8601 format. | date |
+| aws.inspector.resources.details.aws.lambda_function.layers | The AWS Lambda function's layers. A Lambda function can have up to five layers. | keyword |
+| aws.inspector.resources.details.aws.lambda_function.package_type | The type of deployment package. Set to Image for container image and set Zip for .zip file archive. | keyword |
+| aws.inspector.resources.details.aws.lambda_function.runtime | The runtime environment for the AWS Lambda function. | keyword |
+| aws.inspector.resources.details.aws.lambda_function.version | The version of the AWS Lambda function. | keyword |
+| aws.inspector.resources.details.aws.lambda_function.vpc_config.security_group_ids | The VPC security groups and subnets that are attached to an AWS Lambda function. For more information, see VPC Settings. | keyword |
+| aws.inspector.resources.details.aws.lambda_function.vpc_config.subnet_ids | A list of VPC subnet IDs. | keyword |
+| aws.inspector.resources.details.aws.lambda_function.vpc_config.vpc_id | The ID of the VPC. | keyword |
+| aws.inspector.resources.details.code_repository.integration_arn | The Amazon Resource Name (ARN) of the code security integration associated with the repository. | keyword |
+| aws.inspector.resources.details.code_repository.project_name | The name of the project in the code repository. | keyword |
+| aws.inspector.resources.details.code_repository.provider_type | The type of repository provider (such as GitHub, GitLab, etc.). | keyword |
 | aws.inspector.resources.id | The ID of the resource. | keyword |
 | aws.inspector.resources.partition | The partition of the resource. | keyword |
 | aws.inspector.resources.region | The AWS Region the impacted resource is located in. | keyword |
@@ -345,16 +557,30 @@ Please refer to the following [document](https://www.elastic.co/guide/en/ecs/cur
 | aws.inspector.severity | The severity of the finding. | keyword |
 | aws.inspector.status | The status of the finding. | keyword |
 | aws.inspector.title | The title of the finding. | keyword |
+| aws.inspector.transform_unique_id | | keyword |
 | aws.inspector.type | The type of the finding. | keyword |
 | aws.inspector.updated_at | The date and time the finding was last updated at. | date |
 | cloud.image.id | Image ID for the cloud instance. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| event.module | Event module. | constant_keyword |
+| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword |
+| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword |
+| data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword |
+| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | constant_keyword |
+| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | constant_keyword |
 | host.containerized | If the host is a container. | boolean |
 | host.os.build | OS build information. | keyword |
 | host.os.codename | OS codename, if any. | keyword |
 | input.type | Input type | keyword |
+| log.file.device_id | Device Id of the log file this event came from. | keyword |
+| log.file.inode | Inode number of the log file. | keyword |
+| log.file.path | Path to the log file. | keyword |
 | log.offset | Log offset | long |
+| observer.vendor | Vendor name of the observer. | constant_keyword |
+| package.fixed_version | In which version of the package the vulnerability was fixed. | keyword |
+| resource.id | The ID of the vulnerable resource. | keyword |
+| resource.name | The name of the vulnerable resource. | keyword |
+| resource.type | The type of the vulnerable resource. | keyword |
+| vulnerability.cve | The CVE id of the vulnerability. | keyword |
+| vulnerability.published_date | When the vulnerability was published. | date |
+| vulnerability.scanner.vendor | The name of the vulnerability scanner vendor. | constant_keyword |
+| vulnerability.title | The human readeable title of the vulnerability. | keyword |
diff --git a/packages/aws/img/inspector-ec2-ecr-overview-dashboard.png b/packages/aws/img/inspector-ec2-ecr-overview-dashboard.png
new file mode 100644
index 00000000000..159e2b92fcb
Binary files /dev/null and b/packages/aws/img/inspector-ec2-ecr-overview-dashboard.png differ
diff --git a/packages/aws/img/inspector-findings-overview-dashboard.png b/packages/aws/img/inspector-findings-overview-dashboard.png
new file mode 100644
index 00000000000..4ba5314e356
Binary files /dev/null and b/packages/aws/img/inspector-findings-overview-dashboard.png differ
diff --git a/packages/aws/img/inspector-screenshot.png b/packages/aws/img/inspector-screenshot.png
deleted file mode 100644
index 56de930b5a8..00000000000
Binary files a/packages/aws/img/inspector-screenshot.png and /dev/null differ
diff --git a/packages/aws/img/inspector-severity-dashboard.png b/packages/aws/img/inspector-severity-dashboard.png
new file mode 100644
index 00000000000..003ef9696c5
Binary files /dev/null and b/packages/aws/img/inspector-severity-dashboard.png differ
diff --git a/packages/aws/img/inspector-vulnerabilities-dashboard.png b/packages/aws/img/inspector-vulnerabilities-dashboard.png
new file mode 100644
index 00000000000..6f66f08c400
Binary files /dev/null and b/packages/aws/img/inspector-vulnerabilities-dashboard.png differ
diff --git a/packages/aws/kibana/dashboard/aws-131a1550-5a0b-11ed-a807-bd2da8f2e79b.json b/packages/aws/kibana/dashboard/aws-131a1550-5a0b-11ed-a807-bd2da8f2e79b.json
index 4d9344670c3..aaa994df3cd 100644
--- a/packages/aws/kibana/dashboard/aws-131a1550-5a0b-11ed-a807-bd2da8f2e79b.json
+++ b/packages/aws/kibana/dashboard/aws-131a1550-5a0b-11ed-a807-bd2da8f2e79b.json
@@ -3,11 +3,34 @@ "controlGroupInput": { "chainingSystem": "HIERARCHICAL", "controlStyle": "oneLine", - "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", - "panelsJSON": "{\"5de52701-f68f-43d6-b708-9ee6215f945a\":{\"order\":0,\"width\":\"large\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"aws.inspector.severity\",\"parentFieldName\":\"aws.inspector.severity\",\"title\":\"AWS Inspector Findings Severity\",\"id\":\"5de52701-f68f-43d6-b708-9ee6215f945a\",\"selectedOptions\":[],\"enhancements\":{}}}}" + "ignoreParentSettingsJSON": { + "ignoreFilters": false, + "ignoreQuery": false, + "ignoreTimerange": false, + "ignoreValidations": false + }, + "panelsJSON": { + "5de52701-f68f-43d6-b708-9ee6215f945a": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "aws.inspector.severity", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "AWS Inspector Findings Severity" + }, + "grow": true, + "order": 0, + "type": "optionsListControl", + "width": "large" + } + }, + "showApplySelections": false }, "description": "Overview of AWS Inspector Findings logs.", - "hits": 0, "kibanaSavedObjectMeta": { "searchSourceJSON": { "filter": [ @@ -42,6 +65,7 @@ "optionsJSON": { "hidePanelTitles": false, "syncColors": false, + "syncCursor": true, "syncTooltips": false, "useMargins": true }, @@ -58,7 +82,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "6b39ae60-44af-44ec-89ce-9d0e344b839b": { "columnOrder": [ 
@@ -116,15 +140,17 @@ "layers": [ { "categoryDisplay": "default", - "groups": [ - "c57df882-ee88-4a45-bad1-a6e37fd66f0b" - ], "layerId": "6b39ae60-44af-44ec-89ce-9d0e344b839b", "layerType": "data", "legendDisplay": "show", - "metric": "8aa1dbfa-dfa6-42c3-af56-1f9540982d76", + "metrics": [ + "8aa1dbfa-dfa6-42c3-af56-1f9540982d76" + ], "nestedLegend": false, "numberDisplay": "percent", + "primaryGroups": [ + "c57df882-ee88-4a45-bad1-a6e37fd66f0b" + ], "truncateLegend": false } ], @@ -133,8 +159,20 @@ }, "visualizationType": "lnsPie" }, - "enhancements": {}, - "hidePanelTitles": false + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "hidePanelTitles": false, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 15, @@ -145,8 +183,7 @@ }, "panelIndex": "2c9f6be4-d000-4aae-a20e-3276e296a95a", "title": "Distribution of Findings by Status [Logs Inspector]", - "type": "lens", - "version": "8.4.0" + "type": "lens" }, { "embeddableConfig": { @@ -160,7 +197,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "1dae6ff8-1a46-42dc-8e3c-7c6f597f71d2": { "columnOrder": [ @@ -196,10 +233,22 @@ "layerType": "data" } }, - "visualizationType": "lnsMetric" + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } }, - "enhancements": {}, - "hidePanelTitles": false + "filters": [], + "hidePanelTitles": false, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 15, @@ -210,8 +259,7 @@ }, "panelIndex": "e0d79f79-7160-4106-980b-9bfbbd384a48", "title": "Total Findings Count [Logs Inspector]", - "type": "lens", - "version": "8.4.0" + "type": "lens" }, { "embeddableConfig": { 
@@ -225,7 +273,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "6b39ae60-44af-44ec-89ce-9d0e344b839b": { "columnOrder": [ @@ -282,16 +330,18 @@ "layers": [ { "categoryDisplay": "default", - "groups": [ - "c57df882-ee88-4a45-bad1-a6e37fd66f0b" - ], "layerId": "6b39ae60-44af-44ec-89ce-9d0e344b839b", "layerType": "data", "legendDisplay": "show", "legendSize": "xlarge", - "metric": "8aa1dbfa-dfa6-42c3-af56-1f9540982d76", + "metrics": [ + "8aa1dbfa-dfa6-42c3-af56-1f9540982d76" + ], "nestedLegend": false, "numberDisplay": "percent", + "primaryGroups": [ + "c57df882-ee88-4a45-bad1-a6e37fd66f0b" + ], "truncateLegend": false } ], @@ -302,8 +352,20 @@ "type": "lens", "visualizationType": "lnsPie" }, - "enhancements": {}, - "hidePanelTitles": false + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "hidePanelTitles": false, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 15, @@ -314,8 +376,7 @@ }, "panelIndex": "736a3ccc-8ced-4619-a703-b646564b3849", "title": "Distribution of Findings by Type [Logs Inspector]", - "type": "lens", - "version": "8.4.0" + "type": "lens" }, { "embeddableConfig": { @@ -329,7 +390,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "330d4bd7-3d50-4661-aaeb-6239e9afbd85": { "columnOrder": [ @@ -386,15 +447,17 @@ "layers": [ { "categoryDisplay": "default", - "groups": [ - "7fd0f4ce-5c8b-4f17-aff7-1c68f6e05525" - ], "layerId": "330d4bd7-3d50-4661-aaeb-6239e9afbd85", "layerType": "data", "legendDisplay": "show", - "metric": "dfba9e56-fb69-439c-841f-84cf8d6b3ea6", + "metrics": [ + "dfba9e56-fb69-439c-841f-84cf8d6b3ea6" + ], "nestedLegend": false, "numberDisplay": "percent", + "primaryGroups": [ + "7fd0f4ce-5c8b-4f17-aff7-1c68f6e05525" + ], "truncateLegend": false } ], 
@@ -403,8 +466,20 @@ }, "visualizationType": "lnsPie" }, - "enhancements": {}, - "hidePanelTitles": false + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "hidePanelTitles": false, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 15, @@ -415,24 +490,7 @@ }, "panelIndex": "6c7ebad2-7916-4969-b4fe-8f26dc3655d9", "title": "Distribution of Findings by Network Protocol [Logs Inspector]", - "type": "lens", - "version": "8.4.0" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 15, - "i": "a3dbcb3a-e56a-43bb-bf34-e05a3e61e4c0", - "w": 24, - "x": 24, - "y": 34 - }, - "panelIndex": "a3dbcb3a-e56a-43bb-bf34-e05a3e61e4c0", - "panelRefName": "panel_a3dbcb3a-e56a-43bb-bf34-e05a3e61e4c0", - "type": "search", - "version": "8.4.0" + "type": "lens" }, { "embeddableConfig": { @@ -445,8 +503,9 @@ } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "b2cd46b9-b4fd-4940-9d35-567844a01b5f": { "columnOrder": [ @@ -471,10 +530,11 @@ "parentFormat": { "id": "terms" }, + "secondaryFields": [], "size": 10 }, "scale": "ordinal", - "sourceField": "aws.inspector.title" + "sourceField": "vulnerability.title" }, "e9633195-636f-4935-8348-fac4365bfa5e": { "customLabel": true, @@ -495,6 +555,7 @@ } }, "filters": [], + "internalReferences": [], "query": { "language": "kuery", "query": "" @@ -519,8 +580,20 @@ "type": "lens", "visualizationType": "lnsDatatable" }, - "enhancements": {}, - "hidePanelTitles": false + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "hidePanelTitles": false, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 15, 
@@ -531,12 +604,15 @@ }, "panelIndex": "b7c5bf1e-b774-455f-8fbc-07e2e31f092e", "title": "Top 10 Findings Title with Highest Inspector Score [Logs Inspector]", - "type": "lens", - "version": "8.4.0" + "type": "lens" }, { "embeddableConfig": { - "enhancements": {}, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, "savedVis": { "data": { "aggs": [], @@ -551,9 +627,10 @@ "description": "", "params": { "fontSize": 13, - "markdown": "[Inspector Inspector Findings Overview Dashboard](#/dashboard/aws-131a1550-5a0b-11ed-a807-bd2da8f2e79b) | [Inspector Severity Dashboard](#/dashboard/aws-60881ab0-63e0-11ed-be08-4b4db5223139) | [Inspector Vulnerabilities Dashboard](#/dashboard/aws-383d4630-63df-11ed-be08-4b4db5223139) | [Inspector Inspector EC2 and ECR Overview Dashboard](#/dashboard/aws-63984b70-63e1-11ed-be08-4b4db5223139) ", + "markdown": "**Inspector Findings Overview Dashboard** | [Inspector Severity Dashboard](#/dashboard/aws-60881ab0-63e0-11ed-be08-4b4db5223139) | [Inspector Vulnerabilities Dashboard](#/dashboard/aws-383d4630-63df-11ed-be08-4b4db5223139) | [Inspector EC2 and ECR Overview Dashboard](#/dashboard/aws-63984b70-63e1-11ed-be08-4b4db5223139) ", "openLinksInNewTab": true }, + "title": "", "type": "markdown", "uiState": {} } 
@@ -567,25 +644,48 @@ }, "panelIndex": "76a6efa7-5420-473d-b856-cf972834b31b", "title": "Dashboards [Logs Inspector]", - "type": "visualization", - "version": "8.4.0" + "type": "visualization" + }, + { + "embeddableConfig": { + "description": "", + "enhancements": { + "dynamicActions": { + "events": [] + } + } + }, + "gridData": { + "h": 15, + "i": "7d8c7665-cc3d-4767-ab31-9b50a0e046a2", + "w": 24, + "x": 24, + "y": 34 + }, + "panelIndex": "7d8c7665-cc3d-4767-ab31-9b50a0e046a2", + "panelRefName": "panel_7d8c7665-cc3d-4767-ab31-9b50a0e046a2", + "title": "Findings Essential Details [Logs Inspector]", + "type": "search" } ], "timeRestore": false, "title": "[Logs AWS] Inspector Findings Overview", - "version": 1 + "version": 3 }, - "coreMigrationVersion": "8.4.0", + "coreMigrationVersion": "8.8.0", + "created_at": "2025-06-24T13:48:21.048Z", "id": "aws-131a1550-5a0b-11ed-a807-bd2da8f2e79b", - "migrationVersion": { - "dashboard": "8.4.0" - }, "references": [ { "id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern" }, + { + "id": "aws-b789513e-47bd-4d48-bc66-7713bebfc313", + "name": "7d8c7665-cc3d-4767-ab31-9b50a0e046a2:panel_7d8c7665-cc3d-4767-ab31-9b50a0e046a2", + "type": "search" + }, { "id": "logs-*", "name": "2c9f6be4-d000-4aae-a20e-3276e296a95a:indexpattern-datasource-layer-6b39ae60-44af-44ec-89ce-9d0e344b839b", @@ -606,11 +706,6 @@ "name": "6c7ebad2-7916-4969-b4fe-8f26dc3655d9:indexpattern-datasource-layer-330d4bd7-3d50-4661-aaeb-6239e9afbd85", "type": "index-pattern" }, - { - "id": "aws-395fef40-5a52-11ed-a807-bd2da8f2e79b", - "name": "a3dbcb3a-e56a-43bb-bf34-e05a3e61e4c0:panel_a3dbcb3a-e56a-43bb-bf34-e05a3e61e4c0", - "type": "search" - }, { "id": "logs-*", "name": "b7c5bf1e-b774-455f-8fbc-07e2e31f092e:indexpattern-datasource-layer-b2cd46b9-b4fd-4940-9d35-567844a01b5f", 
@@ -620,7 +715,23 @@ "id": "logs-*", "name": "controlGroup_5de52701-f68f-43d6-b708-9ee6215f945a:optionsListDataView", "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "aws-security-solution-default", + "name": "tag-ref-aws-security-solution-default", + "type": "tag" + }, + { + "id": "aws-security-solution-default", + "name": "tag-ref-security-solution-default", + "type": "tag" } ], - "type": "dashboard" + "type": "dashboard", + "typeMigrationVersion": "10.2.0" } \ No newline at end of file diff --git a/packages/aws/kibana/dashboard/aws-383d4630-63df-11ed-be08-4b4db5223139.json b/packages/aws/kibana/dashboard/aws-383d4630-63df-11ed-be08-4b4db5223139.json index 25f81508e01..9283a00e929 100644 --- a/packages/aws/kibana/dashboard/aws-383d4630-63df-11ed-be08-4b4db5223139.json +++ b/packages/aws/kibana/dashboard/aws-383d4630-63df-11ed-be08-4b4db5223139.json 
@@ -3,11 +3,34 @@ "controlGroupInput": { "chainingSystem": "HIERARCHICAL", "controlStyle": "oneLine", - "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", - "panelsJSON": "{\"8c8c8996-6862-4a4d-9726-f4500f1ea571\":{\"order\":0,\"width\":\"large\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"title\":\"AWS Inspector Findings Severity\",\"fieldName\":\"aws.inspector.severity\",\"id\":\"8c8c8996-6862-4a4d-9726-f4500f1ea571\",\"enhancements\":{}}}}" + "ignoreParentSettingsJSON": { + "ignoreFilters": false, + "ignoreQuery": false, + "ignoreTimerange": false, + "ignoreValidations": false + }, + "panelsJSON": { + "8c8c8996-6862-4a4d-9726-f4500f1ea571": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "aws.inspector.severity", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "AWS Inspector Findings Severity" + }, + "grow": true, + "order": 0, + "type": "optionsListControl", + "width": "large" + } + }, + "showApplySelections": false }, "description": "Overview of AWS Inspector Vulnerabilities.", - "hits": 0, "kibanaSavedObjectMeta": { "searchSourceJSON": { "filter": [ @@ -42,6 +65,7 @@ "optionsJSON": { "hidePanelTitles": false, "syncColors": false, + "syncCursor": true, "syncTooltips": false, "useMargins": true }, @@ -58,7 +82,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "b2cd46b9-b4fd-4940-9d35-567844a01b5f": { "columnOrder": [ @@ -130,7 +154,19 @@ }, "visualizationType": "lnsDatatable" }, - "enhancements": {} + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 15, 
@@ -141,8 +177,7 @@ }, "panelIndex": "dd29b1be-2713-4758-bef1-9c310b4a8e1a", "title": "Top 10 Vulnerability CVSS Source with Highest CVSS Score [Logs Inspector]", - "type": "lens", - "version": "8.4.0" + "type": "lens" }, { "embeddableConfig": { @@ -155,13 +190,14 @@ }, { "id": "logs-*", - "name": "70dabf72-dffc-47df-b5d3-c77b70cf123c", + "name": "61920bc2-7699-405e-bfd6-06d04ddf46a0", "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "fe831232-3ace-47b6-98d3-668b72da68cf": { "columnOrder": [ @@ -224,7 +260,7 @@ "size": 10 }, "scale": "ordinal", - "sourceField": "aws.inspector.package_vulnerability_details.vulnerable_packages.name" + "sourceField": "package.name" } }, "incompleteColumns": {} @@ -240,7 +276,7 @@ "meta": { "alias": null, "disabled": false, - "index": "70dabf72-dffc-47df-b5d3-c77b70cf123c", + "index": "61920bc2-7699-405e-bfd6-06d04ddf46a0", "key": "aws.inspector.severity", "negate": false, "params": { @@ -255,6 +291,7 @@ } } ], + "internalReferences": [], "query": { "language": "kuery", "query": "" @@ -279,9 +316,45 @@ "layerType": "data" } }, + "title": "", + "type": "lens", "visualizationType": "lnsDatatable" }, - "enhancements": {} + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "logs-*", + "key": "aws.inspector.severity", + "negate": false, + "params": { + "query": "CRITICAL" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "aws.inspector.severity": "CRITICAL" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 15, 
@@ -292,12 +365,16 @@ }, "panelIndex": "896a3082-c44b-456c-a144-0ce096c0a213", "title": "Vulnerabilities Package Name with Most Critical Findings [Logs Inspector]", - "type": "lens", - "version": "8.4.0" + "type": "lens" }, { "embeddableConfig": { - "enhancements": {} + "description": "", + "enhancements": { + "dynamicActions": { + "events": [] + } + } }, "gridData": { "h": 15, @@ -308,12 +385,16 @@ }, "panelIndex": "1bd92e14-3902-4a5b-bc32-86952f9fdfb0", "panelRefName": "panel_1bd92e14-3902-4a5b-bc32-86952f9fdfb0", - "type": "search", - "version": "8.4.0" + "title": "Findings Package Vulnerability Essential Details [Logs Inspector]", + "type": "search" }, { "embeddableConfig": { - "enhancements": {}, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, "savedVis": { "data": { "aggs": [], @@ -328,9 +409,10 @@ "description": "", "params": { "fontSize": 13, - "markdown": "[Inspector Inspector Findings Overview Dashboard](#/dashboard/aws-131a1550-5a0b-11ed-a807-bd2da8f2e79b) | [Inspector Severity Dashboard](#/dashboard/aws-60881ab0-63e0-11ed-be08-4b4db5223139) | [Inspector Vulnerabilities Dashboard](#/dashboard/aws-383d4630-63df-11ed-be08-4b4db5223139) | [Inspector Inspector EC2 and ECR Overview Dashboard](#/dashboard/aws-63984b70-63e1-11ed-be08-4b4db5223139) ", + "markdown": "[Inspector Findings Overview Dashboard](#/dashboard/aws-131a1550-5a0b-11ed-a807-bd2da8f2e79b) | [Inspector Severity Dashboard](#/dashboard/aws-60881ab0-63e0-11ed-be08-4b4db5223139) | **Inspector Vulnerabilities Dashboard** | [Inspector EC2 and ECR Overview Dashboard](#/dashboard/aws-63984b70-63e1-11ed-be08-4b4db5223139) ", "openLinksInNewTab": true }, + "title": "", "type": "markdown", "uiState": {} } 
@@ -344,25 +426,27 @@ }, "panelIndex": "858f6288-7c54-4d7a-be33-374a9d79d1e4", "title": "Dashboards [Logs Inspector]", - "type": "visualization", - "version": "8.4.0" + "type": "visualization" } ], "timeRestore": false, "title": "[Logs AWS] Inspector Vulnerabilities", - "version": 1 + "version": 3 }, - "coreMigrationVersion": "8.4.0", + "coreMigrationVersion": "8.8.0", + "created_at": "2025-06-24T13:48:21.048Z", "id": "aws-383d4630-63df-11ed-be08-4b4db5223139", - "migrationVersion": { - "dashboard": "8.4.0" - }, "references": [ { "id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern" }, + { + "id": "aws-dffd2200-5a52-11ed-a807-bd2da8f2e79b", + "name": "1bd92e14-3902-4a5b-bc32-86952f9fdfb0:panel_1bd92e14-3902-4a5b-bc32-86952f9fdfb0", + "type": "search" + }, { "id": "logs-*", "name": "dd29b1be-2713-4758-bef1-9c310b4a8e1a:indexpattern-datasource-layer-b2cd46b9-b4fd-4940-9d35-567844a01b5f", 
@@ -375,19 +459,30 @@ }, { "id": "logs-*", - "name": "896a3082-c44b-456c-a144-0ce096c0a213:70dabf72-dffc-47df-b5d3-c77b70cf123c", + "name": "896a3082-c44b-456c-a144-0ce096c0a213:61920bc2-7699-405e-bfd6-06d04ddf46a0", "type": "index-pattern" }, { - "id": "aws-dffd2200-5a52-11ed-a807-bd2da8f2e79b", - "name": "1bd92e14-3902-4a5b-bc32-86952f9fdfb0:panel_1bd92e14-3902-4a5b-bc32-86952f9fdfb0", - "type": "search" + "id": "logs-*", + "name": "controlGroup_8c8c8996-6862-4a4d-9726-f4500f1ea571:optionsListDataView", + "type": "index-pattern" }, { "id": "logs-*", - "name": "controlGroup_8c8c8996-6862-4a4d-9726-f4500f1ea571:optionsListDataView", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern" + }, + { + "id": "aws-security-solution-default", + "name": "tag-ref-aws-security-solution-default", + "type": "tag" + }, + { + "id": "aws-security-solution-default", + "name": "tag-ref-security-solution-default", + "type": "tag" } ], - "type": "dashboard" + "type": "dashboard", + "typeMigrationVersion": "10.2.0" } \ No newline at end of file diff --git a/packages/aws/kibana/dashboard/aws-60881ab0-63e0-11ed-be08-4b4db5223139.json b/packages/aws/kibana/dashboard/aws-60881ab0-63e0-11ed-be08-4b4db5223139.json index 91357e41553..0b39f8990c4 100644 --- a/packages/aws/kibana/dashboard/aws-60881ab0-63e0-11ed-be08-4b4db5223139.json +++ b/packages/aws/kibana/dashboard/aws-60881ab0-63e0-11ed-be08-4b4db5223139.json 
@@ -3,11 +3,34 @@ "controlGroupInput": { "chainingSystem": "HIERARCHICAL", "controlStyle": "oneLine", - "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", - "panelsJSON": "{\"971955cf-ae41-4e9f-b609-63362a1fc426\":{\"order\":0,\"width\":\"large\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"aws.inspector.severity\",\"title\":\"AWS Inspector Findings Severity\",\"id\":\"971955cf-ae41-4e9f-b609-63362a1fc426\",\"enhancements\":{}}}}" + "ignoreParentSettingsJSON": { + "ignoreFilters": false, + "ignoreQuery": false, + "ignoreTimerange": false, + "ignoreValidations": false + }, + "panelsJSON": { + "971955cf-ae41-4e9f-b609-63362a1fc426": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "aws.inspector.severity", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "AWS Inspector Findings Severity" + }, + "grow": true, + "order": 0, + "type": "optionsListControl", + "width": "large" + } + }, + "showApplySelections": false }, "description": "Overview of AWS Inspector Severity.", - "hits": 0, "kibanaSavedObjectMeta": { "searchSourceJSON": { "filter": [ @@ -42,6 +65,7 @@ "optionsJSON": { "hidePanelTitles": false, "syncColors": false, + "syncCursor": true, "syncTooltips": false, "useMargins": true }, @@ -58,7 +82,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "4157dbfd-2795-4386-9327-b3b761a2017d": { "columnOrder": [ @@ -144,7 +168,19 @@ }, "visualizationType": "lnsXY" }, - "enhancements": {} + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 15, 
@@ -155,8 +191,7 @@ }, "panelIndex": "19eb0a1a-2960-4826-91ea-a8711065cb25", "title": "Distribution of Findings by Severity [Logs Inspector]", - "type": "lens", - "version": "8.4.0" + "type": "lens" }, { "embeddableConfig": { @@ -170,7 +205,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "1dae6ff8-1a46-42dc-8e3c-7c6f597f71d2": { "columnOrder": [ @@ -206,9 +241,21 @@ "layerType": "data" } }, - "visualizationType": "lnsMetric" + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" }, - "enhancements": {} + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 15, @@ -219,8 +266,7 @@ }, "panelIndex": "f19fbe19-a0b6-4087-8a2f-2958445284db", "title": "Total Findings Count [Logs Inspector]", - "type": "lens", - "version": "8.4.0" + "type": "lens" }, { "embeddableConfig": { @@ -234,7 +280,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "88835441-4a5d-4649-9749-cd763eb4f724": { "columnOrder": [ @@ -326,9 +372,21 @@ "metricAccessor": "85005515-84ae-44fc-85cc-e77cef81d715" } }, - "visualizationType": "lnsMetricNew" + "visualizationType": "lnsMetric" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } }, - "enhancements": {} + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 15, @@ -339,12 +397,15 @@ }, "panelIndex": "f2c0402b-207d-4224-b880-eef8a291794b", "title": "Total Findings Count Based on Severity [Logs Inspector]", - "type": "lens", - "version": "8.4.0" + "type": "lens" }, { "embeddableConfig": { - "enhancements": {}, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, "savedVis": { "data": { "aggs": [], 
@@ -359,9 +420,10 @@ "description": "", "params": { "fontSize": 13, - "markdown": "[Inspector Inspector Findings Overview Dashboard](#/dashboard/aws-131a1550-5a0b-11ed-a807-bd2da8f2e79b) | [Inspector Severity Dashboard](#/dashboard/aws-60881ab0-63e0-11ed-be08-4b4db5223139) | [Inspector Vulnerabilities Dashboard](#/dashboard/aws-383d4630-63df-11ed-be08-4b4db5223139) | [Inspector Inspector EC2 and ECR Overview Dashboard](#/dashboard/aws-63984b70-63e1-11ed-be08-4b4db5223139) ", + "markdown": "[Inspector Findings Overview Dashboard](#/dashboard/aws-131a1550-5a0b-11ed-a807-bd2da8f2e79b) | **Inspector Severity Dashboard** | [Inspector Vulnerabilities Dashboard](#/dashboard/aws-383d4630-63df-11ed-be08-4b4db5223139) | [Inspector EC2 and ECR Overview Dashboard](#/dashboard/aws-63984b70-63e1-11ed-be08-4b4db5223139) ", "openLinksInNewTab": true }, + "title": "", "type": "markdown", "uiState": {} } @@ -375,19 +437,16 @@ }, "panelIndex": "a9c4fbfa-ee9c-42ee-8dcb-40e44e3207ea", "title": "Dashboards [Logs Inspector]", - "type": "visualization", - "version": "8.4.0" + "type": "visualization" } ], "timeRestore": false, "title": "[Logs AWS] Inspector Severity", - "version": 1 + "version": 3 }, - "coreMigrationVersion": "8.4.0", + "coreMigrationVersion": "8.8.0", + "created_at": "2025-06-24T13:48:21.048Z", "id": "aws-60881ab0-63e0-11ed-be08-4b4db5223139", - "migrationVersion": { - "dashboard": "8.4.0" - }, "references": [ { "id": "logs-*", @@ -413,7 +472,13 @@ "id": "logs-*", "name": "controlGroup_971955cf-ae41-4e9f-b609-63362a1fc426:optionsListDataView", "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" } ], - "type": "dashboard" + "type": "dashboard", + "typeMigrationVersion": "10.2.0" } \ No newline at end of file 
diff --git a/packages/aws/kibana/dashboard/aws-63984b70-63e1-11ed-be08-4b4db5223139.json b/packages/aws/kibana/dashboard/aws-63984b70-63e1-11ed-be08-4b4db5223139.json index 95f97a8babe..30f1f51e36a 100644 --- a/packages/aws/kibana/dashboard/aws-63984b70-63e1-11ed-be08-4b4db5223139.json +++ b/packages/aws/kibana/dashboard/aws-63984b70-63e1-11ed-be08-4b4db5223139.json @@ -3,11 +3,34 @@ "controlGroupInput": { "chainingSystem": "HIERARCHICAL", "controlStyle": "oneLine", - "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", - "panelsJSON": "{\"1aecf3ba-3e1b-44dd-b81c-7d8a0206a0a7\":{\"order\":0,\"width\":\"large\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"aws.inspector.severity\",\"title\":\"AWS Inspector Findings Severity\",\"id\":\"1aecf3ba-3e1b-44dd-b81c-7d8a0206a0a7\",\"enhancements\":{}}}}" + "ignoreParentSettingsJSON": { + "ignoreFilters": false, + "ignoreQuery": false, + "ignoreTimerange": false, + "ignoreValidations": false + }, + "panelsJSON": { + "1aecf3ba-3e1b-44dd-b81c-7d8a0206a0a7": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "aws.inspector.severity", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "AWS Inspector Findings Severity" + }, + "grow": true, + "order": 0, + "type": "optionsListControl", + "width": "large" + } + }, + "showApplySelections": false }, "description": "Overview of AWS Inspector EC2 and ECR logs.", - "hits": 0, "kibanaSavedObjectMeta": { "searchSourceJSON": { "filter": [ @@ -42,6 +65,7 @@ "optionsJSON": { "hidePanelTitles": false, "syncColors": false, + "syncCursor": true, "syncTooltips": false, "useMargins": true }, @@ -58,7 +82,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "b2cd46b9-b4fd-4940-9d35-567844a01b5f": { "columnOrder": [ 
@@ -130,7 +154,19 @@ }, "visualizationType": "lnsDatatable" }, - "enhancements": {} + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 15, @@ -141,8 +177,7 @@ }, "panelIndex": "51d94661-24f5-47be-b7fc-dd3fdc9f08ef", "title": "Top 10 EC2 Instances ARN with Highest Inspector Score [Logs Inspector]", - "type": "lens", - "version": "8.4.0" + "type": "lens" }, { "embeddableConfig": { @@ -161,7 +196,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "1c04a2bf-b8c8-4e7f-a3c4-587a41a23ab5": { "columnOrder": [ @@ -282,7 +317,41 @@ }, "visualizationType": "lnsDatatable" }, - "enhancements": {} + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "logs-*", + "key": "aws.inspector.severity", + "negate": false, + "params": { + "query": "CRITICAL" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "aws.inspector.severity": "CRITICAL" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 15, @@ -293,8 +362,7 @@ }, "panelIndex": "b05740f5-92dc-4b79-a77f-ded634bf1e95", "title": "ECR Repositories with Most Critical Findings [Logs Inspector]", - "type": "lens", - "version": "8.4.0" + "type": "lens" }, { "embeddableConfig": { @@ -313,7 +381,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "b15502e7-1811-4354-bcb0-1ab7116c85dd": { "columnOrder": [ 
@@ -487,7 +555,41 @@ }, "visualizationType": "lnsDatatable" }, - "enhancements": {} + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "logs-*", + "key": "aws.inspector.severity", + "negate": false, + "params": { + "query": "CRITICAL" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "aws.inspector.severity": "CRITICAL" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 15, @@ -498,12 +600,16 @@ }, "panelIndex": "53b2e8c1-11e8-482f-b0e6-3d1c77cfe83a", "title": "ECR Container Images with Most Critical Findings [Logs Inspector]", - "type": "lens", - "version": "8.4.0" + "type": "lens" }, { "embeddableConfig": { - "enhancements": {} + "description": "", + "enhancements": { + "dynamicActions": { + "events": [] + } + } }, "gridData": { "h": 15, @@ -514,12 +620,17 @@ }, "panelIndex": "84425027-b170-4b3f-951d-3e7b11336b64", "panelRefName": "panel_84425027-b170-4b3f-951d-3e7b11336b64", - "type": "search", - "version": "8.4.0" + "title": "Findings Resource Essential Details [Logs Inspector]", + "type": "search" }, { "embeddableConfig": { - "enhancements": {} + "description": "", + "enhancements": { + "dynamicActions": { + "events": [] + } + } }, "gridData": { "h": 16, @@ -530,12 +641,16 @@ }, "panelIndex": "a3d319b1-7214-43d9-a6a9-a61910734dc5", "panelRefName": "panel_a3d319b1-7214-43d9-a6a9-a61910734dc5", - "type": "search", - "version": "8.4.0" + "title": "Findings AWS EC2 Instance Essential Details [Logs Inspector]", + "type": "search" }, { "embeddableConfig": { - "enhancements": {}, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, "savedVis": { "data": { "aggs": [], 
@@ -550,9 +665,10 @@ "description": "", "params": { "fontSize": 13, - "markdown": "[Inspector Inspector Findings Overview Dashboard](#/dashboard/aws-131a1550-5a0b-11ed-a807-bd2da8f2e79b) | [Inspector Severity Dashboard](#/dashboard/aws-60881ab0-63e0-11ed-be08-4b4db5223139) | [Inspector Vulnerabilities Dashboard](#/dashboard/aws-383d4630-63df-11ed-be08-4b4db5223139) | [Inspector Inspector EC2 and ECR Overview Dashboard](#/dashboard/aws-63984b70-63e1-11ed-be08-4b4db5223139) ", + "markdown": "[Inspector Findings Overview Dashboard](#/dashboard/aws-131a1550-5a0b-11ed-a807-bd2da8f2e79b) | [Inspector Severity Dashboard](#/dashboard/aws-60881ab0-63e0-11ed-be08-4b4db5223139) | [Inspector Vulnerabilities Dashboard](#/dashboard/aws-383d4630-63df-11ed-be08-4b4db5223139) | **Inspector EC2 and ECR Overview Dashboard**", "openLinksInNewTab": true }, + "title": "", "type": "markdown", "uiState": {} } 
@@ -566,25 +682,32 @@ }, "panelIndex": "bee46158-c3a2-4295-9dbd-e008d057af6c", "title": "Dashboards [Logs Inspector]", - "type": "visualization", - "version": "8.4.0" + "type": "visualization" } ], "timeRestore": false, "title": "[Logs AWS] Inspector EC2 and ECR Overview", - "version": 1 + "version": 3 }, - "coreMigrationVersion": "8.4.0", + "coreMigrationVersion": "8.8.0", + "created_at": "2025-06-24T13:48:21.048Z", "id": "aws-63984b70-63e1-11ed-be08-4b4db5223139", - "migrationVersion": { - "dashboard": "8.4.0" - }, "references": [ { "id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern" }, + { + "id": "aws-839e3db0-5a51-11ed-a807-bd2da8f2e79b", + "name": "84425027-b170-4b3f-951d-3e7b11336b64:panel_84425027-b170-4b3f-951d-3e7b11336b64", + "type": "search" + }, + { + "id": "aws-47d3ed50-5a53-11ed-a807-bd2da8f2e79b", + "name": "a3d319b1-7214-43d9-a6a9-a61910734dc5:panel_a3d319b1-7214-43d9-a6a9-a61910734dc5", + "type": "search" + }, { "id": "logs-*", "name": "51d94661-24f5-47be-b7fc-dd3fdc9f08ef:indexpattern-datasource-layer-b2cd46b9-b4fd-4940-9d35-567844a01b5f", @@ -611,20 +734,16 @@ "type": "index-pattern" }, { - "id": "aws-839e3db0-5a51-11ed-a807-bd2da8f2e79b", - "name": "84425027-b170-4b3f-951d-3e7b11336b64:panel_84425027-b170-4b3f-951d-3e7b11336b64", - "type": "search" - }, - { - "id": "aws-47d3ed50-5a53-11ed-a807-bd2da8f2e79b", - "name": "a3d319b1-7214-43d9-a6a9-a61910734dc5:panel_a3d319b1-7214-43d9-a6a9-a61910734dc5", - "type": "search" + "id": "logs-*", + "name": "controlGroup_1aecf3ba-3e1b-44dd-b81c-7d8a0206a0a7:optionsListDataView", + "type": "index-pattern" }, { "id": "logs-*", - "name": "controlGroup_1aecf3ba-3e1b-44dd-b81c-7d8a0206a0a7:optionsListDataView", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern" } ], - "type": "dashboard" + "type": "dashboard", + "typeMigrationVersion": "10.2.0" } \ No newline at end of file 
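Review bot: The last hunk of this file ends the `references` array with a second entry named `kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index`, identical in id and type to the first entry of the array, which the previous hunk shows as context. Reference names are what filters and panels resolve against, so a repeated name is redundant at best and ambiguous if the two entries ever diverge. Drop the appended copy so the array ends at `"name": "controlGroup_1aecf3ba-3e1b-44dd-b81c-7d8a0206a0a7:optionsListDataView"`. The Severity dashboard's final hunk appends the same name; its first reference is cut off by the hunk boundary, so check it for the same duplicate.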
diff --git a/packages/aws/kibana/search/aws-47d3ed50-5a53-11ed-a807-bd2da8f2e79b.json b/packages/aws/kibana/search/aws-47d3ed50-5a53-11ed-a807-bd2da8f2e79b.json index 1897d3b2587..969eaeeed19 100644 --- a/packages/aws/kibana/search/aws-47d3ed50-5a53-11ed-a807-bd2da8f2e79b.json +++ b/packages/aws/kibana/search/aws-47d3ed50-5a53-11ed-a807-bd2da8f2e79b.json @@ -51,11 +51,9 @@ ], "title": "Findings AWS EC2 Instance Essential Details [Logs Inspector]" }, - "coreMigrationVersion": "8.4.0", + "coreMigrationVersion": "8.8.0", + "created_at": "2025-06-24T13:48:21.048Z", "id": "aws-47d3ed50-5a53-11ed-a807-bd2da8f2e79b", - "migrationVersion": { - "search": "8.0.0" - }, "references": [ { "id": "logs-*", @@ -68,5 +66,6 @@ "type": "index-pattern" } ], - "type": "search" + "type": "search", + "typeMigrationVersion": "10.5.0" } \ No newline at end of file diff --git a/packages/aws/kibana/search/aws-839e3db0-5a51-11ed-a807-bd2da8f2e79b.json b/packages/aws/kibana/search/aws-839e3db0-5a51-11ed-a807-bd2da8f2e79b.json index d4620817d7a..8abecdf5f27 100644 --- a/packages/aws/kibana/search/aws-839e3db0-5a51-11ed-a807-bd2da8f2e79b.json +++ b/packages/aws/kibana/search/aws-839e3db0-5a51-11ed-a807-bd2da8f2e79b.json @@ -49,11 +49,9 @@ ], "title": "Findings Resource Essential Details [Logs Inspector]" }, - "coreMigrationVersion": "8.4.0", + "coreMigrationVersion": "8.8.0", + "created_at": "2025-06-24T13:48:21.048Z", "id": "aws-839e3db0-5a51-11ed-a807-bd2da8f2e79b", - "migrationVersion": { - "search": "8.0.0" - }, "references": [ { "id": "logs-*", @@ -66,5 +64,6 @@ "type": "index-pattern" } ], - "type": "search" + "type": "search", + "typeMigrationVersion": "10.5.0" } \ No newline at end of file 
diff --git a/packages/aws/kibana/search/aws-395fef40-5a52-11ed-a807-bd2da8f2e79b.json b/packages/aws/kibana/search/aws-b789513e-47bd-4d48-bc66-7713bebfc313.json similarity index 87% rename from packages/aws/kibana/search/aws-395fef40-5a52-11ed-a807-bd2da8f2e79b.json rename to packages/aws/kibana/search/aws-b789513e-47bd-4d48-bc66-7713bebfc313.json index e694e105a6b..eb21a39f60e 100644 --- a/packages/aws/kibana/search/aws-395fef40-5a52-11ed-a807-bd2da8f2e79b.json +++ b/packages/aws/kibana/search/aws-b789513e-47bd-4d48-bc66-7713bebfc313.json @@ -1,7 +1,7 @@ { "attributes": { "columns": [ - "aws.inspector.title", + "vulnerability.title", "aws.inspector.finding_arn", "aws.inspector.type", "aws.inspector.status" @@ -9,6 +9,7 @@ "description": "", "grid": {}, "hideChart": false, + "isTextBasedQuery": false, "kibanaSavedObjectMeta": { "searchSourceJSON": { "filter": [ @@ -47,13 +48,12 @@ "desc" ] ], + "timeRestore": false, "title": "Findings Essential Details [Logs Inspector]" }, - "coreMigrationVersion": "8.4.0", - "id": "aws-395fef40-5a52-11ed-a807-bd2da8f2e79b", - "migrationVersion": { - "search": "8.0.0" - }, + "coreMigrationVersion": "8.8.0", + "created_at": "2025-06-24T13:48:21.048Z", + "id": "aws-b789513e-47bd-4d48-bc66-7713bebfc313", "references": [ { "id": "logs-*", @@ -66,5 +66,6 @@ "type": "index-pattern" } ], - "type": "search" + "type": "search", + "typeMigrationVersion": "10.5.0" } \ No newline at end of file diff --git a/packages/aws/kibana/search/aws-dffd2200-5a52-11ed-a807-bd2da8f2e79b.json b/packages/aws/kibana/search/aws-dffd2200-5a52-11ed-a807-bd2da8f2e79b.json index 2fb7fc5fc9b..c875f7e484d 100644 --- a/packages/aws/kibana/search/aws-dffd2200-5a52-11ed-a807-bd2da8f2e79b.json +++ b/packages/aws/kibana/search/aws-dffd2200-5a52-11ed-a807-bd2da8f2e79b.json 
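Review bot: Swapping the first column from `aws.inspector.title` to `vulnerability.title` leaves that column empty for any finding that lacks the new field, which presumably includes documents indexed before this package version. The ingest pipeline and field definitions are not part of this hunk, so confirm that `vulnerability.title` is populated and mapped for the `inspector` data stream. The saved object id also changes to `aws-b789513e-47bd-4d48-bc66-7713bebfc313`, so every panel reference to `aws-395fef40-5a52-11ed-a807-bd2da8f2e79b` has to move with it.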
@@ -50,11 +50,9 @@ ], "title": "Findings Package Vulnerability Essential Details [Logs Inspector]" }, - "coreMigrationVersion": "8.4.0", + "coreMigrationVersion": "8.8.0", + "created_at": "2025-06-24T13:48:21.048Z", "id": "aws-dffd2200-5a52-11ed-a807-bd2da8f2e79b", - "migrationVersion": { - "search": "8.0.0" - }, "references": [ { "id": "logs-*", @@ -65,7 +63,18 @@ "id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern" + }, + { + "id": "aws-security-solution-default", + "name": "tag-ref-aws-security-solution-default", + "type": "tag" + }, + { + "id": "aws-security-solution-default", + "name": "tag-ref-security-solution-default", + "type": "tag" } ], - "type": "search" + "type": "search", + "typeMigrationVersion": "10.5.0" } \ No newline at end of file diff --git a/packages/aws/kibana/tag/aws-security-solution-default.json b/packages/aws/kibana/tag/aws-security-solution-default.json index 4b7620ded40..82bd27f7af0 100644 --- a/packages/aws/kibana/tag/aws-security-solution-default.json +++ b/packages/aws/kibana/tag/aws-security-solution-default.json @@ -1,13 +1,12 @@ { "attributes": { - "color": "#D36086", - "description": "", + "color": "#00BFB3", + "description": "Tag defined in package-spec", "name": "Security Solution" }, "coreMigrationVersion": "8.8.0", - "created_at": "2024-09-10T10:47:15.483Z", + "created_at": "2025-06-24T13:39:33.510Z", "id": "aws-security-solution-default", - "managed": true, "references": [], "type": "tag", "typeMigrationVersion": "8.0.0" diff --git a/packages/aws/manifest.yml b/packages/aws/manifest.yml index 0cfb1f3e99d..6e7d442dab1 100644 --- a/packages/aws/manifest.yml +++ b/packages/aws/manifest.yml @@ -1,7 +1,7 @@ format_version: 3.3.2 name: aws title: AWS -version: 3.11.0 +version: 3.12.0 description: Collect logs and metrics from Amazon Web Services (AWS) with Elastic Agent. type: integration categories: 
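Review bot: The two added tag references point at the same id, `aws-security-solution-default`, under two names (`tag-ref-aws-security-solution-default` and `tag-ref-security-solution-default`). Only this saved search gets them; the other three searches touched by this commit get none in the hunks shown. Keep one entry, for example `"name": "tag-ref-aws-security-solution-default"`, and either tag all four searches or none, so that filtering by the Security Solution tag returns a consistent set.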
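Review bot: `"managed": true` is dropped from the tag, and its colour and description are rewritten, in a commit that is otherwise about Inspector. The tag id has no Inspector-specific part, so it is presumably shared by other assets in the package, and the change would show on all of them. If this came from re-exporting the objects rather than a deliberate edit, restore `"managed": true` and the previous `"color": "#D36086"`.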
@@ -792,8 +792,16 @@ policy_templates: size: 33x39 type: image/svg+xml - name: inspector - title: AWS Inspector - description: Collect AWS Inspector Logs with Elastic Agent. + title: Amazon Inspector + description: Collect Amazon Inspector Logs with Elastic Agent. + deployment_modes: + default: + enabled: true + agentless: + enabled: true + organization: security + division: engineering + team: security-service-integrations data_streams: - inspector categories: @@ -801,16 +809,28 @@ policy_templates: - cloudsecurity_cdr inputs: - type: httpjson - title: Collect AWS Inspector logs via API - description: Collecting AWS Inspector logs via API. + title: Collect Amazon Inspector logs via API + description: Collecting Amazon Inspector logs via API. screenshots: - - src: /img/inspector-screenshot.png - title: Inspector dashboard screenshot + - src: /img/inspector-findings-overview-dashboard.png + title: Inspector Findings Overview dashboard + size: 600x600 + type: image/png + - src: /img/inspector-severity-dashboard.png + title: Inspector Severity dashboard + size: 600x600 + type: image/png + - src: /img/inspector-vulnerabilities-dashboard.png + title: Inspector Vulnerabilities dashboard + size: 600x600 + type: image/png + - src: /img/inspector-ec2-ecr-overview-dashboard.png + title: Inspector EC2 & ECR Overview dashboard size: 600x600 type: image/png icons: - src: /img/logo_inspector.svg - title: AWS Inspector logo + title: Amazon Inspector logo size: 33x39 type: image/svg+xml - name: guardduty
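Review bot: Enabling `agentless` for the `inspector` policy template means the AWS access key and secret key the README asks for are used from an Elastic-hosted agent rather than a host the customer runs. Nothing in this hunk tells the user to scope that credential. The setup section should say so in one sentence, for example `Use a dedicated IAM user or role whose policy allows only inspector2:ListFindings.` Whether role-based or temporary credentials are offered for the agentless mode is not visible here, so confirm which credential options the input exposes.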