Description
Is there an existing issue for this?
- I have searched the existing issues
Current Behavior
LocalStack docker images include high severity vulnerable software and do not pass a security scan.
Expected Behavior
LocalStack docker images must include security-verified software that is safe to run.
How are you starting LocalStack?
With a docker run command
Steps To Reproduce
How are you starting localstack (e.g., bin/localstack command, arguments, or docker-compose.yml)
docker run localstack/localstack
Environment
- OS: any
- LocalStack:
LocalStack Docker image sha: sha256:e46c7f7c7b774b7ed57d9d86a9d2d00a66a63f4d2e1f33dea3e13b92e33657bc
LocalStack version: 4.0.4.dev26
LocalStack build date: 2024-12-10
LocalStack build git hash: 37a56a501
Anything else?
The LocalStack docker image available on Docker Hub includes high severity vulnerabilities.
Besides the dynamodb_local vulnerabilities already covered in #11615, there are others specific to LocalStack:
- /usr/local/lib/node_modules/npm/node_modules/cross-spawn CVE-2024-21538 severity 7.5 high
- /usr/lib/localstack/lambda-runtime/v0.1.30-pre/x86_64/var/rapid/init CVE-2023-45288 severity 7.5 high
- /opt/code/localstack/.venv/lib/python3.11/site-packages/amazon_kclpy/jars/logback-core-1.3.12.jar CVE-2023-6481 severity 7.5 high
- /opt/code/localstack/.venv/lib/python3.11/site-packages/amazon_kclpy/jars/netty-common-4.1.108.Final.jar CVE-2024-47535 severity 5.5 medium
Also a Python-specific vulnerability:
- /opt/code/localstack/.venv/lib/python3.11/site-packages/cryptography GHSA-h4gh-qq45-vh27, package version 42.0.8, fixed in version 43.0.1
The image also includes sensitive data / private keys, which should possibly be generated locally rather than distributed:
- /opt/code/localstack/localstack-core/localstack/aws/accounts.py [type:"AWS ACCESS KEY"]
- /opt/code/localstack/.venv/lib/python3.11/site-packages/moto/moto_proxy/ca.key [type:"PRIVATE KEY"]
- /opt/code/localstack/.venv/lib/python3.11/site-packages/moto/moto_proxy/cert.key [type:"PRIVATE KEY"]
Cheers
Gianluca Bonetti
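A defender-side check for the last finding above (private keys and access-key-shaped strings shipped inside the image), added here as an example and not part of the original issue or of LocalStack: it walks a directory such as an extracted image filesystem (e.g. the output of `docker export`) and reports files that contain a PEM private-key header or a string in the documented AWS access key ID format. The sample tree, its file contents and the key string are constructed stand-ins, not the real image contents.

```python
import re
import tempfile
from pathlib import Path

# Detection patterns for the two finding types in the report. The AWS access key
# ID format (AKIA/ASIA + 16 uppercase alphanumerics) and the PEM private-key
# header are documented formats; they are not taken from any scanner output.
AWS_ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
PEM_PRIVATE_KEY_RE = re.compile(
    r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"
)


def scan_tree(root, max_bytes=1_000_000):
    """Walk `root` and return sorted (relative path, finding type) pairs."""
    findings = []
    for path in Path(root).rglob("*"):
        # Skip directories and large binaries; secrets of interest are small text files.
        if not path.is_file() or path.stat().st_size > max_bytes:
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue
        rel = path.relative_to(root).as_posix()
        if PEM_PRIVATE_KEY_RE.search(text):
            findings.append((rel, "PRIVATE KEY"))
        if AWS_ACCESS_KEY_RE.search(text):
            findings.append((rel, "AWS ACCESS KEY"))
    return sorted(findings)


def build_sample_tree():
    """Constructed stand-in for an extracted image, mirroring the reported paths."""
    root = tempfile.mkdtemp(prefix="image-scan-")
    files = {
        # AKIAIOSFODNN7EXAMPLE is the example key ID from the AWS documentation.
        "localstack-core/localstack/aws/accounts.py":
            'TEST_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"  # constructed sample\n',
        ".venv/lib/python3.11/site-packages/moto/moto_proxy/ca.key":
            "-----BEGIN RSA PRIVATE KEY-----\n(constructed placeholder, not a key)\n-----END RSA PRIVATE KEY-----\n",
        # A certificate is public material and must not be flagged.
        ".venv/lib/python3.11/site-packages/moto/moto_proxy/cert.crt":
            "-----BEGIN CERTIFICATE-----\n(constructed placeholder)\n-----END CERTIFICATE-----\n",
        "README.md": "No secrets here.\n",
    }
    for rel, content in files.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    return root


if __name__ == "__main__":
    for rel, kind in scan_tree(build_sample_tree()):
        print(f'{rel} [type:"{kind}"]')
```

Point `scan_tree` at the directory produced by `docker export <container> | tar -x` to run it against a real image rather than the constructed tree.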