
Commit 44115f1

VenkatasivareddyTRchngpe
authored andcommitted
1 parent dec183c commit 44115f1


2 files changed

+52
-2
lines changed


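--- a/athena-dynamodb/Dockerfile
+++ b/athena-dynamodb/Dockerfile
@@ -1,8 +1,26 @@
-# Argument for Java version, defaulting to 11
+# Argument for Java version, defaulting to 11 (must be before first FROM)
 ARG JAVA_VERSION=11
-# Use the specified version of Java
+
+# Build stage - compile updated aws-lambda-rie to fix CVE-2025-58186
+FROM golang:1.24-alpine AS rie-builder
+RUN apk add --no-cache git gcc musl-dev && \
+git clone --depth 1 https://github.com/aws/aws-lambda-runtime-interface-emulator.git /src && \
+cd /src && \
+go build -ldflags="-s -w" -o /aws-lambda-rie ./cmd/aws-lambda-rie
+
+# Runtime stage - use the specified version of Java
 FROM public.ecr.aws/lambda/java:${JAVA_VERSION}
 
+# Replace the vulnerable aws-lambda-rie binary with the patched version (CVE-2025-58186 fix)
+COPY --from=rie-builder /aws-lambda-rie /usr/local/bin/aws-lambda-rie
+
+# Update critical packages to fix CVE-2025-8058
+# Vulnerable packages: glibc, glibc-all-langpacks, glibc-common, glibc-minimal-langpack, libcrypt. (minimal approach - only update what's necessary)
+RUN yum update-minimal -y --setopt=tsflags=nodocs glibc glibc-common glibc-minimal-langpack libcrypt curl libcurl && \
+yum autoremove -y && \
+yum clean all && \
+rm -rf /var/cache/yum /var/lib/yum/yumdb/* /tmp/* /var/tmp/*
+
 # Argument for Java tool options, defaulting to an empty string
 ARG JAVA_TOOL_OPTIONS=""
 # Set the JAVA_TOOL_OPTIONS environment variable for Java 17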
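Review bot: The rie-builder stage's `git clone --depth 1 https://github.com/aws/aws-lambda-runtime-interface-emulator.git /src` checks out whatever the repository's default branch holds at build time, so the image is not reproducible and nothing ties the built binary to a release that actually contains the CVE-2025-58186 fix — a later upstream change lands in the next rebuild unreviewed. Pin the source to a release tag and surface it as a build argument declared inside the stage (after its FROM), e.g. `ARG RIE_VERSION=<release tag containing the fix>` followed by `git clone --depth 1 --branch "${RIE_VERSION}" https://github.com/aws/aws-lambda-runtime-interface-emulator.git /src && \`, and record the expected commit in the comment so a reviewer can verify it. The same reproducibility concern applies to the floating `golang:1.24-alpine` tag, which should be pinned by digest for a security-motivated build. The `cd /src && \` step is better expressed as `WORKDIR /src` (hadolint DL3003) with the `go build` in its own RUN.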

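--- a/pom.xml
+++ b/pom.xml
@@ -94,6 +94,32 @@
 <artifactId>commons-lang3</artifactId>
 <version>3.19.0</version>
 </dependency>
+<!-- Fix for CVE-2025-24970, CVE-2025-58056, CVE-2025-58057 and CVE-2025-55163: Override Netty version from transitive dependencies -->
+<dependency>
+<groupId>io.netty</groupId>
+<artifactId>netty-bom</artifactId>
+<version>4.2.5.Final</version>
+<type>pom</type>
+<scope>import</scope>
+</dependency>
+<!-- Fix for CVE-2025-27820: Override httpclient5 version from AWS SDK transitive dependencies -->
+<dependency>
+<groupId>org.apache.httpcomponents.client5</groupId>
+<artifactId>httpclient5</artifactId>
+<version>5.4.3</version>
+</dependency>
+<!-- Fix for CVE-2024-57699: Override json-smart version from transitive dependencies -->
+<dependency>
+<groupId>net.minidev</groupId>
+<artifactId>json-smart</artifactId>
+<version>2.5.2</version>
+</dependency>
+<!-- Fix for CVE-2020-15250: Override junit version from transitive dependencies -->
+<dependency>
+<groupId>junit</groupId>
+<artifactId>junit</artifactId>
+<version>${junit.version}</version>
+</dependency>
 </dependencies>
 </dependencyManagement>
 <organization>
@@ -337,6 +363,12 @@
 <!-- 4. commons-text declares commons-lang3 3.13.0 (< 3.18.0) -->
 <exclude>META-INF/maven/org.apache.commons/commons-text/pom.xml</exclude>
 <exclude>META-INF/maven/org.apache.commons/commons-text/pom.properties</exclude>
+<!-- 5. Fix for CVE-2020-15250: json-simple declares old junit -->
+<exclude>META-INF/maven/com.googlecode.json-simple/json-simple/pom.xml</exclude>
+<exclude>META-INF/maven/com.googlecode.json-simple/json-simple/pom.properties</exclude>
+<!-- 6. Exclude old junit POM metadata directly -->
+<exclude>META-INF/maven/junit/junit/pom.xml</exclude>
+<exclude>META-INF/maven/junit/junit/pom.properties</exclude>
 </excludes>
 </filter>
 </filters>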
