We have 1 EC2 instance running Ubuntu 20.04 LTS. We are running Docker containers in it. Qualys detected the following vulnerability: “Node.Js Foundation Node.js Multiple Vulnerabilities (Node v20.11.1, Node v21.6.2, Node v18.19.1)”.
Related CVEs are: CVE-2024-21891, CVE-2024-22019, CVE-2024-21890, CVE-2024-21892, CVE-2023-46809, CVE-2024-21896, CVE-2024-22025, CVE-2024-22017
The category “Tips & HowTos” is meant to be used if you share tips & HowTos you authored yourself. It is not for asking questions. I moved your post to the “General Discussions” category.
Furthermore, you are using a snap docker package, which is maintained and supported by Canonical.
Patch management with containers is done by replacing containers with containers based on images that already include a fix for the vulnerability.
Please find the snap list & refresh output below. It’s already updated. How can we fix the issue detected by Qualys in the snap location /var/snap/docker/common/var-lib-docker/overlay2/l/AUEWL7ZTSH2IAY5JMTMLSX7LEA/usr/local/bin/node js/v18.0.0?
ubuntu@ip-10-42-8-32:~$ snap list
Name              Version          Rev    Tracking          Publisher   Notes
amazon-ssm-agent  3.3.131.0        7993   latest/stable/…   aws✓        classic
core18            20240612         2829   latest/stable     canonical✓  base
core20            20240416         2318   latest/stable     canonical✓  base
core22            20240408         1380   latest/stable     canonical✓  base
docker            24.0.5           2915   latest/stable     canonical✓  -
lxd               4.0.10-e664786   29619  4.0/stable/…      canonical✓  -
snapd             2.63             21759  latest/stable     canonical✓  snapd
ubuntu@ip-10-42-8-32:~$ snap refresh --list
All snaps up to date.
Just out of curiosity: what part of my last post made you think that I want to see anything about snap? Snap itself, and the snap docker package is maintained by Canonical and supported by whatever support channel Canonical has for snap and the snap docker package.
Regardless of what docker distribution you use: the problem and solution is not related to the docker distribution.
Just to be clear: when I wrote “containers” I refer to OCI containers, such as those that you run on Docker. Please ask the people that created the containers, to replace those containers with new containers that base on a new (OCI) image tag that already includes the fix.
I assume we are not getting on the same page. I can’t help you if your responses ignore what I write. If you don’t understand parts, then quote those parts and underneath write in your own words what you understood.
May I suggest the following links to learn the basics and concepts:
We simply don’t patch running containers, as containers are supposed to be ephemeral runtime instances of images.
You need to find versions of the images that already include the fixes and re-deploy the containers using those images. If those are custom images made in your company, ask the people who created the images to publish new images based on base images that already include the fix.
If you have no control of the image: get in touch with the people that do, and make them create an image where all fixable vulnerabilities are fixed. You will want to ask them to migrate from Node 18 to at least Node 20, or better 22. Node 18 will stop receiving security updates in roughly 9 months (See: Node.js | endoflife.date)
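As an added example that is not part of the thread above: the replies say the fix is to find which running containers still ship an affected Node.js and replace them with containers built from a fixed image. The script below does the first half of that, the audit. The fixed versions it compares against (18.19.1, 20.11.1, 21.6.2) are the ones named in the Qualys finding quoted in the first post; any other major line is reported as "unknown" rather than guessed. The `--scan` mode uses the real `docker ps` and `docker exec` commands and therefore needs a working Docker CLI; the version logic itself runs offline. The file name `node-audit.sh` is hypothetical.

```shell
#!/bin/sh
# Added example, not from the forum thread: report which running containers
# still carry a Node.js older than the first release with the scanner's fixes.
# Fixed versions 18.19.1 / 20.11.1 / 21.6.2 come from the Qualys title quoted
# in the thread; other major lines are reported as "unknown".

# version_lt A B: exit 0 when dotted version A is numerically lower than B.
# A leading "v" (as printed by `node --version`) is stripped; missing
# components are treated as 0, so "v18" compares as 18.0.0.
version_lt() {
    IFS=. read -r a1 a2 a3 <<EOF
${1#v}
EOF
    IFS=. read -r b1 b2 b3 <<EOF
${2#v}
EOF
    [ "${a1:-0}" -lt "${b1:-0}" ] && return 0
    [ "${a1:-0}" -gt "${b1:-0}" ] && return 1
    [ "${a2:-0}" -lt "${b2:-0}" ] && return 0
    [ "${a2:-0}" -gt "${b2:-0}" ] && return 1
    [ "${a3:-0}" -lt "${b3:-0}" ]
}

# node_fix_status VERSION: print "vulnerable", "fixed" or "unknown".
node_fix_status() {
    v="${1#v}"
    case "${v%%.*}" in
        18) fixed=18.19.1 ;;
        20) fixed=20.11.1 ;;
        21) fixed=21.6.2 ;;
        *)  echo unknown; return 0 ;;
    esac
    if version_lt "$v" "$fixed"; then
        echo vulnerable
    else
        echo fixed
    fi
}

# scan_running_containers: ask every running container for its Node version
# and print one tab-separated line per container: name, image, version, status.
# Containers where `node` is not on PATH are skipped. The "vulnerable" rows are
# the containers that have to be replaced with ones built from a fixed image;
# patching inside the running container is not the fix.
scan_running_containers() {
    docker ps --format '{{.ID}} {{.Names}} {{.Image}}' |
    while read -r id name image; do
        ver=$(docker exec "$id" node --version 2>/dev/null) || continue
        printf '%s\t%s\t%s\t%s\n' "$name" "$image" "$ver" "$(node_fix_status "$ver")"
    done
}

# Usage (hypothetical file name): sh node-audit.sh --scan
if [ "${1:-}" = "--scan" ]; then
    scan_running_containers
fi
```

The status column tells you which containers to redeploy; the image column tells you which image tag the people who build the images need to bump. A container that reports `v18.0.0`, as in the Qualys path quoted above, shows up as vulnerable; one reporting `v18.19.1` or later on the same line shows up as fixed.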