
RStudio Workbench CVEs #681

Open
securian-bpmcd opened this issue Dec 28, 2023 · 4 comments

Comments

@securian-bpmcd

The below CVEs affect Go 1.19. These were found by our Prisma Cloud Scan tool while scanning the current (12/27/2023) "rstudio/r-session-complete:jammy-2023.03.2" image.

CVE-2023-39323 Go
CVE-2023-29405 Go
CVE-2023-29404 Go
CVE-2023-29402 Go
CVE-2023-24540 Go
CVE-2023-24538 Go

@bschwedler (Contributor)

@securian-bpmcd Thank you for reporting these!

Do you still see these vulnerabilities in the latest image?

rstudio/r-session-complete:ubuntu2204-2024.09.0

@securian-bpmcd (Author)

@bschwedler We're using RStudio on SageMaker, and the most recent version that we can use to match the AWS environment is 2024.04.2.

@securian-bpmcd (Author)

The 2024.04.2 image scan reports the following CVEs:
CVE-2024-24790
CVE-2023-24540
CVE-2023-24538

@bschwedler (Contributor)

Ah, thanks for the added detail on where you are seeing this.
AWS builds and deploys the container image running in SageMaker. It starts from the public container images defined in this repository and AWS further customizes the Workbench image to add the functionality required for SageMaker.
I also want to add a little more detail around patching and rebuilding previous versions of the container images.

We are currently routinely rebuilding the most recent version of the container images to pick up OS and package security updates.

The current repository structure makes it difficult to use the same rebuild process for previous container versions. We are working to improve the workflows as well as the visibility of our internal scan results.
