AWX Vulnerabilities (CVEs) for nginx packages in awx 15.0.0 and up


kcurtisfl

Mar 11, 2021, 2:30:14 PM
to AWX Project
I am curious if AWX is dependent in some way on nginx 1.14 and in particular the dependent nginx modules.

I can see that in ver 15.0.0 nginx 1.14 is installed, along with these modules:

nginx:1:1.14.1-9.module_el8.0.0+184+e34fea82                        RHSA-2019:2799
nginx-all-modules:1:1.14.1-9.module_el8.0.0+184+e34fea82            RHSA-2019:2799
nginx-filesystem:1:1.14.1-9.module_el8.0.0+184+e34fea82             RHSA-2019:2799
nginx-mod-http-image-filter:1:1.14.1-9.module_el8.0.0+184+e34fea82  RHSA-2019:2799
nginx-mod-http-perl:1:1.14.1-9.module_el8.0.0+184+e34fea82          RHSA-2019:2799
nginx-mod-http-xslt-filter:1:1.14.1-9.module_el8.0.0+184+e34fea82   RHSA-2019:2799
nginx-mod-mail:1:1.14.1-9.module_el8.0.0+184+e34fea82               RHSA-2019:2799
nginx-mod-stream:1:1.14.1-9.module_el8.0.0+184+e34fea82             RHSA-2019:2799

All of these CVE issues are resolved in nginx 1.18, and in the image build (in the awx project) I did notice that awx is just doing a dnf -y install nginx, so are these extra 'mod' nginx packages just installed by default?

I guess the real answer is: is there some specific reason why awx continues to stay on nginx 1.14 with the known CVEs, and not use nginx 1.18? I'm testing this on my own, but was just curious if anyone had looked at this.

Ankit Vashistha

Mar 12, 2021, 1:06:00 AM
to kcurtisfl, AWX Project
Hello,

That is because 1.14 is the latest version available in the repository. If you run dnf search nginx --showduplicates you would be able to see the available versions to choose from. By default it installs the latest version available in the repos. Thanks for the heads up about the vulnerability. In order to get the latest version of a higher version than 1.14, I believe we can do this using the nginx repo: Install | NGINX. Can you please also let me know about your findings after using the nginx repo?

Regards,
Ankit



kcurtisfl

Mar 12, 2021, 9:24:18 AM
to AWX Project
Yes, I will. I am testing with nginx 1.18 right now.

michae...@gmail.com

Sep 20, 2021, 5:11:15 PM
to AWX Project
Was there any further work or result from this investigation? Are there any plans to upgrade the nginx inside awx containers to a version greater than 1.14?

kcurtisfl

Feb 17, 2022, 8:44:31 AM
to AWX Project
So it turns out 1.14 is NOT the latest version in the repository; it's simply the one that is enabled. So, here are the steps that I took in the Dockerfile. Essentially you can make your own Dockerfile with the first line "FROM" being the public image. These steps, added to it, remove nginx and replace it with 1.20, which squashes about 30 CVEs.

RUN dnf -y remove nginx
# Nginx 1.20 handling: reset the module, enable the 1.20 stream, then reinstall
RUN yum -y module reset nginx && yum -y module enable nginx:1.20 && \
    yum -y install nginx && yum -y install nginx-all-modules
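The thread turns on one fact: the nginx stream that is enabled in the base image is not the newest one the repository offers, so a plain install keeps pulling 1.14. The script below is an added example (not code from this thread or from the AWX project) that automates that check for both the "which versions are available" question and the "which stream is enabled" step: it parses `dnf module list nginx` style output, reports the enabled stream and the newest stream, and exits non-zero only when a newer stream is waiting. The module-list text embedded here is constructed sample output; inside a real container you would feed it the output of `dnf module list nginx` instead.

```shell
#!/bin/sh
# Added example, not code from the thread or the AWX project.
# Compares the enabled nginx module stream with the newest stream the
# repository offers, using `dnf module list nginx` style output.
# Streams are compared numerically on their major.minor form.

# Constructed sample of `dnf module list nginx` output (not real output).
# "[e]" marks the enabled stream, "[d]" the default stream/profile.
SAMPLE_MODULE_LIST='Name   Stream      Profiles          Summary
nginx  1.14 [d][e] common [d]       nginx webserver
nginx  1.16        common [d]       nginx webserver
nginx  1.18        common [d]       nginx webserver
nginx  1.20        common [d]       nginx webserver'

# enabled_stream MODULE_LIST_TEXT -> prints the stream tagged [e], if any
enabled_stream() {
    printf '%s\n' "$1" | awk '$1 == "nginx" && $0 ~ /\[e\]/ { print $2; exit }'
}

# newest_stream MODULE_LIST_TEXT -> prints the highest nginx stream offered
newest_stream() {
    printf '%s\n' "$1" | awk '$1 == "nginx" { print $2 }' \
        | sort -t. -k1,1n -k2,2n | tail -n 1
}

# newer_stream_available MODULE_LIST_TEXT -> succeeds (exit 0) when the
# repository offers a stream newer than the enabled one; this is the state
# the base image was in, where a plain install keeps delivering 1.14.
newer_stream_available() {
    enabled=$(enabled_stream "$1")
    newest=$(newest_stream "$1")
    [ -n "$enabled" ] && [ "$enabled" != "$newest" ]
}

# Report on the constructed sample. To check a live container, replace the
# sample with: dnf module list nginx 2>/dev/null
if newer_stream_available "$SAMPLE_MODULE_LIST"; then
    echo "enabled nginx stream $(enabled_stream "$SAMPLE_MODULE_LIST") is not the newest;" \
         "stream $(newest_stream "$SAMPLE_MODULE_LIST") is available (module reset/enable needed)"
else
    echo "enabled nginx stream is already the newest offered"
fi
```

Running it against the sample prints that 1.14 is enabled while 1.20 is available, which is exactly the condition the `module reset` / `module enable nginx:1.20` lines in the Dockerfile above correct. The same check is worth running again after an image rebuild, so a base-image update that moves the default stream does not silently reintroduce an older nginx.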