AWX Vulnerabilities on packages

Hello Folks,

I am trying to install AWX from Docker Hub at the company I work for, and we need to follow a vulnerability-scan process before we can import Docker images into the company. The scan reports show a lot of high-risk vulnerabilities, and the company does not want to import the images (see reports attached). Anyway, I have two questions:

  • Do you know if the Ansible Tower version uses the same packages and therefore has the same vulnerabilities?
  • Is it possible to correct all the high/critical/important vulnerabilities in the reports?

Thanks a lot!
Attachments:

awx_web-scan-results.txt (90.1 KB)
awx_task-scan-results.txt (90.6 KB)

We’ll clear out some base images and re-spin the images… these are just coming from the centos7 base images that we used to build them.

Alternatively you should be able to spin these yourself and pick up the new centos:7 base that will pass a security scan if you don’t feel like waiting on us.

Hello, thanks for your help!

We have been able to rebuild the base images with the more important vulnerabilities fixed and install them.

The vulnerabilities fixed were:

| Package | Version | Reason | Remediation |
| - | - | - | - |
| python-paramiko | 2.1.1-4.el7 | Authentication Bypass | Upgrade paramiko to versions 1.17.6, 1.18.5, 2.0.8, 2.1.5, 2.2.3, 2.3.2, 2.4.1 or higher. |
| mercurial | 2.6.2 | Arbitrary Code Execution | Upgrade mercurial to version 4.1.3 or higher. |

I have uploaded the images here: https://hub.docker.com/u/maragunde/

The Dockerfile used was:

FROM maragunde/awx_task

# The base image runs as an unprivileged user; package changes need root.
USER root

# Remove the vulnerable distro RPM (2.1.1-4.el7) and install a fixed paramiko from PyPI.
RUN yum remove python-paramiko -y
RUN pip install --upgrade pip
RUN pip install paramiko==2.4.1
RUN pip install ansible==2.7.2

# Replace pycrypto with pycryptodome (a maintained fork with a compatible API).
RUN pip uninstall pycrypto -y
RUN pip install pycryptodome==3.7.2

# Replace the distro mercurial (2.6.2) with an upstream build at or above 4.1.3.
RUN yum install https://www.mercurial-scm.org/release/centos7/RPMS/x86_64/mercurial-4.6.1-1.x86_64.rpm -y

# Return to the unprivileged uid the base image uses.
USER 1001

Thanks!
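Once an image has been rebuilt like this, the thing worth checking before resubmitting it to the scanner is whether each remediated package is actually on a fixed release. The remediation table has a subtlety: paramiko was fixed on several release branches at once (2.1.5 is fixed even though 2.4.1 is the highest version listed), so a naive "installed >= highest fixed version" comparison gets the answer wrong. The Python below is an added example, not code from this thread or from the AWX project. It takes the remediation table as posted above, parses a package inventory in either `pip freeze` form (`name==version`) or an `rpm -qa` form with a `%{NAME} %{VERSION}-%{RELEASE}` query format, and reports each package as fixed, missing, or still vulnerable. The two inventories at the bottom are constructed for illustration, not real scanner output.

```python
"""Check whether packages in an image inventory are on a fixed release."""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Remediation table from the thread: package -> fixed releases.
# paramiko was fixed on several release branches at once; mercurial on one.
REMEDIATIONS: Dict[str, List[str]] = {
    "paramiko": ["1.17.6", "1.18.5", "2.0.8", "2.1.5", "2.2.3", "2.3.2", "2.4.1"],
    "mercurial": ["4.1.3"],
}


def parse_version(text: str) -> Version:
    """Turn '2.1.1-4.el7', '4.6.1-1.x86_64' or '2.4.1' into a comparable tuple.

    Only the upstream part before the first '-' is used: the RPM release
    suffix does not tell you which upstream fix is present.
    """
    upstream = text.split("-", 1)[0]
    parts = re.findall(r"\d+", upstream)
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def is_fixed(installed: Version, fixed: List[Version]) -> bool:
    """True if `installed` carries the fix.

    A list like paramiko's names one fixed release per maintained branch
    (major.minor). The installed version is fixed if it sits on such a
    branch at or above that branch's fixed release, or if it is newer than
    the newest fixed release overall ("or higher"). Comparing only against
    the highest listed version would wrongly flag 2.1.5 as vulnerable.
    """
    branch = installed[:2]
    for fixed_version in fixed:
        if fixed_version[:2] == branch:
            return installed >= fixed_version
    return installed > max(fixed)


def parse_inventory(text: str) -> Dict[str, str]:
    """Parse 'name==version' (pip freeze) or 'name version-release' (rpm) lines.

    Distro 'python-' / 'python2-' prefixes are stripped so the RPM and pip
    names for the same library compare under one key.
    """
    inventory: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if "==" in line:
            name, version = line.split("==", 1)
        else:
            name, version = line.split(None, 1)  # raises on a malformed line
        name = re.sub(r"^python[23]?-", "", name.lower())
        inventory[name] = version.strip()
    return inventory


def audit(inventory_text: str) -> Dict[str, str]:
    """Report each remediated package as 'fixed', 'missing' or 'vulnerable (...)'."""
    inventory = parse_inventory(inventory_text)
    report: Dict[str, str] = {}
    for package, fixes in REMEDIATIONS.items():
        if package not in inventory:
            report[package] = "missing"
            continue
        installed = inventory[package]
        fixed = [parse_version(f) for f in fixes]
        if is_fixed(parse_version(installed), fixed):
            report[package] = "fixed"
        else:
            report[package] = f"vulnerable ({installed})"
    return report


# Constructed inventories (not real scanner output): roughly what the stock
# image contained and what the patched Dockerfile leaves behind.
BEFORE = """\
python-paramiko 2.1.1-4.el7
mercurial 2.6.2-8.el7
pycrypto==2.6.1
"""

AFTER = """\
paramiko==2.4.1
mercurial 4.6.1-1
pycryptodome==3.7.2
"""

if __name__ == "__main__":
    for label, inventory in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(inventory))
```

To run it against a real image, feed `audit()` the combined output of `pip freeze` and `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'` collected inside the container. Note that a "fixed" verdict here only means the installed version is at or above the remediation target from the table; it does not replace re-running the company's scanner.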