How should we address any new AWX vulnerabilities discovered after version 24.6?

According to these posts, no new release date has been announced yet for either the AWX operator or AWX. If we are already on the latest AWX version (24.6) and encounter new vulnerabilities, what would be the best approach to address these security issues?


IMO, the basic idea is to rebuild the container image by yourself.

In order to address vulnerabilities, of course it is not easy to modify the source code or upgrade the Operator SDK version for everyone.
However, if it’s just a simple customization, like wanting to run dnf update or to replace existing files, you can create a new image with a simple Dockerfile like the following.

For AWX:

FROM quay.io/ansible/awx:24.6.0

USER root
RUN dnf update --security --bugfix -y
USER 1000

For AWX Operator:

FROM quay.io/ansible/awx-operator:2.19.1

USER root
RUN dnf update --security --bugfix -y
USER 1001

Thanks for the reply. How do we mitigate a vulnerability like the Django version used in AWX?

If upgrading modules is all that is needed, you can address it with a Dockerfile like the following.

FROM quay.io/ansible/awx:24.6.0

# Become root only for the update steps, then drop back to the image's unprivileged user
USER root
RUN dnf update --security --bugfix -y
# Upgrade the module inside the AWX virtualenv, not the system Python
RUN /var/lib/awx/venv/awx/bin/pip install -U django==4.2.18
USER 1000

However, since the version of Django is closely related to ansible-django-base, which AWX depends on, simply upgrading only the Django module may have side effects or cause AWX to stop working.

Please note that I have not tested this Dockerfile at all. I cannot guarantee the results.

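A post-rebuild verification step, added here as an example and not code from this thread or from the AWX project: it reads `pip freeze` and `pip check` output from the rebuilt image's AWX venv, confirms that pins such as django>=4.2.18 are actually present, and surfaces the broken-requirement conflicts that the side-effect warning above is about. The `docker run --entrypoint` invocation in `run_pip_in_image` and the sample outputs under `__main__` are assumptions/constructed, not taken from the thread.

```python
import re
import subprocess

# Minimum versions expected in the rebuilt image's AWX venv. The django pin is the
# one used in the Dockerfile above; extend this dict from your own remediation list.
REQUIRED_MIN = {"django": "4.2.18"}
AWX_PIP = "/var/lib/awx/venv/awx/bin/pip"  # venv pip path used in the Dockerfile above


def parse_version(v):
    """'4.2.18' -> (4, 2, 18); a non-numeric segment counts as 0 (simplified PEP 440)."""
    parts = []
    for segment in v.split("."):
        m = re.match(r"\d+", segment)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def parse_pip_freeze(text):
    """Map lowercase distribution name -> version from `pip freeze` output."""
    installed = {}
    for line in text.splitlines():
        name, sep, version = line.strip().partition("==")
        if sep and not name.startswith("#"):
            installed[name.lower()] = version.strip()
    return installed


def find_outdated(installed, required=REQUIRED_MIN):
    """Return {name: installed_version_or_None} for pins missing or below the minimum."""
    return {name: installed.get(name) for name, minimum in required.items()
            if name not in installed or parse_version(installed[name]) < parse_version(minimum)}


def parse_pip_check(text):
    """Return the conflict lines printed by `pip check`; [] when nothing is broken."""
    return [line.strip() for line in text.splitlines()
            if " has requirement " in line or " requires " in line]


def run_pip_in_image(image, *args):
    """Run the venv's pip inside the rebuilt image (assumes a local docker CLI)."""
    cmd = ["docker", "run", "--rm", "--entrypoint", AWX_PIP, image, *args]
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


if __name__ == "__main__":
    # Constructed sample output standing in for run_pip_in_image(img, "freeze") / (img, "check")
    freeze = "Django==4.2.17\nawx==24.6.0\n"
    check = "awx 24.6.0 has requirement django<4.3,>=4.2, but you have django 5.0.0.\n"
    print("below minimum:", find_outdated(parse_pip_freeze(freeze)))   # {'django': '4.2.17'}
    print("pip check conflicts:", parse_pip_check(check))
```

Fail the image build pipeline when `find_outdated` or `parse_pip_check` returns anything non-empty, so an untested upgrade like the one above cannot be promoted silently.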

Thanks for your well explained suggestion. That is just one of the vulnerabilities on our remediation list. This is why I’m asking about the safest approach to address AWX vulnerabilities discovered after version 24.6.