
Trying the Amazon Inspector Vulnerability Database from the AWS CLI

Published 2025/01/23

Searching the Amazon Inspector vulnerability database - Amazon Inspector

Run the Amazon Inspector SearchVulnerabilities API, and provide a single CVE ID as filterCriteria in the following format: CVE-<year>-<ID>.

I gave the above a try.
The AWS CLI was run from CloudShell.

Trying it out

search-vulnerabilities — AWS CLI 2.23.3 Command Reference
With the AWS CLI, use the search-vulnerabilities command. The filter takes the CVE ID in the documented CVE-<year>-<ID> form, one ID per call.

$ aws inspector2 search-vulnerabilities \
--filter-criteria vulnerabilityIds=CVE-2021-44228
Response
{
  "vulnerabilities": [
    {
      "atigData": {
        "firstSeen": "2021-12-14T00:00:00+00:00",
        "lastSeen": "2023-03-06T00:00:00+00:00",
        "targets": [
          "Accommodation",
          "Administrative Services",
          "Aviation",
          "Chemical Manufacturing",
          "Construction",
          "Defense",
          "Education",
          "Finance and Insurance",
          "Government",
          "Health Care",
          "Information Technology",
          "Manufacturing",
          "Media",
          "Military",
          "Non-Government Organization",
          "Oil and Gas",
          "Professional Services",
          "Telecommunications",
          "Transportation"
        ],
        "ttps": [
          "T1005",
          "T1008",
          "T1012",
          "T1016",
          "T1021",
          "T1021.004",
          "T1041",
          "T1046",
          "T1047",
          "T1048.003",
          "T1049",
          "T1057",
          "T1059.001",
          "T1059.003",
          "T1070.004",
          "T1071.001",
          "T1082",
          "T1083",
          "T1087",
          "T1087.004",
          "T1090",
          "T1090.003",
          "T1090.004",
          "T1102",
          "T1102.001",
          "T1105",
          "T1110.003",
          "T1112",
          "T1113",
          "T1132.001",
          "T1140",
          "T1190",
          "T1202",
          "T1204.001",
          "T1204.002",
          "T1518",
          "T1563.001",
          "T1571",
          "T1573.001",
          "T1583.001",
          "T1583.003",
          "T1585.001",
          "T1585.002",
          "T1587.004",
          "T1588",
          "T1588.001",
          "T1588.002",
          "T1588.005",
          "T1590",
          "T1590.001",
          "T1590.002",
          "T1590.004",
          "T1592.002",
          "T1592.004",
          "T1593.002",
          "T1595.001",
          "T1595.002",
          "T1598.003",
          "T1608.002"
        ]
      },
      "cisaData": {
        "action": "For all affected software assets for which updates exist, the only acceptable remediation actions are: 1) Apply updates; OR 2) remove affected assets from agency networks. Temporary mitigations using one of the measures provided at https://www.cisa.gov/uscert/ed-22-02-apache-log4j-recommended-mitigation-measures are only acceptable until updates are available.",
        "dateAdded": "2021-12-10T00:00:00+00:00",
        "dateDue": "2021-12-24T00:00:00+00:00"
      },
      "cvss3": {
        "baseScore": 10.0,
        "scoringVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
      },
      "cwes": ["CWE-400", "CWE-502", "CWE-20", "CWE-917"],
      "description": "Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.",
      "detectionPlatforms": [
        "DEBIAN_10",
        "DEBIAN_11",
        "DEBIAN_9",
        "DEBIAN_12",
        "DEBIAN_SID",
        "JAVA",
        "RUBY",
        "OPEN_SUSE_15_2",
        "OPEN_SUSE_15_3",
        "CENTOS_7",
        "UBUNTU_21_10",
        "UBUNTU_18_04",
        "UBUNTU_21_04",
        "UBUNTU_20_04",
        "UBUNTU_16_04",
        "AMAZON_LINUX_2",
        "SUSE_SERVER_15_6",
        "AMAZON_LINUX_2022",
        "AMAZON_LINUX",
        "FEDORA_34"
      ],
      "epss": {
        "score": 0.97232
      },
      "id": "CVE-2021-44228",
      "referenceUrls": [
        "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html",
        "https://support.apple.com/kb/HT213189",
        "https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/",
        "https://logging.apache.org/log4j/2.x/security.html",
        "https://www.debian.org/security/2021/dsa-5020",
        "https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf",
        "https://www.oracle.com/security-alerts/alert-cve-2021-44228.html",
        "https://www.oracle.com/security-alerts/cpujan2022.html",
        "https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf",
        "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M5CSVUNV4HWZZXGOKNSK6L7RPM7BOKIB/",
        "https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf",
        "https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf",
        "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VU57UJDCFIASIO35GC55JMKSRXJMCDFM/",
        "https://www.oracle.com/security-alerts/cpuapr2022.html",
        "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd",
        "https://twitter.com/kurtseifried/status/1469345530182455296",
        "https://lists.debian.org/debian-lts-announce/2021/12/msg00007.html",
        "https://www.kb.cert.org/vuls/id/930724"
      ],
      "relatedVulnerabilities": [],
      "source": "NVD",
      "sourceUrl": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228",
      "vendorCreatedAt": "2021-12-10T10:15:09+00:00",
      "vendorSeverity": "CRITICAL",
      "vendorUpdatedAt": "2024-11-21T06:30:38+00:00"
    }
  ]
}

Narrowing the output with jq

  • description
$ aws inspector2 search-vulnerabilities \
--filter-criteria vulnerabilityIds=CVE-2021-44228 | jq -r .vulnerabilities[0].description

Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
  • sourceUrl
$ aws inspector2 search-vulnerabilities \
--filter-criteria vulnerabilityIds=CVE-2021-44228 | jq -r .vulnerabilities[0].sourceUrl

https://nvd.nist.gov/vuln/detail/CVE-2021-44228
  • vendorSeverity
$ aws inspector2 search-vulnerabilities \
--filter-criteria vulnerabilityIds=CVE-2021-44228 | jq -r .vulnerabilities[0].vendorSeverity

CRITICAL
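The command above returns one record per call and the jq lines pull single fields out of it. As an added example that is not part of the original post, the script below does the same lookup from Python for a list of CVE IDs, validates each ID against the documented CVE-<year>-<ID> form before sending it, follows nextToken pagination, and then turns the cisaData, epss and cvss3 fields into a patch priority. The triage rule (P1/P2/P3), the FakeInspectorClient and the CVE-0000-0000 placeholder are assumptions made for this example; the real call is boto3's `client("inspector2").search_vulnerabilities(filterCriteria={"vulnerabilityIds": [...]})`, which takes the same filter shape the CLI sends. The sample record is a trimmed copy of the CVE-2021-44228 response shown above.

```python
import re

# Documented filter format: CVE-<year>-<ID>. The sequence number has at least
# four digits, so CVE-2021-44228 is valid and CVE-21-1 is not.
CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def validate_cve_id(cve_id: str) -> str:
    """Normalise and check an ID before it goes into filterCriteria."""
    cve_id = cve_id.strip().upper()
    if not CVE_ID_RE.match(cve_id):
        raise ValueError(f"not of the form CVE-<year>-<ID>: {cve_id!r}")
    return cve_id


def search_vulnerability(client, cve_id: str):
    """Return Inspector's record for one CVE, or None if it has no entry.

    The API takes a single CVE per call, so batch work loops over this.
    nextToken is honoured in case the response is ever paged.
    """
    cve_id = validate_cve_id(cve_id)
    kwargs = {"filterCriteria": {"vulnerabilityIds": [cve_id]}}
    while True:
        resp = client.search_vulnerabilities(**kwargs)
        for vuln in resp.get("vulnerabilities", []):
            if vuln.get("id") == cve_id:
                return vuln
        token = resp.get("nextToken")
        if not token:
            return None
        kwargs["nextToken"] = token


def triage(vuln: dict, epss_threshold: float = 0.5) -> dict:
    """Derive a patch priority from the cisaData, epss and cvss3 fields.

    The rule is an assumption made for this example, not AWS guidance:
      P1  listed in CISA KEV (cisaData present): fix by dateDue
      P2  EPSS >= epss_threshold or CVSS v3 base score >= 9.0
      P3  anything else
    EPSS scores are a snapshot; re-query rather than caching them for long.
    """
    reasons = []
    kev = vuln.get("cisaData")
    if kev:
        reasons.append(f"CISA KEV, due {kev.get('dateDue')}")
    epss = (vuln.get("epss") or {}).get("score", 0.0)
    if epss >= epss_threshold:
        reasons.append(f"EPSS {epss:.3f} >= {epss_threshold}")
    cvss = (vuln.get("cvss3") or {}).get("baseScore", 0.0)
    if cvss >= 9.0:
        reasons.append(f"CVSS v3 {cvss}")
    priority = "P1" if kev else ("P2" if reasons else "P3")
    return {
        "id": vuln["id"],
        "priority": priority,
        "severity": vuln.get("vendorSeverity"),
        "reasons": reasons,
    }


def triage_many(client, cve_ids) -> list:
    """Look up and triage several CVEs; IDs Inspector does not know are flagged."""
    results = []
    for raw in cve_ids:
        vuln = search_vulnerability(client, raw)
        if vuln is None:
            results.append({"id": validate_cve_id(raw), "priority": None,
                            "severity": None, "reasons": ["not in Inspector database"]})
        else:
            results.append(triage(vuln))
    return results


# Constructed sample: the CVE-2021-44228 record above, trimmed to the fields
# triage() uses, served by a stand-in for boto3's inspector2 client.
SAMPLE_VULNS = [{
    "id": "CVE-2021-44228",
    "vendorSeverity": "CRITICAL",
    "cvss3": {"baseScore": 10.0,
              "scoringVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},
    "epss": {"score": 0.97232},
    "cisaData": {"dateAdded": "2021-12-10T00:00:00+00:00",
                 "dateDue": "2021-12-24T00:00:00+00:00"},
}]


class FakeInspectorClient:
    """Offline stand-in exposing the same search_vulnerabilities() shape."""

    def search_vulnerabilities(self, filterCriteria, nextToken=None):
        wanted = set(filterCriteria["vulnerabilityIds"])
        return {"vulnerabilities": [v for v in SAMPLE_VULNS if v["id"] in wanted]}


if __name__ == "__main__":
    # Swap FakeInspectorClient() for boto3.client("inspector2") to query AWS.
    # CVE-0000-0000 is a format-valid placeholder absent from the sample data.
    for row in triage_many(FakeInspectorClient(), ["CVE-2021-44228", "cve-0000-0000"]):
        print(row)
```

Because the client is injected, the validation and triage logic can be unit-tested without credentials; with the real inspector2 client the same loop works unchanged, but remember the page's own caveat that Windows CVEs are not searchable, so a None result does not mean the CVE is harmless.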

Notes

For how to do this from the console, see the following blog post.
[Update] You can now search for specific CVE information in the Amazon Inspector vulnerability database | DevelopersIO

For the SearchVulnerabilities API specification, see the following documentation.
SearchVulnerabilities - Inspector

At the time of writing, the vulnerability database does not support Windows, so a CVE that only affects Windows software will not be found even though it is valid.

Currently, CVE search doesn't support Microsoft Windows.

Summary

In this post I tried out the Amazon Inspector vulnerability database from the AWS CLI.
I hope this is useful to someone.
