AWS Security hub flagged Releem Agent

[drupaladmin]

AWS Security hub flagged that the Releem services: ReleemAgentService (2) have public IPs associated with each task that is launched in the service. There is no risk of external access as the security group attached to the ENIs only permit traffic from within the VPC. Unless there is a need for a public IP on this service, it is recommended to remove it. Can you confirm if we require a public IP to be associated with the releem instance or can we remove this to address the security hub warning?

[drupaladmin]

The agent doesn't require a public IP address. But it needs to access the Internet. Access to the agent from the Internet is not required because the agent does not listen any port.

We have added a CloudFormation template without assigning a public address.
Before updating, you need to create, if it does not exist, a VPC with a private subnet and NAT. You can find the guide at the following links:

• https://docs.aws.amazon.com/vpc/latest/userguide/vpc-example-private-subnets-nat.html
• https://repost.aws/knowledge-center/nat-gateway-vpc-private-subnet

To update the agent, please use the following steps:

1. Select CloudFormation Stack - releem-agent, click the Update button
2. Select “Replace existing template”
3. Paste in “Amazon S3 URL” url https://releem.s3.us-east-1.amazonaws.com/test/releem-agent-cloudformation-private.yml
   and click “Next”
4. Change the “SecurityGroupIDs” and “SubnetIDs” options, specifying the private subnet with NAT that provides Internet access and click “Next”
5. Click “Next” and “Submit”

[kochetovd]

Hi, did update the template and upgraded to latest version 1.21.4.1. Still facing the issue.

Confirmed we are using only private subnets

[kochetovd]

Scanning of Docker image version 1.21.4.1 found critical and high severity vulnerabilities.

The vulnerabilities were found in the golang/stdlib in the releem-agent and envsubst packages. However, Releem Agent does not use any of the affected functions from these libraries, so they do not pose any actual risk.
All packages have been updated to their latest available versions, resolving the vast majority of flagged CVEs. 6f15717

A rescan of the Docker image version 1.21.5 found a critical and high severity vulnerability only in the envsubst package.

Some CVEs remain in the latest version of the third-party utility envsubst, which is used by Releem Agent. These remaining issues do not affect the security or operation of the Releem Agent. Nonetheless, we’ve taken additional steps to ensure transparency and long-term mitigation:
• We’ve created an issue in the official envsubst repository: a8m/envsubst#68
• We’re also considering removing envsubst from the Releem Agent altogether, to eliminate any unnecessary exposure.