fix: remove pip from Lambda GPU runtime images to eliminate bundled CVEs

junpuf · junpuf · commit 8c1571babfb1 · 2026-03-12T11:06:12.000-07:00
Install awslambdaric via uv instead of inheriting it from the Lambda base image. Copy only Python binary/stdlib/lib from lambda-python stage, drop site-packages entirely, and install all deps (including awslambdaric==3.1.1 and pip==25.3) via uv so we own the full dependency tree. Remove pip after OSS compliance step runs. This eliminates the three pip-bundled CVEs that could not be patched via requirements pinning: - CVE-2024-6345 (setuptools RCE via pip/_vendor/pkg_resources) - CVE-2025-47273 (setuptools path traversal via pip/_vendor/pkg_resources) - CVE-2026-21441 (urllib3 decompression bomb via pip/_vendor/urllib3==1.26.20) Allowlist reduced from 14 to 11 entries. Signed-off-by: Junpu Fan <junpu@amazon.com>
diff --git a/docker/lambda/Dockerfile b/docker/lambda/Dockerfile
@@ -1,8 +1,9 @@
 # ============================================================
 # Lambda Python sources
-# These images include the Lambda Runtime Interface Client (RIC)
-# pre-installed in /var/lang, so no explicit awslambdaric install
-# is needed in downstream runtime stages.
+# We take only the Python binary, stdlib, and lib-dynload.
+# Site-packages are intentionally excluded — all dependencies
+# (including awslambdaric) are installed via uv so we own the
+# full dependency tree with no Lambda-bundled extras.
 # ============================================================
 FROM public.ecr.aws/lambda/python:3.13 as lambda-python
 
@@ -58,19 +59,25 @@ RUN dnf install -y --setopt=install_weak_deps=False \
   && cd /tmp && rm -rf ffmpeg-6.1
 
 # ============================================================
-# Base builder (Python 3.13 — requests, pip-licenses for OSS compliance)
+# Base builder (Python 3.13 — awslambdaric, requests, pip-licenses)
 # ============================================================
 FROM builder-base as builder-base-py3
-COPY --from=lambda-python /var/lang /var/lang
+COPY --from=lambda-python /var/lang/bin /var/lang/bin
+COPY --from=lambda-python /var/lang/include /var/lang/include
+COPY --from=lambda-python /var/lang/lib /var/lang/lib
+RUN rm -rf /var/lang/lib/python3.13/site-packages
 ENV PATH="/var/lang/bin:$PATH"
 COPY ./docker/lambda/requirements-base.txt /tmp/requirements.txt
 RUN --mount=type=cache,target=/root/.cache/uv uv pip install --python /var/lang/bin/python3.13 -r /tmp/requirements.txt
 
 # ============================================================
-# CuPy builder (Python 3.13 — CuPy, NumPy, SciPy, etc.)
+# CuPy builder (Python 3.13 — awslambdaric, CuPy, NumPy, SciPy, etc.)
 # ============================================================
 FROM builder-base as builder-cupy-py3
-COPY --from=lambda-python /var/lang /var/lang
+COPY --from=lambda-python /var/lang/bin /var/lang/bin
+COPY --from=lambda-python /var/lang/include /var/lang/include
+COPY --from=lambda-python /var/lang/lib /var/lang/lib
+RUN rm -rf /var/lang/lib/python3.13/site-packages
 ENV PATH="/var/lang/bin:$PATH"
 COPY ./docker/lambda/requirements-cupy.txt /tmp/requirements.txt
 RUN --mount=type=cache,target=/root/.cache/uv \
@@ -81,10 +88,13 @@ RUN --mount=type=cache,target=/root/.cache/uv \
   && find /var/lang -type f -name "*.pyo" -delete
 
 # ============================================================
-# PyTorch builder (Python 3.13 — PyTorch, SAM2, transformers)
+# PyTorch builder (Python 3.13 — awslambdaric, PyTorch, SAM2, transformers)
 # ============================================================
 FROM builder-base-devel as builder-pytorch-py3
-COPY --from=lambda-python /var/lang /var/lang
+COPY --from=lambda-python /var/lang/bin /var/lang/bin
+COPY --from=lambda-python /var/lang/include /var/lang/include
+COPY --from=lambda-python /var/lang/lib /var/lang/lib
+RUN rm -rf /var/lang/lib/python3.13/site-packages
 ENV PATH="/var/lang/bin:$PATH"
 COPY ./docker/lambda/requirements-pytorch.txt /tmp/requirements.txt
 RUN --mount=type=cache,target=/root/.cache/uv \
@@ -133,14 +143,15 @@ RUN chmod +x /usr/local/bin/deep_learning_container.py \
   && echo 'source /usr/local/bin/bash_telemetry.sh' >>/etc/bashrc \
   && echo 'source /usr/local/bin/bash_telemetry.sh' >>/root/.bashrc \
   && bash /tmp/setup_oss_compliance.sh python3 \
-  && rm /tmp/setup_oss_compliance.sh
+  && rm /tmp/setup_oss_compliance.sh \
+  && rm -rf /var/lang/lib/python3.13/site-packages/pip \
+    /var/lang/lib/python3.13/site-packages/pip-25.3.dist-info
 WORKDIR /var/task
 ENTRYPOINT ["/lambda_entrypoint.sh", "python", "-m", "awslambdaric"]
 CMD ["handler.handler"]
 
 # ============================================================
 # Runtime: CuPy Python 3.13 (base + CuPy, NumPy, SciPy)
-# /var/lang from builder includes both Lambda RIC and our deps.
 # ============================================================
 FROM nvidia/cuda:12.8.1-runtime-amzn2023 as cupy-py3
 LABEL maintainer="Amazon AI"
@@ -177,7 +188,9 @@ RUN chmod +x /usr/local/bin/deep_learning_container.py \
   && echo 'source /usr/local/bin/bash_telemetry.sh' >>/etc/bashrc \
   && echo 'source /usr/local/bin/bash_telemetry.sh' >>/root/.bashrc \
   && bash /tmp/setup_oss_compliance.sh python3 \
-  && rm /tmp/setup_oss_compliance.sh
+  && rm /tmp/setup_oss_compliance.sh \
+  && rm -rf /var/lang/lib/python3.13/site-packages/pip \
+    /var/lang/lib/python3.13/site-packages/pip-25.3.dist-info
 WORKDIR /var/task
 ENTRYPOINT ["/lambda_entrypoint.sh", "python", "-m", "awslambdaric"]
 CMD ["handler.handler"]
@@ -225,7 +238,9 @@ RUN chmod +x /usr/local/bin/deep_learning_container.py \
   && echo 'source /usr/local/bin/bash_telemetry.sh' >>/etc/bashrc \
   && echo 'source /usr/local/bin/bash_telemetry.sh' >>/root/.bashrc \
   && bash /tmp/setup_oss_compliance.sh python3 \
-  && rm /tmp/setup_oss_compliance.sh
+  && rm /tmp/setup_oss_compliance.sh \
+  && rm -rf /var/lang/lib/python3.13/site-packages/pip \
+    /var/lang/lib/python3.13/site-packages/pip-25.3.dist-info
 WORKDIR /var/task
 ENTRYPOINT ["/lambda_entrypoint.sh", "python", "-m", "awslambdaric"]
 CMD ["handler.handler"]
diff --git a/docker/lambda/requirements-base.txt b/docker/lambda/requirements-base.txt
@@ -1,3 +1,5 @@
+awslambdaric==3.1.1
+pip==25.3
 pip-licenses==5.5.1
 requests==2.32.5
 setuptools==78.1.1
diff --git a/docker/lambda/requirements-cupy.txt b/docker/lambda/requirements-cupy.txt
@@ -1,9 +1,11 @@
+awslambdaric==3.1.1
 boto3==1.40.4
 cupy-cuda12x==14.0.1
 cvxpy==1.8.1
 numba==0.64.0
 numpy==2.4.2
 pandas==3.0.1
+pip==25.3
 pip-licenses==5.5.1
 requests==2.32.5
 scipy==1.17.1
diff --git a/docker/lambda/requirements-pytorch.txt b/docker/lambda/requirements-pytorch.txt
@@ -1,12 +1,14 @@
 --extra-index-url https://download.pytorch.org/whl/cu128
 accelerate==1.12.0
 av==16.1.0
+awslambdaric==3.1.1
 boto3==1.40.4
 diffusers==0.36.0
 librosa==0.11.0
 numpy==2.4.2
 opencv-python-headless==4.13.0.92
 pillow==12.1.1
+pip==25.3
 pip-licenses==5.5.1
 requests==2.32.5
 safetensors==0.7.0
diff --git a/test/security/data/ecr_scan_allowlist/lambda/framework_allowlist.json b/test/security/data/ecr_scan_allowlist/lambda/framework_allowlist.json
@@ -1,9 +1,5 @@
 [
-    {
-        "vulnerability_id": "CVE-2024-6345",
-        "reason": "setuptools package_index RCE; pinned to setuptools==78.1.1 in requirements but ECR scan detects older copy bundled in uv or the Lambda base image's pip, which cannot be patched via requirements.",
-        "review_by": "2026-03-24"
-    },
+
     {
         "vulnerability_id": "CVE-2025-4138",
         "reason": "Python tarfile symlink extraction filter bypass (stdlib); cannot be patched via pip. Lambda images do not extract untrusted tar archives at runtime.",
@@ -24,11 +20,7 @@
         "reason": "Python tarfile arbitrary write with filter=data (stdlib); cannot be patched via pip. Lambda images do not extract untrusted tar archives at runtime.",
         "review_by": "2026-03-24"
     },
-    {
-        "vulnerability_id": "CVE-2025-47273",
-        "reason": "setuptools path traversal; pinned to setuptools==78.1.1 in requirements but ECR scan detects older copy bundled in uv or the Lambda base image's pip, which cannot be patched via requirements.",
-        "review_by": "2026-03-24"
-    },
+
     {
         "vulnerability_id": "CVE-2025-47912",
         "reason": "Go net/url insufficient validation of bracketed IPv6 hostnames; present in NVIDIA CUDA base image Go tooling, not exposed by Lambda runtime.",
@@ -44,11 +36,7 @@
         "reason": "Python tarfile extraction API defect (stdlib); cannot be patched via pip. Lambda images do not extract untrusted tar archives at runtime.",
         "review_by": "2026-03-24"
     },
-    {
-        "vulnerability_id": "CVE-2026-21441",
-        "reason": "urllib3 decompression bomb on redirect responses; pinned to urllib3==2.6.3 in requirements files but ECR scan may still report against bundled copies in transitive deps.",
-        "review_by": "2026-03-24"
-    },
+
     {
         "vulnerability_id": "CVE-2026-23949",
         "reason": "CVE details not yet published; present in NVIDIA CUDA base image, no fix available in AL2023 repo.",

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,5 @@`
	`1`	`+awslambdaric==3.1.1`
	`2`	`+pip==25.3`
`1`	`3`	`pip-licenses==5.5.1`
`2`	`4`	`requests==2.32.5`
`3`	`5`	`setuptools==78.1.1`