CVE-2024-34158

[curtdept]

Detectors are picking up a CVE in this lambda layer on 1.5.7

https://nvd.nist.gov/vuln/detail/CVE-2024-34158

Looks like go was bumped in Feb but this hasn't made a published release.

https://github.com/elastic/apm-aws-lambda/blob/5006279928ce999a9e580206237a00fd7c63a83c/go.mod

[christos68k]

I believe this is a false positive as apm-aws-lambda does not use 'go/build/constraint'. Nevertheless the PR that @florianl linked should make the alerts/detections go away.

[curtdept]

For PPC64, this PR should also resolve https://nvd.nist.gov/vuln/detail/CVE-2025-22866

[curtdept]

@florianl do you know when you might bump the release version on this?

[hsharif-rh]

Hey @florianl, when can we expect this to be reflected for the following layers:

FROM docker.elastic.co/observability/apm-lambda-extension-x86_64:latest AS lambda-extension
FROM docker.elastic.co/observability/apm-agent-nodejs:latest AS nodejs-agent

We've been seeing a lot of noise around vulnerabilities around Go. Do you have a rollout scheduled? Thank you.

[curtdept]

@hsharif-rh I dunno what's going on with the releases for this these days.

If you want, sync the repo and "make zip" and it will give you the layer package you can deploy to AWS. You will need golang and syft installed first.

[christos68k]

Hi all, we published 1.5.8 (I bumped Go to 1.23.8 as 1.23.7 had more CVEs).