
Updating Packages on EC2 AMI Instance of UTM 9

Hello All,

Our cybersecurity division recently started auditing all of our EC2 instances on a much more granular level, and with that my AWS EC2 instance of the UTM9 AMI got flagged for some of the packages being out of date. Their recommendations are the following:

Finding                              | Severity | Component Name      | Version | Fixed Version
-------------------------------------|----------|--------------------|---------|--------------
End-of-Life Postfix 2.11.0           | Medium   | Postfix            | 2.11.0  | 3.6.11
End-of-Life Python Interpreter 2.7.6 | Medium   | Python Interpreter | 2.7.6   | 3.9.18
End-of-Life OpenSSL 1.0.2p           | Medium   | OpenSSL            | 1.0.2p  | 3.0.15
End-of-Life PostgreSQL 9.2.24        | Medium   | PostgreSQL         | 9.2.24  | 13.18

My question is, how do I go about getting these individual packages up to date? I've made sure that Up2Date is running the latest and greatest available version of the firmware through the GUI, so is there another way to get these packages up to date? I do have SSH/CLI access if that's an applicable route.


  • Bumping topic, I haven't seen this answered anywhere the more that I research. Is this just not possible? Am I forced to migrate to another device?

    • Usually those components are not reachable from outside and are used by the system itself. How did the team find those components?
      Because you cannot update them, and Sophos always fixes exploitable software by their own measures: upgrading OpenSSL to a new version is a huge undertaking, hence we are more likely to fix the individual issue rather than do an update of the entire library.

      This discussion is not a new one, but I did not see a security auditor logging into a system and reviewing the used software of a closed system like UTM.

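The exchange above turns on one distinction: the scanner's findings are derived from version strings ("End-of-Life X"), while on a vendor-managed appliance the individual libraries cannot be updated and fixes arrive through Up2Date. The following triage helper is an added example, not code from the thread or from Sophos; the CSV-like export shape it parses is an assumption, and the rows are constructed from the findings posted above. It parses the findings, records that the evidence is version-string only, notes when the "fixed version" would be a major-version jump (the kind of whole-library upgrade the reply says is impractical), and marks components that belong to the appliance as candidates for vendor confirmation and exception handling rather than local patching.

```python
"""Triage version-string EOL findings against a list of vendor-managed components.

Added example; not part of the original thread. The one-record-per-line,
comma-separated export format is an assumption made for this example.
"""
import re
from dataclasses import dataclass

# Constructed scanner export, reproducing the findings posted in the thread.
SCANNER_EXPORT = """\
End-of-Life Postfix 2.11.0,Medium,Postfix,2.11.0,3.6.11
End-of-Life Python Interpreter 2.7.6,Medium,Python Interpreter,2.7.6,3.9.18
End-of-Life OpenSSL 1.0.2p,Medium,OpenSSL,1.0.2p,3.0.15
End-of-Life PostgreSQL 9.2.24,Medium,PostgreSQL,9.2.24,13.18
"""

# Components the appliance vendor updates as a unit (via Up2Date on UTM),
# so they cannot be patched one by one from the shell. Constructed list.
VENDOR_MANAGED = {"Postfix", "Python Interpreter", "OpenSSL", "PostgreSQL"}


@dataclass
class Finding:
    title: str
    severity: str
    component: str
    version: str
    fixed_version: str


def parse_version(version: str):
    """Split '1.0.2p' into ((1, 0, 2), 'p'); numeric parts compare numerically,
    a trailing letter suffix (OpenSSL 1.0.x style) is kept separately."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]*)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    return numbers, m.group(2)


def parse_export(text: str):
    """Parse the export into Finding records; malformed lines raise rather
    than being silently dropped, so a truncated export is noticed."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(parts)}")
        findings.append(Finding(*parts))
    return findings


def is_major_upgrade(finding: Finding) -> bool:
    """True when the scanner's 'fixed version' is a different major release,
    i.e. a whole-library upgrade rather than a point release."""
    current, _ = parse_version(finding.version)
    fixed, _ = parse_version(finding.fixed_version)
    return fixed[0] > current[0]


def triage(findings, vendor_managed=VENDOR_MANAGED):
    """Annotate each finding with what the evidence actually is and the
    action that follows on a closed appliance versus a self-managed host."""
    report = []
    for f in findings:
        managed = f.component in vendor_managed
        if managed:
            action = ("vendor-managed component: cannot be updated individually; "
                      "confirm firmware is current via Up2Date, request vendor "
                      "advisory status, and file an exception with the auditor")
        else:
            action = "self-managed component: update via the OS package manager"
        report.append({
            "component": f.component,
            "severity": f.severity,
            "version": f.version,
            "fixed_version": f.fixed_version,
            # The export carries no per-CVE checks, only an EOL version match.
            "evidence": "version string only",
            "major_upgrade": is_major_upgrade(f),
            "vendor_managed": managed,
            "action": action,
        })
    return report


if __name__ == "__main__":
    for row in triage(parse_export(SCANNER_EXPORT)):
        flag = "MAJOR" if row["major_upgrade"] else "minor"
        print(f"{row['component']:<18} {row['version']:>8} -> {row['fixed_version']:<8} "
              f"[{flag}] {row['action']}")
```

The report makes the auditor's evidence explicit (an EOL version match, not a demonstrated exploitable flaw) and separates components the appliance owner can patch from those only the vendor can, which is the information an exception request needs.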

      • I'd assume at least Postfix and OpenSSL face the outside directly, Python may be arguable but in case you offer a User portal they'll do.

        • Why would Postfix and OpenSSL be used for reachable sites?


          • From what I gather, they're using agents that have full IAM permissions within the VPC to interrogate the EC2 instances and appliances from the inside out. I was surprised as well.

            • Overall, it is unusual (to me) to inspect an instance from within, as it is sold and installed as one product.

              Can you not flag this appliance as a "Sophos up2date" product that is not able to update individual libraries? If there is a need to address a certain issue or vulnerability, we can look into this, but you cannot simply make the statement that each vulnerability patched between the version used and the current version is exploitable.


              • Is there a publicly available list that shows that Sophos has patched the known vulnerabilities in the flagged versions? I'm just looking for an explanation of why this is running technically out-of-date packages. I have a feeling they are not looking at this holistically, but rather as a generic Linux box.

                • Unlikely. We are not listing such information. This is an old discussion about version scanning. Often it can be classified as "Closed Software". 


                  • Got it, and thanks for the clarification! I went ahead and started the process of reclassification / exception handling with our internal auditing teams.