aws-cli/2.17.8 on Linux is flagged as vulnerable to CVE-2024-0397

[lanzkron]

Describe the bug

Security scanners flag the Python version brought by aws-cli/2.17.8 (3.11.8) as vulnerable to CVE-2024-0397.

Expected Behavior

aws-cli should not bring vulnerable packages.

Current Behavior

Anchore reports:

A defect was discovered in the Python \u201cssl\u201d module where there is a memory\nrace condition with the ssl.SSLContext methods \u201ccert_store_stats()\u201d and\n\u201cget_ca_certs()\u201d. The race condition can be triggered if the methods are\ncalled at the same time as certificates are loaded into the SSLContext,\nsuch as during the TLS handshake with a certificate directory configured.\nThis issue is fixed in CPython 3.10.14, 3.11.9, 3.12.3, and 3.13.0a5. ( Evidence Locations: /usr/local/aws-cli/v2/2.17.8/dist/libpython3.11.so.1.0)

Reference Info:
https://nvd.nist.gov/vuln/detail/CVE-2024-0397

Reproduction Steps

Install latest aws-cli from https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip
Run security scan

Possible Solution

Upgrade Python to 3.11.9

Additional Information/Context

No response

CLI version used

aws-cli/2.17.8

Environment details (OS name and version, etc.)

aws-cli/2.17.8 Python/3.11.8 Linux/4.14.343-260.564.amzn2.x86_64 exe/x86_64.opensuse.15

[sgentzen]

Just adding to this, I'm seeing the same results starting in 2.17.7 through 2.7.11. I had to revert to 2.17.6.

[tim-finnigan]

Thanks for reporting. In 2.17.12 the Python interpreter was updated per the CHANGELOG:

* enhancement:Python: Update bundled Python interpreter version to 3.11.9

Please update to 2.17.12+ to address this issue.

[github-actions]

This issue is now closed. Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.

[lanzkron]

Thanks for the prompt response!