Cloud Security

AWS container image repository vulnerability addressed

Amazon Web Services has addressed a vulnerability in the Amazon Elastic Container Registry Public Gallery, a public container image repository used by Amazon Linux, Ubuntu, NGINX, and HashiCorp Consul, reports The Record, a news site by cybersecurity firm Recorded Future. Threat actors could leverage the flaw, discovered by Lightspin Director of Security Research Gafnit Amiga, to create, delete, and update ECR Public images, layers, and registry and repository tags. "This vulnerability could potentially lead to denials of service, data exfiltration, lateral movement, privilege escalation, data destruction, and other multivariate attack paths that are only limited by the craftiness and goals of the adversary," said Amiga. The bug was reported to AWS on Nov. 14, with a fix issued in less than 24 hours. "We have conducted exhaustive analysis of all logs. We are confident our review was conclusive, and that the only activity associated with this issue was between accounts owned by the researcher. No other customers' accounts were affected, and no customer action is required. We would like to thank Lightspin for reporting this issue," said AWS.
