We recently deployed 1Pass SCIM to our GCP environment, but our vulnerability management tool has flagged a number of high and critical vulnerabilities with the deployment. They primarily appear to be with the Google Container Optimized OS environment the SCIM is using. Example below.
My main question is: what is the appropriate process for remediating/patching these vulnerabilities? I am new to SCIM and GCP, so I'm a bit unsure of the right path forward. At first glance, it appears the container is tied to the main SCIM provision, and isn't independently upgraded. Anyway, the question is what is the best path forward to patch for these vulnerabilities? It appears the Container OS needs to be upgraded.
The machine running Container-Optimized OS version 89.16108.604.28 is vulnerable to CVE-2022-1292, which exists in versions >= 220.127.116.11, < 89.16108.659.14. The vulnerability affects the package openssl, which is installed by default on the Container-Optimized OS image.
The vulnerability was found in the Container-Optimized OS Release Notes with NVD severity: Critical.
The vulnerability can be remediated by updating the image version to 89.16108.659.14 or higher.
Detailed Name: openssl
Fixed Version: 89.16108.659.14
Detection Method: Operating System
Data Source Link: cloud.google.com
Detected by Package: openssl
Description: The package zlib1g version 1:1.2.11.dfsg-2 was detected in APT package manager on a container image running Debian 11.0 is vulnerable to CVE-2018-25032, which exists in versions < 1:1.2.11.dfsg-2+deb11u1.
The vulnerability was found in the Official Debian Security Advisories with vendor severity: High (NVD severity: High).
The vulnerability can be remediated by updating the package to version 1:1.2.11.dfsg-2+deb11u1 or higher, by adding the following command to the Dockerfile: RUN apt upgrade zlib1g.
Detailed Name: zlib1g
Fixed Version: 1:1.2.11.dfsg-2+deb11u1
Thanks in advance for any help or pointers.
1Password Version: 2.4.0
Extension Version: Not Provided
OS Version: Google Container Optimized OS