SecurityΒΆ
Table of ContentsΒΆ
Reporting Security VulnerabilitiesΒΆ
If you discover a security vulnerability in SEC Provisioner, please report it to:
Email: security@axontechlabs.com
Response Time: Within 24 hours for critical issues
Please include:
Description of the vulnerability
Steps to reproduce
Potential impact
Suggested fix (if available)
Known VulnerabilitiesΒΆ
Base Image VulnerabilitiesΒΆ
All known vulnerabilities originate from the Debian 13.4 (trixie) base image used by the official python:3.13-slim Docker image. No vulnerabilities exist in SEC Provisioner application code or Python dependencies.
HIGH SeverityΒΆ
CVE-2026-4046 (glibc iconv Denial of Service)ΒΆ
Status: fix_deferred
Severity: HIGH
Affected Component: glibc (libc-bin, libc6) 2.41-12+deb13u2
Source: Official Python Docker image (python:3.13-slim)
Description:
Denial of Service via the iconv() function when processing specific character sets. Present in the GNU C Library shipped with Debian 13.4.
Impact Assessment:
Upstream dependency vulnerability, not in SEC Provisioner application code
SEC Provisioner does not use iconv() for character set conversion
Difficult to exploit in containerized environments with no user-facing input parsing
Debian has deferred the fix to a future release
References:
CVE-2025-69720 (ncurses Buffer Overflow)ΒΆ
Status: affected
Severity: HIGH
Affected Component: ncurses (libncursesw6, libtinfo6, ncurses-base, ncurses-bin) 6.5+20250216-2
Source: Official Python Docker image (python:3.13-slim)
Description:
Buffer overflow vulnerability in ncurses that may lead to arbitrary code execution. Present in the ncurses library shipped with Debian 13.4.
Impact Assessment:
Upstream dependency vulnerability, not in SEC Provisioner application code
SEC Provisioner does not use ncurses for terminal interaction
Container runs non-interactively via entrypoint script β no terminal UI
No fix available from Debian
References:
CVE-2026-29111 (systemd Arbitrary Code Execution)ΒΆ
Status: affected
Severity: HIGH
Affected Component: systemd (libsystemd0, libudev1) 257.9-1~deb13u1
Source: Official Python Docker image (python:3.13-slim)
Description:
Arbitrary code execution or Denial of Service via spurious IPC in systemd. Present in the systemd libraries shipped with Debian 13.4.
Impact Assessment:
Upstream dependency vulnerability, not in SEC Provisioner application code
SEC Provisioner does not interact with systemd IPC mechanisms
Container does not run systemd β uses a simple entrypoint script
No fix available from Debian
References:
MEDIUM SeverityΒΆ
CVE |
Component |
Version |
Description |
|---|---|---|---|
CVE-2026-4437 |
glibc (libc-bin, libc6) |
2.41-12+deb13u2 |
Incorrect DNS response parsing via crafted DNS server response |
CVE-2026-4438 |
glibc (libc-bin, libc6) |
2.41-12+deb13u2 |
Invalid DNS hostname returned via gethostbyaddr functions |
CVE-2026-4105 |
systemd (libsystemd0, libudev1) |
257.9-1~deb13u1 |
Privilege escalation via improper access control in RegisterMachine D-Bus method |
CVE-2026-27171 |
zlib (zlib1g) |
1.3.dfsg+really1.3.1-1+b1 |
Denial of Service via infinite loop in CRC32 combine functions |
Impact Assessment: All MEDIUM vulnerabilities are in base image system libraries. SEC Provisioner does not directly invoke the affected functions. No fixes are currently available from Debian.
LOW SeverityΒΆ
73 LOW-severity findings exist in the Debian 13.4 base image across packages including apt, bash, coreutils, openssl, perl, shadow-utils, sqlite, tar, and util-linux. These are long-standing issues with no fixes available from Debian. They are monitored and will be resolved when upstream patches are released.
Common MitigationsΒΆ
The following mitigations apply to all base image vulnerabilities:
Using official Python Docker image from trusted source (Docker Hub)
Container runs as non-root user (
secuser) with restricted permissionsNo network services exposed by the container
Container image filesystem is read-only β writable access limited to mounted volumes
AWS credentials are mounted read-only at runtime
Container runs non-interactively β no shell access, no terminal UI
Multi-stage Docker build separates build dependencies from runtime
Customer Guidance:
When Amazon Inspector flags these vulnerabilities:
Acknowledge these are known base image vulnerabilities
Review this security disclosure for context
Implement additional security controls as needed (network isolation, IAM restrictions)
Monitor for updated SEC Provisioner releases with patched base image
Security FeaturesΒΆ
Container SecurityΒΆ
Non-root user: Container runs as
secuser(UID 1000)Minimal base image: Using
python:3.13-slimfor reduced attack surfaceMulti-stage build: Separates build dependencies from runtime
No hardcoded credentials: All credentials provided at runtime
Read-only mounts: AWS credentials mounted as read-only
Health checks: Container health monitoring enabled
OCI metadata: Full image labeling for tracking and compliance
Application SecurityΒΆ
Input validation: All configuration inputs validated against JSON schemas
IAM least privilege: Minimal IAM permissions required
Cython compilation: Core modules compiled to
.sofiles for code protectionLicense validation: AWS Marketplace license verification
Audit logging: All operations logged with timestamps
CloudFormation: Infrastructure as Code for reproducibility and audit trails
Tier-based access control: Features gated by purchased tier (startup/medium/enterprise)
IAM SecurityΒΆ
Policy templates: Pre-built least-privilege IAM policies for AWS services
Assumable roles: Cross-functional role architecture with skill-based access
Group management: IAM groups with scoped permissions per team function
CloudFormation stacks: All IAM resources managed as code for audit trails
Parameter Store integration: Stack outputs stored securely for cross-provisioner use
Managed policies: Standalone managed policies from pre-built templates, inline policies on groups managed via CloudFormation
Security Best PracticesΒΆ
For detailed security guidelines, see:
Security ScanningΒΆ
Pre-deployment ScanningΒΆ
Run security scans before deploying:
# Scan Docker image for vulnerabilities (use your tier tag)
trivy image sec-provisioner:startup-5
trivy image sec-provisioner:medium-10
trivy image sec-provisioner:enterprise-12
Continuous MonitoringΒΆ
Amazon Inspector: Scans container images in ECR
AWS Security Hub: Aggregates security findings
CloudTrail: Monitors API activity
CloudWatch: Monitors application logs and metrics
ComplianceΒΆ
StandardsΒΆ
AWS Well-Architected Framework - Security Pillar
CIS Docker Benchmark
NIST Cybersecurity Framework
IAM Security Best Practices
CertificationsΒΆ
AWS Marketplace security requirements
Container security best practices
Infrastructure as Code security standards
Security Update PolicyΒΆ
Update PriorityΒΆ
Critical vulnerabilities: Patched within 24 hours
High vulnerabilities: Patched within 7 days
Medium vulnerabilities: Patched within 30 days
Low vulnerabilities: Patched in next regular release
Update NotificationΒΆ
Security updates are announced via:
Release notes (RELEASE_NOTES)
Security advisories (this document)
AWS Marketplace product updates
Email notifications to registered customers
Incident ResponseΒΆ
Response ProcessΒΆ
Detection: Vulnerability identified via scanning or reporting
Assessment: Evaluate severity and impact
Containment: Implement temporary mitigations if needed
Remediation: Develop and test fix
Deployment: Release patched version
Communication: Notify customers and stakeholders
Review: Post-incident analysis and documentation
Contact InformationΒΆ
Security Team: security@axontechlabs.com
Emergency Response: Available 24/7 for critical issues
AWS Support: Enterprise Support for infrastructure issues