Security

Reporting Security Vulnerabilities

If you discover a security vulnerability in SG Provisioner, please report it to:

Email: security@axontechlabs.com

Response Time: Within 24 hours for critical issues

Please include:

  • Description of the vulnerability

  • Steps to reproduce

  • Potential impact

  • Suggested fix (if available)

Known Vulnerabilities

Base Image Vulnerabilities

All known vulnerabilities originate from the Debian base image used by the official python:3.13-slim Docker image. No vulnerabilities exist in SG Provisioner application code or Python dependencies.

Summary (as of 2026-05-05): 0 Critical, 7 HIGH, 42 MEDIUM, 63 LOW

HIGH Severity

| CVE | Component | Description |
|---|---|---|
| CVE-2026-4878 | libcap | Privilege escalation via TOCTOU race condition in cap_set_file() |
| CVE-2025-69720 | ncurses | Buffer overflow vulnerability may lead to arbitrary code execution |
| CVE-2026-29111 | systemd | Arbitrary code execution or Denial of Service via spurious IPC |

Impact Assessment: All vulnerabilities are in base image system libraries. SG Provisioner does not directly invoke the affected functions. No fixes are currently available from Debian.

For the full vulnerability list run:

trivy image sg-provisioner:latest

Common Mitigations

  • Container runs as non-root user (sguser) with restricted permissions

  • No network services exposed by the container

  • AWS credentials are mounted read-only at runtime

  • Container runs non-interactively — no shell access

  • Multi-stage Docker build separates build dependencies from runtime

  • Cython compilation protects application source code

Security Features

Container Security

  • Non-root user: Container runs as sguser (UID 1000)

  • Minimal base image: python:3.13-slim for reduced attack surface

  • Multi-stage build: Separates build dependencies from runtime

  • Source protection: Core modules compiled to .so files via Cython

  • No hardcoded credentials: All credentials provided at runtime

  • Read-only mounts: AWS credentials mounted as read-only

  • Health checks: Container health monitoring enabled

  • No exposed ports: Container exposes no network services

Application Security

  • Input validation: All configuration validated against JSON Schema

  • Path traversal prevention: Config filenames cannot contain path separators

  • IAM least privilege: Split SSM permissions (read VPC, manage SG)

  • License validation: AWS Marketplace license verification

  • Audit logging: All operations logged with timestamps

  • Scenario validation: Security checks block dangerous patterns (open DB ports, SSH from public)

Security Group Validation

The scenario validator checks for:

  • Database ports open to 0.0.0.0/0 or ::/0 (ERROR)

  • SSH (22) or RDP (3389) open to the world (WARNING)

  • Missing security group descriptions (ERROR)

  • References to non-existent tiers (ERROR)
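
A minimal sketch of the four checks listed above, as an added example and not SG Provisioner's own code. The scenario layout (`tiers`, `ingress`, `source`, `from_port`, `to_port`), the `DB_PORTS` set and the function names are assumptions made for illustration.

```python
# Added illustration: scenario layout and DB_PORTS are assumptions, not SG Provisioner's schema.
import ipaddress

DB_PORTS = {1433, 1521, 3306, 5432, 6379, 27017}  # assumed database ports
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}


def parse_cidr(source):
    """Return an ip_network for a CIDR/IP source, or None for a tier name."""
    try:
        return ipaddress.ip_network(source, strict=False)
    except ValueError:
        return None


def validate(scenario):
    """Return a list of (level, tier, message) findings."""
    findings = []
    tiers = scenario.get("tiers", {})
    for name, tier in tiers.items():
        if not tier.get("description", "").strip():
            findings.append(("ERROR", name, "missing security group description"))
        for rule in tier.get("ingress", []):
            src, lo, hi = rule["source"], rule["from_port"], rule["to_port"]
            net = parse_cidr(src)
            if net is None:  # source is a tier reference
                if src not in tiers:
                    findings.append(("ERROR", name, f"reference to non-existent tier '{src}'"))
                continue
            if net.prefixlen != 0:  # only 0.0.0.0/0 and ::/0 count as "the world"
                continue
            # Test the whole port range so a 0-65535 rule is caught too.
            for port in sorted(p for p in DB_PORTS if lo <= p <= hi):
                findings.append(("ERROR", name, f"database port {port} open to {src}"))
            for port, label in ADMIN_PORTS.items():
                if lo <= port <= hi:
                    findings.append(("WARNING", name, f"{label} ({port}) open to {src}"))
    return findings


# Constructed sample scenario (not real configuration).
SAMPLE = {"tiers": {
    "web": {"description": "Public web tier", "ingress": [
        {"from_port": 443, "to_port": 443, "source": "0.0.0.0/0"},
        {"from_port": 22, "to_port": 22, "source": "::/0"}]},
    "db": {"description": "", "ingress": [
        {"from_port": 5432, "to_port": 5432, "source": "app"},
        {"from_port": 0, "to_port": 65535, "source": "0.0.0.0/0"}]},
}}
```

Calling `validate(SAMPLE)` reports the SSH rule on `web` as a warning and, on `db`, the empty description, the dangling `app` reference and every assumed database port covered by the all-ports rule as errors.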

Security Update Policy

| Severity | Response Time |
|---|---|
| Critical | Patched within 24 hours |
| High | Patched within 7 days |
| Medium | Patched within 30 days |
| Low | Patched in next regular release |

Updates announced via:

  • Release notes

  • AWS Marketplace product updates

  • Security advisories (this document)

Incident Response

Response Process

  1. Detection: Vulnerability identified via scanning or reporting

  2. Assessment: Evaluate severity and impact

  3. Containment: Implement temporary mitigations if needed

  4. Remediation: Develop and test fix

  5. Deployment: Release patched version

  6. Communication: Notify customers

Contact Information

  • Security Team: security@axontechlabs.com

  • Emergency Response: Available 24/7 for critical issues

Copyright © 2025 Axon Tech Labs. All rights reserved.