Please update Docker Image due to Security Issues CVE-2024-39689 CVE-2024-6345 #29397

Closed
coding-jj opened this issue Jul 16, 2024 · 2 comments
Labels: Azure CLI Team (The command of the issue is owned by Azure CLI team), bug (This issue requires a change to an existing behavior in the product in order to be resolved), customer-reported (Issues that are reported by GitHub users external to the Azure organization)
Comments

coding-jj commented Jul 16, 2024

Describe the bug

Please update the Docker image. Trivy shows that the container is affected by two CVEs:

Related command

docker run -it mcr.microsoft.com/azure-cli:latest
trivy --scanners vuln image mcr.microsoft.com/azure-cli:latest

Errors

Trivy Output

┌───────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│        Library        │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                            │
├───────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ certifi (METADATA)    │ CVE-2024-39689 │ LOW      │ fixed  │ 2023.7.22         │ 2024.07.04    │ python-certifi: Remove root certificates from `GLOBALTRUST` │
│                       │                │          │        │                   │               │ from the root store                                         │
│                       │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-39689                  │
├───────────────────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ setuptools (METADATA) │ CVE-2024-6345  │ HIGH     │        │ 65.5.1            │ 70.0.0        │ pypa/setuptools: Remote code execution via download         │
│                       │                │          │        │                   │               │ functions in the package_index module in...                 │
│                       │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-6345                   │
└───────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘

Issue script & Debug output

No Debug Output

Expected behavior

Please run a security test like Trivy (https://github.com/aquasecurity/trivy) daily in your pipeline and update the security-affected dependencies on short notice. Updating the Python dependencies in particular is complex. I tried to update to all the new packages, which results in a non-functioning azure-cli:

pip --disable-pip-version-check list --outdated --format=json | jq -r '.[] | .name' | xargs -n1 pip install -U

Security updates should not be done by the user of the container, but by the project itself!

Environment Summary

azure-cli 2.62.0

core 2.62.0
telemetry 1.1.0

Dependencies:
msal 1.28.1
azure-mgmt-resource 23.1.1

Python location '/usr/local/bin/python'
Extensions directory '/root/.azure/cliextensions'

Python (Linux) 3.11.9 (main, Jun 27 2024, 03:24:56) [GCC 13.2.1 20240309]

Legal docs and information: aka.ms/AzureCliLegal

Additional context

No response

@coding-jj coding-jj added the bug This issue requires a change to an existing behavior in the product in order to be resolved. label Jul 16, 2024
@microsoft-github-policy-service microsoft-github-policy-service bot added the customer-reported Issues that are reported by GitHub users external to the Azure organization. label Jul 16, 2024
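The reporter asks for two things: a scanner in the pipeline that fails the build, and an update of only the affected packages (the blanket `pip list --outdated | xargs pip install -U` approach broke the CLI). The script below is an added example and is not code from this issue or from the Azure CLI project. It reads the JSON that `trivy image --format json` writes; the field names it relies on (`Results`, `Type`, `Vulnerabilities`, `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`) follow Trivy's JSON schema as an assumption to verify against your Trivy version. The embedded report is constructed to mirror the two findings in the table above, so the script runs offline; the `--fail-on` threshold, the `--ignore-unfixed` switch and the `constraints()` helper that emits `pkg>=fixed` pins for only the flagged Python packages are this example's own design.

```python
#!/usr/bin/env python3
"""Fail a CI job on Trivy findings and emit pip pins for just the flagged packages.

Added example, not Azure CLI project code. Field names follow Trivy's JSON
output (assumption: check `trivy image --format json` on your version).
"""
import argparse
import json
import sys

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample in the shape of a Trivy JSON report; the two findings
# mirror the table in the issue (certifi LOW, setuptools HIGH).
SAMPLE_REPORT = {
    "ArtifactName": "mcr.microsoft.com/azure-cli:latest",
    "Results": [{
        "Target": "Python", "Class": "lang-pkgs", "Type": "python-pkg",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2024-39689", "PkgName": "certifi",
             "InstalledVersion": "2023.7.22", "FixedVersion": "2024.07.04",
             "Status": "fixed", "Severity": "LOW"},
            {"VulnerabilityID": "CVE-2024-6345", "PkgName": "setuptools",
             "InstalledVersion": "65.5.1", "FixedVersion": "70.0.0",
             "Status": "fixed", "Severity": "HIGH"},
        ],
    }],
}


def version_key(version):
    """Sort key for dotted versions; non-numeric segments sort as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def best_fixed_version(field):
    """Trivy can list several fixed versions ("1.2.3, 1.3.0"); take the highest."""
    candidates = [v.strip() for v in (field or "").split(",") if v.strip()]
    return max(candidates, key=version_key) if candidates else None


def findings(report):
    """Flatten Results[].Vulnerabilities[] into plain dicts."""
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            yield {
                "id": vuln["VulnerabilityID"],
                "pkg": vuln["PkgName"],
                "type": result.get("Type", ""),
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": best_fixed_version(vuln.get("FixedVersion")),
                "severity": vuln.get("Severity", "UNKNOWN").upper(),
            }


def gate(report, fail_on="HIGH", ignore_unfixed=False):
    """Findings that fail the build: severity >= fail_on, optionally only
    those with a fixed version (nothing can be pinned for the others yet)."""
    threshold = SEVERITY_RANK[fail_on.upper()]
    return [f for f in findings(report)
            if SEVERITY_RANK.get(f["severity"], 0) >= threshold
            and not (ignore_unfixed and f["fixed"] is None)]


def constraints(report):
    """One `pkg>=fixed` line per flagged Python package, nothing else.
    Several CVEs on one package collapse to the highest fix."""
    pins = {}
    for f in findings(report):
        if f["type"] != "python-pkg" or f["fixed"] is None:
            continue
        current = pins.get(f["pkg"])
        if current is None or version_key(f["fixed"]) > version_key(current):
            pins[f["pkg"]] = f["fixed"]
    return [f"{pkg}>={ver}" for pkg, ver in sorted(pins.items())]


def main(argv=None):
    parser = argparse.ArgumentParser(description="Gate a build on a Trivy JSON report")
    parser.add_argument("report", nargs="?", help="Trivy JSON file; omit to use the built-in sample")
    parser.add_argument("--fail-on", default="HIGH",
                        choices=sorted(SEVERITY_RANK, key=SEVERITY_RANK.get))
    parser.add_argument("--ignore-unfixed", action="store_true")
    parser.add_argument("--constraints", help="write pip constraints for flagged packages to this file")
    args = parser.parse_args(argv)
    if args.report:
        with open(args.report, encoding="utf-8") as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    blocking = gate(report, args.fail_on, args.ignore_unfixed)
    for f in blocking:
        print(f"{f['severity']:8} {f['id']:16} {f['pkg']} {f['installed']} -> {f['fixed'] or 'no fix yet'}")
    if args.constraints:
        with open(args.constraints, "w", encoding="utf-8") as fh:
            fh.write("\n".join(constraints(report)) + "\n")
    return 1 if blocking else 0


if __name__ == "__main__":
    sys.exit(main())
```

In a pipeline: `trivy image --format json -o report.json mcr.microsoft.com/azure-cli:latest && python3 trivy_gate.py report.json --fail-on HIGH --constraints security-pins.txt`. Trivy itself can already do the fail-the-build part with `--exit-code 1 --severity HIGH,CRITICAL --ignore-unfixed`; what this script adds is the constraints file, which you pass as `pip install -c security-pins.txt ...` so only the packages the scanner flagged move, instead of every outdated package at once.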
yonzhan (Collaborator) commented Jul 16, 2024

Thank you for opening this issue, we will look into it.

@yonzhan yonzhan added the Azure CLI Team The command of the issue is owned by Azure CLI team label Jul 17, 2024
@yonzhan yonzhan added this to the Backlog milestone Jul 17, 2024
bebound (Contributor) commented Jul 22, 2024

They are fixed in #29320 and #29433

@bebound bebound closed this as completed Jul 22, 2024