
Please publish updated image, mcr.microsoft.com/azure-cli:2.49.0 contains vulnerabilities #26695

Closed
obohaciak opened this issue Jun 16, 2023 · 6 comments
Labels: Azure CLI Team, customer-reported, feature-request

Comments

@obohaciak

Related command: No response

Resource Provider: N/A

Description of Feature or Work Requested

Hi azure-cli team,

We'd like to use mcr.microsoft.com/azure-cli:2.49.0 (sha256:a30f6eb2d5f8f6c69100bb4a91e7de465d784332dfd7206448185754b9e9fde2, published 05/23/2023) in our product; however, it contains known vulnerabilities.

Using the 2.49.0 tag would put us in violation of Microsoft Security policies, as some of these vulnerabilities are older than 30 days (the SLA defines 30 days as the period within which patches must be applied after vulnerability disclosure).


I'm listing them here:

  • cryptography 38.0.4 (pip)
  • requests 2.26.0 (pip)
  • openssl 3.1.0-r4 (apk)
  • binutils 2.40-r6 (apk)

I forked the azure-cli repo, made changes to the Dockerfile and published our own image to our ACR. Still, we'd like to consume the image from MCR, as that's the guidance we should follow.

Feel free to get in touch with me on further details.

Regards,
Ondrej

Minimum API Version Required: N/A

Swagger PR link / SDK link: N/A

Request Example: No response

Target Date: 2023-06-22

Additional context: No response

@ghost ghost added the customer-reported Issues that are reported by GitHub users external to the Azure organization. label Jun 16, 2023
@yonzhan (Collaborator) commented Jun 16, 2023

Thank you for opening this issue, we will look into it.

@austindonnelly

I also have this coming up as an S360 alert, with <30 days left to resolve.
The dependency tree from pipdeptree looks like this:

azure-cli-core==2.49.0
...
├── msal [required: ==1.20.0, installed: 1.20.0]
│   ├── cryptography [required: >=0.6,<41, installed: 40.0.1]
...

The problem comes from msal==1.20.0 requiring cryptography<41, because this forces older versions of the cryptography package, which include a vulnerable static copy of OpenSSL. This is detailed in GHSA-5cpq-8wj7-hf2v.

There's a new version msal==1.22.0 which fixes this dependency, so hopefully azure-cli-core can just update dependencies to use that version, and publish a new version of azure-cli-core to PyPI to fix this.
Please could you do this soon!

Thanks!
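
The check behind the comment above, as an added example that is not code from the azure-cli project or from any commenter: walk a `pipdeptree --json-tree` dump and report every edge "A requires B" whose version constraint excludes the first patched release of B. That is exactly the `msal -> cryptography <41` edge discussed here. The sample tree is constructed to mirror the fragment quoted in the comment; the patched cryptography version 41.0.0 is an assumption taken from the advisory the comment cites (GHSA-5cpq-8wj7-hf2v), and the requests edge and its constraint are invented for contrast.

```python
"""Find transitive pins that lock a vulnerable dependency in place.

Added example, not code from the azure-cli project. Input is the JSON that
`pipdeptree --json-tree` prints; the sample below is constructed. The fixed
version 41.0.0 for cryptography is an assumption based on the advisory cited
in the thread (GHSA-5cpq-8wj7-hf2v); the requests edge is invented.
"""
import json
import re

# Constructed sample shaped like `pipdeptree --json-tree` output.
SAMPLE_TREE = json.dumps([
    {
        "key": "azure-cli-core",
        "package_name": "azure-cli-core",
        "installed_version": "2.49.0",
        "required_version": None,
        "dependencies": [
            {
                "key": "msal",
                "package_name": "msal",
                "installed_version": "1.20.0",
                "required_version": "==1.20.0",
                "dependencies": [
                    {
                        "key": "cryptography",
                        "package_name": "cryptography",
                        "installed_version": "40.0.1",
                        "required_version": ">=0.6,<41",
                        "dependencies": [],
                    }
                ],
            },
            {
                "key": "requests",
                "package_name": "requests",
                "installed_version": "2.26.0",
                "required_version": ">=2.25.1",  # constructed, not the real pin
                "dependencies": [],
            },
        ],
    }
])

_OPS = {
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
}


def _vtuple(version, width=3):
    """Numeric release tuple, zero-padded so '41' == '41.0.0' (PEP 440 style).
    Pre-release and local suffixes are ignored; sufficient for pin checks."""
    parts = [int(x) for x in re.findall(r"\d+", version)][:width]
    return tuple(parts + [0] * (width - len(parts)))


def allows(spec, version):
    """True if the comma-separated specifier admits `version`.
    Supports ==, !=, >=, <=, >, < (what pipdeptree shows here); None or
    'Any' means unconstrained. Wildcards like ==1.* are rejected, not guessed."""
    if not spec or spec == "Any":
        return True
    v = _vtuple(version)
    for clause in spec.split(","):
        m = re.fullmatch(r"\s*(==|!=|>=|<=|>|<)\s*([\w.+!-]+)\s*", clause)
        if not m:
            raise ValueError(f"unsupported specifier clause: {clause!r}")
        op, target = m.groups()
        if not _OPS[op](v, _vtuple(target)):
            return False
    return True


def blocking_pins(tree_json, target, fixed_version):
    """Return (dependent, constraint, installed) for each edge that requires
    `target` with a constraint excluding `fixed_version`, depth-first."""
    found = []

    def walk(node):
        for dep in node.get("dependencies", []):
            spec = dep.get("required_version")
            if dep["key"] == target and not allows(spec, fixed_version):
                found.append((node["key"], spec, dep["installed_version"]))
            walk(dep)

    for root in json.loads(tree_json):
        walk(root)
    return found


if __name__ == "__main__":
    for dependent, spec, installed in blocking_pins(SAMPLE_TREE, "cryptography", "41.0.0"):
        print(f"{dependent} pins cryptography {spec!r}; installed {installed}, fix 41.0.0 excluded")
```

To run it against a real environment, install pipdeptree into a venv (or a container) that carries the same azure-cli release and feed `pipdeptree --json-tree` output to `blocking_pins` instead of the constructed sample; an empty result for the patched version means no transitive pin stands in the way of a simple upgrade.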

@yonzhan added the Azure CLI Team label (and added, then removed, the bug label) Jun 16, 2023
@yonzhan yonzhan added this to the Backlog milestone Jun 16, 2023
@bebound (Contributor) commented Jun 19, 2023

requests is bumped in #26571
openssl and binutils will be updated once there is a new version in the Alpine repo, in the next release.

The reason for using the old cryptography version is in #25690. We are working on the Windows 64-bit MSI package in #26640. Once it's finished, we'll bump it.


@austindonnelly msal is bumped in #26668.

@austindonnelly

Thanks - #26668 looks like a good fix to me.
What's the release plan? Presumably a new azure-cli release to PyPI? What sort of timeline are you looking at?

@bebound (Contributor) commented Jun 20, 2023

@austindonnelly Next release date is July 4th.

@bebound (Contributor) commented Jul 12, 2023

Closing, as #26671 is merged.

@bebound bebound closed this as completed Jul 12, 2023
5 participants