Azure / AzureML-Containers

Docker containers for running training scripts on AzureML
MIT License

Image openmpi4.1.0-ubuntu22.04 is being flagged for multiple vulnerabilities #203

Closed v4nfalen closed 1 month ago

v4nfalen commented 1 month ago

We are using openmpi4.1.0-ubuntu22.04 in an AzureML pipeline for training models; however, this image is getting flagged for the following vulnerabilities:

- Common Base Linux Mariner (CBL-Mariner) Security Update for Open Secure Sockets Layer (OpenSSL) (43309)
- Common Base Linux Mariner (CBL-Mariner) Security Update for curl (34061)
- Common Base Linux Mariner (CBL-Mariner) Security Update for curl (37077)
- Common Base Linux Mariner (CBL-Mariner) Security Update for curl (37078)
- Common Base Linux Mariner (CBL-Mariner) Security Update for curl (47049)
- Common Base Linux Mariner (CBL-Mariner) Security Update for expat (48372)
- Common Base Linux Mariner (CBL-Mariner) Security Update for expat (48454)
- Common Base Linux Mariner (CBL-Mariner) Security Update for expat (48466)
- Common Base Linux Mariner (CBL-Mariner) Security Update for libarchive (42383)
- Common Base Linux Mariner (CBL-Mariner) Security Update for mysql (33500)
- Common Base Linux Mariner (CBL-Mariner) Security Update for mysql (33501)
- Common Base Linux Mariner (CBL-Mariner) Security Update for mysql (33502)
- Common Base Linux Mariner (CBL-Mariner) Security Update for mysql (33503)
- Common Base Linux Mariner (CBL-Mariner) Security Update for mysql (33504)
- Common Base Linux Mariner (CBL-Mariner) Security Update for mysql (33505)
- Common Base Linux Mariner (CBL-Mariner) Security Update for mysql (33506)
- Common Base Linux Mariner (CBL-Mariner) Security Update for mysql (33508)
- Common Base Linux Mariner (CBL-Mariner) Security Update for mysql (33509)
- Common Base Linux Mariner (CBL-Mariner) Security Update for mysql (33510)
- Common Base Linux Mariner (CBL-Mariner) Security Update for openldap (27011)
- Common Base Linux Mariner (CBL-Mariner) Security Update for postgresql (47690)
- Common Base Linux Mariner (CBL-Mariner) Security Update for python3 (42796)
- Common Base Linux Mariner (CBL-Mariner) Security Update for python3 (47860)
- Common Base Linux Mariner (CBL-Mariner) Security Update for wget (42691)
- GO (Go) Security Update for github.com/go-jose/go-jose/v3 (GHSA-c5q2-7r4c-mv6g)
- GO (Go) Security Update for github.com/hashicorp/go-retryablehttp (GHSA-v6v8-xj6m-xwqh)
- GO (Go) Security Update for golang.org/x/crypto (GHSA-45x7-px36-x8w8)
- GO (Go) Security Update for golang.org/x/net (GHSA-2wrh-6pvc-2jm9)
- GO (Go) Security Update for golang.org/x/net (GHSA-4374-p667-p6c8)
- GO (Go) Security Update for golang.org/x/net (GHSA-qppj-fm5r-hxr3)
- GO (Go) Security Update for golang.org/x/net/http2 (GHSA-4v7x-pqxf-cx7m)
- Java (Maven) Security Update for com.fasterxml.jackson.core:jackson-databind (GHSA-jjjh-jjxp-wpff)
- Java (Maven) Security Update for com.fasterxml.jackson.core:jackson-databind (GHSA-rgv9-q543-rqg4)
- Java (Maven) Security Update for com.fasterxml.woodstox:woodstox-core (GHSA-3f7h-mf4q-vrm4)
- Java (Maven) Security Update for com.google.guava:guava (GHSA-7g45-4rm6-3mm3)
- Java (Maven) Security Update for com.google.protobuf:protobuf-java (GHSA-4gg5-vx3j-xwc7)
- Java (Maven) Security Update for com.google.protobuf:protobuf-java (GHSA-735f-pc8j-v9w8)
- Java (Maven) Security Update for com.google.protobuf:protobuf-java (GHSA-g5ww-5jh7-63cx)
- Java (Maven) Security Update for com.google.protobuf:protobuf-java (GHSA-h4h5-3hr4-j3g2)
- Java (Maven) Security Update for com.google.protobuf:protobuf-parent (GHSA-77rm-9x9h-xj3g)
- Java (Maven) Security Update for com.nimbusds:nimbus-jose-jwt (GHSA-gvpg-vgmx-xg6w)
- Java (Maven) Security Update for commons-net:commons-net (GHSA-cgp8-4m63-fhh5)
- Java (Maven) Security Update for dnsjava:dnsjava (GHSA-cfxw-4h78-h7fw)
- Java (Maven) Security Update for dnsjava:dnsjava (GHSA-crjg-w57m-rqqf)
- Java (Maven) Security Update for dnsjava:dnsjava (GHSA-mmwx-rj87-vfgr)
- Java (Maven) Security Update for io.netty:netty-codec-http2 (GHSA-xpw8-rcwv-8f8p)
- Java (Maven) Security Update for net.minidev:json-smart (GHSA-493p-pfq6-5258)
- Java (Maven) Security Update for org.apache.avro:avro (GHSA-rhrv-645h-fjfh)
- Java (Maven) Security Update for org.apache.commons:commons-compress (GHSA-4265-ccf5-phj5)
- Java (Maven) Security Update for org.apache.commons:commons-compress (GHSA-4g9r-vxhx-9pgx)
- Java (Maven) Security Update for org.apache.commons:commons-compress (GHSA-cgwf-w82q-5jrr)
- Java (Maven) Security Update for org.apache.commons:commons-configuration2 (GHSA-9w38-p64v-xpmv)
- Java (Maven) Security Update for org.apache.commons:commons-configuration2 (GHSA-xjp4-hw94-mvp5)
- Java (Maven) Security Update for org.apache.mesos:mesos (GHSA-95q3-pppp-r683)
- Java (Maven) Security Update for org.apache.zookeeper:zookeeper (GHSA-7286-pgfv-vxvh)
- Java (Maven) Security Update for org.apache.zookeeper:zookeeper (GHSA-r978-9m6m-6gm6)
- Java (Maven) Security Update for org.eclipse.jetty:jetty-http (GHSA-hmr7-m48g-48f6)
- Java (Maven) Security Update for org.eclipse.jetty:jetty-xml (GHSA-58qw-p7qm-5rvh)
- Java (maven) Security Update for com.google.guava:guava (GHSA-mvr2-9pj6-7w5j)
- Java (maven) Security Update for com.google.protobuf:protobuf-kotlin (GHSA-wrvw-hg22-4m67)
- Java (maven) Security Update for net.minidev:json-smart (GHSA-fg2v-w576-w4v3)
- Oracle MySQL JAN 2024 Critical Patch Update (CPUJAN2024)
- Python (Pip) Security Update for @azure/identity (GHSA-m5vv-6r4h-3vj9)
- Python (Pip) Security Update for Pillow (GHSA-3f63-hfp8-52jq)
- Python (Pip) Security Update for Pillow (GHSA-j7hp-h8jx-5ppr)
- Python (Pip) Security Update for apache-superset (GHSA-299q-3p96-5898)
- Python (Pip) Security Update for apache-superset (GHSA-2q6j-vpvr-6pvj)
- Python (Pip) Security Update for apache-superset (GHSA-3hp7-4qq4-v5c6)
- Python (Pip) Security Update for apache-superset (GHSA-3v9r-885j-762g)
- Python (Pip) Security Update for apache-superset (GHSA-5474-f7g5-273q)
- Python (Pip) Security Update for apache-superset (GHSA-5cx2-vq3h-x52c)
- Python (Pip) Security Update for apache-superset (GHSA-95mg-jgfx-54v9)
- Python (Pip) Security Update for apache-superset (GHSA-cj7g-h7rf-h8j9)
- Python (Pip) Security Update for apache-superset (GHSA-f678-j579-4xf5)
- Python (Pip) Security Update for apache-superset (GHSA-fgpw-4w69-j256)
- Python (Pip) Security Update for apache-superset (GHSA-fxjg-28fm-pfxh)
- Python (Pip) Security Update for apache-superset (GHSA-g49j-j489-3xpf)
- Python (Pip) Security Update for apache-superset (GHSA-h7r6-8qmm-hj5r)
- Python (Pip) Security Update for apache-superset (GHSA-hc74-9vjm-c9xv)
- Python (Pip) Security Update for apache-superset (GHSA-hcr7-cqwc-q5gq)
- Python (Pip) Security Update for apache-superset (GHSA-jfxj-xf67-x723)
- Python (Pip) Security Update for apache-superset (GHSA-m6jm-3v38-76j4)
- Python (Pip) Security Update for apache-superset (GHSA-rwhh-6x83-84v6)
- Python (Pip) Security Update for apache-superset (GHSA-vv65-fjfj-4736)
- Python (Pip) Security Update for apache-superset (GHSA-wq8q-99p5-xfrw)
- Python (Pip) Security Update for apache-superset (GHSA-wr6g-9wcr-cmqj)
- Python (Pip) Security Update for certifi (GHSA-248v-346w-9cwc)
- Python (Pip) Security Update for cryptography (GHSA-h4gh-qq45-vh27)
- Python (Pip) Security Update for urllib3 (GHSA-34jh-p97f-mpxf)
- Python (Pip) Security Update for zipp (GHSA-jfmj-5v4g-7637)
- Python (pip) Security Update for apache-superset (GHSA-42q4-9xf9-f67x)
- Python (pip) Security Update for apache-superset (GHSA-5fp8-c45m-256p)
- Python (pip) Security Update for apache-superset (GHSA-748r-5r8q-273m)
- Python (pip) Security Update for apache-superset (GHSA-77pw-c3j2-5fc8)
- Python (pip) Security Update for apache-superset (GHSA-9c29-9h4m-wg5p)
- Python (pip) Security Update for apache-superset (GHSA-hhm3-48h2-597v)
- Python (pip) Security Update for apache-superset (GHSA-p5w7-qmq6-pmjr)
- Python (pip) Security Update for apache-superset (GHSA-pg8m-4p8j-2p56)
- Python (pip) Security Update for apache-superset (GHSA-w358-rj93-r5qv)
- Python (pip) Security Update for apache-superset (GHSA-wh73-hpcg-v32j)
- Python (pip) Security Update for superset (GHSA-pfwg-rxf4-97c3)
- Ubuntu Security Notification for Expat Vulnerabilities (USN-7000-1)
- Ubuntu Security Notification for Kerberos Vulnerabilities (USN-6947-1)
- Ubuntu Security Notification for Open Secure Sockets Layer (OpenSSL) Vulnerabilities (USN-6937-1)
- Ubuntu Security Notification for Python Vulnerabilities (USN-6891-1)
- Ubuntu Security Notification for Python Vulnerabilities (USN-6928-1)
- Ubuntu Security Notification for Python Vulnerabilities (USN-7015-1)
- Ubuntu Security Notification for curl Vulnerability (USN-6944-1)
- Ubuntu Security Notification for curl Vulnerability (USN-7012-1)
- Ubuntu Security Notification for nginx Vulnerability (USN-7014-1)

What are the plans with regard to fixing these for this image?

Thanks in advance for the help!!

vizhur commented 1 month ago

Our images are patched regularly; the promised SLA is 30 days, but most of the time it is within a week. There are no patchable vulnerabilities in AzureML base images, nor most of the libraries mentioned above.