Azure / azure-cli

Azure Command-Line Interface
MIT License

Please publish updated image, mcr.microsoft.com/azure-cli:2.49.0 contains vulnerabilities #26695

Closed obohaciak closed 1 year ago

obohaciak commented 1 year ago

Related command

No response

Resource Provider

N/A

Description of Feature or Work Requested

Hi azure-cli team,

We'd like to use mcr.microsoft.com/azure-cli:2.49.0 (sha256:a30f6eb2d5f8f6c69100bb4a91e7de465d784332dfd7206448185754b9e9fde2, published 05/23/2023) in our product, however it contains known vulnerabilities.

Using the 2.49.0 tag would put us in violation of Microsoft Security policies, as some of these vulnerabilities are older than 30 days (the SLA defines 30 days as the period within which patches need to be applied after vulnerability disclosure).


I'm listing them here:

I forked azure-cli repo, made changes to Dockerfile and published our own image to our ACR. Still, we'd like to consume the image from MCR as that's the guidance we should follow.

Feel free to get in touch with me on further details.

Regards, Ondrej

Minimum API Version Required

N/A

Swagger PR link / SDK link

N/A

Request Example

No response

Target Date

2023-06-22

Additional context

No response

yonzhan commented 1 year ago

Thank you for opening this issue, we will look into it.

austindonnelly commented 1 year ago

I also have this coming up as an S360 alert, with <30 days left to resolve. The dependency tree from pipdeptree looks like this:

azure-cli-core==2.49.0
...
├── msal [required: ==1.20.0, installed: 1.20.0]
│   ├── cryptography [required: >=0.6,<41, installed: 40.0.1]
...

The problem comes from msal==1.20.0 requiring cryptography<41, because this forces older versions of the cryptography package, which include a vulnerable static copy of OpenSSL. This is detailed in https://github.com/advisories/GHSA-5cpq-8wj7-hf2v

There's a new version msal==1.22.0 which fixes this dependency, so hopefully azure-cli-core can just update dependencies to use that version, and publish a new version of azure-cli-core to PyPI to fix this. Please could you do this soon!

Thanks!
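
As an added example for this thread (not code from the azure-cli project or from any of the commenters): a small Python script that parses pipdeptree text output of the shape quoted above and flags every dependency edge whose version specifier rules out the release that carries a fix. The sample tree is constructed for the example (only the msal / cryptography lines mirror the issue), and MIN_FIXED is a hypothetical policy table mapping a package to the first release you need installed.

```python
"""Flag dependency pins in a pipdeptree dump that rule out a patched release.

Added example; not code from the azure-cli project or the issue commenters.
SAMPLE_TREE is constructed to look like pipdeptree output (only the msal and
cryptography lines mirror the issue). MIN_FIXED is a hypothetical policy table:
package name -> first release that carries the fix you need installed.
"""
import re
from typing import Dict, List, Tuple

SAMPLE_TREE = """\
azure-cli-core==2.49.0
├── msal [required: ==1.20.0, installed: 1.20.0]
│   ├── cryptography [required: >=0.6,<41, installed: 40.0.1]
│   └── requests [required: >=2.0.0,<3, installed: 2.31.0]
└── cryptography [required: >=3.2, installed: 40.0.1]
"""

MIN_FIXED = {"cryptography": "41.0.0"}  # constructed example value, not a policy statement

# Leading tree-drawing characters, then the rest of the line.
PREFIX_RE = re.compile(r"^(?P<prefix>[\s│├└─]*)(?P<rest>.*)$")
# "name [required: <spec>, installed: <version>]" as printed by pipdeptree.
DEP_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.\-\[\]]+) \[required: (?P<req>.*?), installed: (?P<inst>[^\]]+)\]$"
)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Reduce a version string to a three-part numeric tuple ('41' -> (41, 0, 0)).
    Good enough for the X.Y.Z releases seen here; not a full PEP 440 parser."""
    parts = [int(p) for p in re.findall(r"\d+", text)][:3]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


OPS = {
    "==": lambda v, b: v == b,
    "!=": lambda v, b: v != b,
    ">=": lambda v, b: v >= b,
    "<=": lambda v, b: v <= b,
    ">": lambda v, b: v > b,
    "<": lambda v, b: v < b,
    "~=": lambda v, b: v >= b,  # approximation: treat compatible-release as a lower bound
}


def satisfies(version: Tuple[int, int, int], spec: str) -> bool:
    """True if `version` is allowed by a comma-separated specifier such as '>=0.6,<41'.
    pipdeptree prints 'Any' when a requirement carries no constraint."""
    spec = spec.strip()
    if spec in ("", "Any"):
        return True
    for clause in spec.split(","):
        m = re.match(r"(==|!=|>=|<=|~=|>|<)\s*(.+)$", clause.strip())
        if not m:
            raise ValueError(f"unsupported specifier clause: {clause!r}")
        op, bound = m.groups()
        if not OPS[op](version, parse_version(bound)):
            return False
    return True


def find_blocking_pins(tree_text: str, min_fixed: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """Walk the tree and return (parent, dependency, specifier, installed) for every
    edge whose specifier excludes the fixed release listed in `min_fixed`."""
    findings: List[Tuple[str, str, str, str]] = []
    path: List[str] = []  # package names from the root down to the current line
    for line in tree_text.splitlines():
        if not line.strip() or line.strip().startswith("..."):
            continue  # skip blank lines and pipdeptree's elided '...' markers
        m = PREFIX_RE.match(line)
        prefix, rest = m.group("prefix"), m.group("rest")
        depth = len(prefix) // 4  # each nesting level is a 4-character block
        dep = DEP_RE.match(rest)
        # Root lines look like "azure-cli-core==2.49.0"; child lines match DEP_RE.
        name = dep.group("name") if dep else rest.split("==")[0].strip()
        path = path[:depth] + [name]
        if dep is None or name not in min_fixed:
            continue
        parent = path[depth - 1] if depth > 0 else "<root>"
        spec, installed = dep.group("req"), dep.group("inst")
        if not satisfies(parse_version(min_fixed[name]), spec):
            findings.append((parent, name, spec, installed))
    return findings


if __name__ == "__main__":
    for parent, name, spec, installed in find_blocking_pins(SAMPLE_TREE, MIN_FIXED):
        print(f"{parent} pins {name} to '{spec}' (installed {installed}); "
              f"fix needs >= {MIN_FIXED[name]}, so this pin blocks the upgrade")
```

Run against a real dump (`pipdeptree > tree.txt`, then feed the file contents to `find_blocking_pins`) and the output names the package whose pin has to be relaxed before the patched release can be installed, which is the information the thread had to work out by hand.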

bebound commented 1 year ago

requests is bumped in https://github.com/Azure/azure-cli/pull/26571. openssl and binutils will be updated once there is a new version in the Alpine repo in the next release.

The reason for using the old version of cryptography is in https://github.com/Azure/azure-cli/pull/25690. We are working on the Windows 64-bit MSI package in #26640. Once it's finished, we'll bump it.

@austindonnelly msal is bumped in https://github.com/Azure/azure-cli/pull/26668.

austindonnelly commented 1 year ago

Thanks - #26668 looks like a good fix to me. What's the release plan? Presumably a new azure-cli release to PyPI? What sort of timeline are you looking at?

bebound commented 1 year ago

@austindonnelly Next release date is July 4th.

bebound commented 1 year ago

Closing as https://github.com/Azure/azure-cli/pull/26671 is merged.