ADAL package, which is EOL, included in latest az-cli

[virtualjack]

Describe the bug

On Linux find /usr -name "*adal" yields /usr/lib64/az/lib/python3.9/site-packages/adal (NOTE: This package is installed by the az-cli package install)

On Windows, the find command returned the package at ./Program Files/Microsoft SDKs/Azure/CLI2/Lib/site-packages/adal

Related command

az version

Errors

End-of-Life (EOL) Software Installed Control Edit

ServiceNow Create a Ticket Run an Action Export All Issues Create Automation Give Feedback

This resource is running a version of the software that is end-of-life (EOL) which usually means that it is no longer patched for security vulnerabilities. It should be updated to a supported version, deleted, or have an approved security exception on file.

Severity Medium Scope

Risks

Related Frameworks

Generates Issues Yes Tags Status Enabled Created Feb 5, 2024, 9:40 AM Last Evaluated Jun 28, 2024, 4:11 AM

Issue script & Debug output

$ az --debug cli.knack.cli: Command arguments: ['--debug'] cli.knack.cli: init debug log: Enable color in terminal. Enable VT mode. cli.knack.cli: Event: Cli.PreExecute [] cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_argument s at 0x000001E2B107B880>, <function OutputProducer.on_global_arguments at 0x000001E2B120A0C0>, <func tion CLIQuery.on_global_arguments at 0x000001E2B1237C40>] cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate [] cli.azure.cli.core: No module found from index for '['--debug']' cli.azure.cli.core: Loading all modules and extensions cli.azure.cli.core: Discovered command modules: ['acr', 'acs', 'advisor', 'ams', 'apim', 'appconfig' , 'appservice', 'aro', 'backup', 'batch', 'batchai', 'billing', 'botservice', 'cdn', 'cloud', 'cogni tiveservices', 'compute_recommender', 'config', 'configure', 'consumption', 'container', 'containera pp', 'cosmosdb', 'databoxedge', 'dla', 'dls', 'dms', 'eventgrid', 'eventhubs', 'extension', 'feedbac k', 'find', 'hdinsight', 'identity', 'interactive', 'iot', 'keyvault', 'kusto', 'lab', 'managedservi ces', 'maps', 'marketplaceordering', 'monitor', 'mysql', 'netappfiles', 'network', 'policyinsights', 'privatedns', 'profile', 'rdbms', 'redis', 'relay', 'resource', 'role', 'search', 'security', 'serv icebus', 'serviceconnector', 'servicefabric', 'signalr', 'sql', 'sqlvm', 'storage', 'synapse', 'util ', 'vm'] cli.azure.cli.core: Loading command modules: cli.azure.cli.core: Name Load Time Groups Commands cli.azure.cli.core: acr 0.224 36 149 cli.azure.cli.core: acs 0.046 14 76 cli.azure.cli.core: advisor 0.003 3 6 cli.azure.cli.core: ams 0.005 22 100 cli.azure.cli.core: apim 0.008 14 69 cli.azure.cli.core: appconfig 0.004 9 47 cli.azure.cli.core: appservice 0.109 79 270 cli.azure.cli.core: aro 0.022 1 10 cli.azure.cli.core: backup 0.005 16 60 cli.azure.cli.core: batch 0.031 34 102 cli.azure.cli.core: batchai 0.004 10 30 cli.azure.cli.core: billing 0.020 19 53 cli.azure.cli.core: botservice 0.004 12 42 cli.azure.cli.core: cdn 0.155 8 49 cli.azure.cli.core: cloud 0.003 1 7 cli.azure.cli.core: cognitiveservices 0.003 10 33 cli.azure.cli.core: compute_recommender 0.006 1 1 cli.azure.cli.core: config 0.002 2 7 cli.azure.cli.core: configure 0.002 2 5 cli.azure.cli.core: consumption 0.026 8 9 cli.azure.cli.core: container 0.016 1 11 cli.azure.cli.core: containerapp 0.176 36 115 cli.azure.cli.core: cosmosdb 0.017 58 199 cli.azure.cli.core: databoxedge 0.013 5 28 cli.azure.cli.core: dla 0.004 23 62 cli.azure.cli.core: dls 0.004 7 41 cli.azure.cli.core: dms 0.003 3 22 cli.azure.cli.core: eventgrid 0.005 25 96 cli.azure.cli.core: eventhubs 0.018 13 19 cli.azure.cli.core: extension 0.002 1 7 cli.azure.cli.core: feedback 0.001 1 2 cli.azure.cli.core: find 0.002 1 1 cli.azure.cli.core: hdinsight 0.010 8 39 cli.azure.cli.core: identity 0.003 2 11 cli.azure.cli.core: interactive 0.001 1 1 cli.azure.cli.core: iot 0.160 19 82 cli.azure.cli.core: keyvault 0.008 20 113 cli.azure.cli.core: kusto 0.003 3 14 cli.azure.cli.core: lab 0.004 11 34 cli.azure.cli.core: managedservices 0.002 3 8 cli.azure.cli.core: maps 0.002 5 13 cli.azure.cli.core: marketplaceordering 0.006 1 2 cli.azure.cli.core: monitor 0.377 18 61 cli.azure.cli.core: mysql 0.153 15 51 cli.azure.cli.core: netappfiles 0.076 8 17 cli.azure.cli.core: network 0.081 103 338 cli.azure.cli.core: policyinsights 0.026 9 17 cli.azure.cli.core: privatedns 0.037 14 60 cli.azure.cli.core: profile 0.003 2 8 cli.azure.cli.core: rdbms 0.031 49 202 cli.azure.cli.core: redis 0.004 7 38 cli.azure.cli.core: relay 0.047 7 8 cli.azure.cli.core: resource 0.017 51 231 cli.azure.cli.core: role 0.003 17 61 cli.azure.cli.core: search 0.016 7 19 cli.azure.cli.core: security 0.019 48 98 cli.azure.cli.core: servicebus 0.018 12 15 cli.azure.cli.core: serviceconnector 0.024 20 307 cli.azure.cli.core: servicefabric 0.025 27 80 cli.azure.cli.core: signalr 0.004 9 34 cli.azure.cli.core: sql 0.020 56 215 cli.azure.cli.core: sqlvm 0.083 4 20 cli.azure.cli.core: storage 0.047 59 273 cli.azure.cli.core: synapse 0.015 54 246 cli.azure.cli.core: util 0.003 3 7 cli.azure.cli.core: vm 0.054 58 269 cli.azure.cli.core: Total (66) 2.326 1205 4720 cli.azure.cli.core: Loaded 1191 groups, 4720 commands. cli.azure.cli.core: Updated command index in 0.004 seconds. cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.initcommand file_logging at 0x000001E2B40AE340>] cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to 'C:\Users\jstewart1.a zure\commands\2024-06-28.14-02-31.unknown_command.5500.log'. az_command_data_logger: command args: --debug cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argum ent..add_subscription_parameter at 0x000001E2B40DEA20>] cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad [] cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument.<loca ls>.add_ids_arguments at 0x000001E2B413C7C0>, <function register_cache_arguments..addcache arguments at 0x000001E2B413C900>] cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []

Welcome to Azure CLI!

Use az -h to see available commands or go to https://aka.ms/cli.

Telemetry

The Azure CLI collects usage data in order to improve your experience. The data is anonymous and does not include commandline argument values. The data is collected by Microsoft.

You can change your telemetry settings with az configure.

 /\
/  \    _____   _ _  ___ _

/ /\ \ |_ / | | | \'/ \ / ____ \ / /| || | | | / // \\/|_,|| _|

Welcome to the cool new Azure CLI!

Use az --version to display the current version. Here are the base commands:

account             : Manage Azure subscription information.
acr                 : Manage private registries with Azure Container Registries.
ad                  : Manage Microsoft Entra ID (formerly known as Azure Active Directory, Azure
                     AD, AAD) entities needed for Azure role-based access control (Azure RBAC)
                     through Microsoft Graph API.
advisor             : Manage Azure Advisor.
afd                 : Manage Azure Front Door Standard/Premium.
aks                 : Manage Azure Kubernetes Services.
ams                 : Manage Azure Media Services resources.
apim                : Manage Azure API Management services.
appconfig           : Manage App Configurations.
appservice          : Manage App Service plans.
aro                 : Manage Azure Red Hat OpenShift clusters.
backup              : Manage Azure Backups.
batch               : Manage Azure Batch.
bicep               : Bicep CLI command group.
billing             : Manage Azure Billing.
bot                 : Manage Microsoft Azure Bot Service.
cache               : Commands to manage CLI objects cached using the `--defer` argument.
capacity            : Manage capacity.
cdn                 : Manage Azure Content Delivery Networks (CDNs).
cloud               : Manage registered Azure clouds.
cognitiveservices   : Manage Azure Cognitive Services accounts.
compute-recommender : Manage sku/zone/region recommender info for compute resources.
config              : Manage Azure CLI configuration.
configure           : Manage Azure CLI configuration. This command is interactive.
connection          : Commands to manage Service Connector local connections which allow local
                     environment to connect Azure Resource. If you want to manage connection for
                     compute service, please run 'az webapp/containerapp/spring connection'.
consumption         : Manage consumption of Azure resources.
container           : Manage Azure Container Instances.
containerapp        : Manage Azure Container Apps.
cosmosdb            : Manage Azure Cosmos DB database accounts.
databoxedge         : Manage device with databoxedge.
deployment          : Manage Azure Resource Manager template deployment at subscription scope.
deployment-scripts  : Manage deployment scripts at subscription or resource group scope.
disk                : Manage Azure Managed Disks.
disk-access         : Manage disk access resources.
disk-encryption-set : Disk Encryption Set resource.
dla                 : Manage Data Lake Analytics accounts, jobs, and catalogs.
dls                 : Manage Data Lake Store accounts and filesystems.
dms                 : Manage Azure Data Migration Service (classic) instances.
eventgrid           : Manage Azure Event Grid topics, domains, domain topics, system topics
                     partner topics, event subscriptions, system topic event subscriptions and
                     partner topic event subscriptions.
eventhubs           : Eventhubs.
extension           : Manage and update CLI extensions.
feature             : Manage resource provider features.
feedback            : Send feedback to the Azure CLI Team.
find                : I'm an AI robot, my advice is based on our Azure documentation as well as
                     the usage patterns of Azure CLI and Azure ARM users. Using me improves
                     Azure products and documentation.
functionapp         : Manage function apps. To install the Azure Functions Core tools see
                     https://github.com/Azure/azure-functions-core-tools.
group               : Manage resource groups and template deployments.
hdinsight           : Manage HDInsight resources.
identity            : Managed Identities.
image               : Manage custom virtual machine images.
interactive         : Start interactive mode. Installs the Interactive extension if not
                     installed already.
iot                 : Manage Internet of Things (IoT) assets.
keyvault            : Manage KeyVault keys, secrets, and certificates.
kusto               : Manage Azure Kusto resources.
lab                 : Manage Azure DevTest Labs.
lock                : Manage Azure locks.
logicapp            : Manage logic apps.
login               : Log in to Azure.
logout              : Log out to remove access to Azure subscriptions.
managed-cassandra   : Azure Managed Cassandra.
managedapp          : Manage template solutions provided and maintained by Independent Software
                     Vendors (ISVs).
managedservices     : Manage the registration assignments and definitions in Azure.
maps                : Manage Azure Maps.
mariadb             : Manage Azure Database for MariaDB servers.
monitor             : Manage the Azure Monitor Service.
mysql               : Manage Azure Database for MySQL servers.
netappfiles         : Manage Azure NetApp Files (ANF) Resources.
network             : Manage Azure Network resources.
policy              : Manage resource policies.
postgres            : Manage Azure Database for PostgreSQL servers.
ppg                 : Manage Proximity Placement Groups.
private-link        : Private-link association CLI command group.
provider            : Manage resource providers.
redis               : Manage dedicated Redis caches for your Azure applications.
relay               : Manage Azure Relay Service namespaces, WCF relays, hybrid connections, and
                     rules.
resource            : Manage Azure resources.
resourcemanagement  : Resourcemanagement CLI command group.
rest                : Invoke a custom request.
restore-point       : Manage restore point with res.
role                : Manage Azure role-based access control (Azure RBAC).
search              : Manage Azure Search services, admin keys and query keys.
security            : Manage your security posture with Microsoft Defender for Cloud.
servicebus          : Servicebus.
sf                  : Manage and administer Azure Service Fabric clusters.
sig                 : Manage shared image gallery.
signalr             : Manage Azure SignalR Service.
snapshot            : Manage point-in-time copies of managed disks, native blobs, or other
                     snapshots.
sql                 : Manage Azure SQL Databases and Data Warehouses.
sshkey              : Manage ssh public key with vm.
stack               : A deployment stack is a native Azure resource type that enables you to
                     perform operations on a resource collection as an atomic unit.
staticwebapp        : Manage static apps.
storage             : Manage Azure Cloud Storage resources.
survey              : Take Azure CLI survey.
synapse             : Manage and operate Synapse Workspace, Spark Pool, SQL Pool.
tag                 : Tag Management on a resource.
term                : Manage marketplace agreement with marketplaceordering.
ts                  : Manage template specs at subscription or resource group scope.
upgrade             : Upgrade Azure CLI and extensions.
version             : Show the versions of Azure CLI modules and extensions in JSON format by
                     default or format configured by --output.
vm                  : Manage Linux or Windows virtual machines.
vmss                : Manage groupings of virtual machines in an Azure Virtual Machine Scale Set
                     (VMSS).
webapp              : Manage web apps.

cli.knack.cli: Event: Cli.SuccessfulExecute [] cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x00000 1E2B40AE5C0>] az_command_data_logger: exit code: 0 cli.main: Command ran in 3.002 seconds (init: 0.526, invoke: 2.476) telemetry.main: Begin splitting cli events and extra events, total events: 1 telemetry.client: Accumulated 0 events. Flush the clients. telemetry.main: Finish splitting cli events and extra events, cli events: 1 telemetry.save: Save telemetry record of length 3495 in cache telemetry.main: Begin creating telemetry upload process. telemetry.process: Creating upload process: "C:\Program Files\Microsoft SDKs\Azure\CLI2\python.exe C :\Program Files\Microsoft SDKs\Azure\CLI2\Lib\site-packages\azure\cli\telemetry__init__.pyc C:\User s\jstewart1.azure" telemetry.process: Return from creating process telemetry.main: Finish creating telemetry upload process.

Expected behavior

ADAL package should not be isntalled

Environment Summary

$ az version { "azure-cli": "2.61.0", "azure-cli-core": "2.61.0", "azure-cli-telemetry": "1.1.0", "extensions": {} }

Additional context

Having an EOL package installed with the distribution introduces vulnerabilities into the environment as that package can still be referenced. This package has been EOL since December 2022

Please remove the EOL package. If, for some reason, you feel that you need to make this library available I would recommend that you put it in a separate package (e.g. az-cli-deprecated )

[yonzhan]

Thank you for opening this issue, we will look into it.

[microsoft-github-policy-service[bot]]

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @AzureAppServiceCLI, @antcp.

[ADBjester]

I note that MSAL has been used since CLI v2.30.0:

https://learn.microsoft.com/en-us/cli/azure/release-notes-azure-cli#november-02-2021

Since ADAL hasn't been used for authentication in the CLI since 2021, it seems safe to remove the python ADAL package entirely.

[microsoft-github-policy-service[bot]]

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @adamedx.

[microsoft-github-policy-service[bot]]

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @AzureAppServiceCLI, @antcp.

[jiasli]

There was an attempt https://github.com/Azure/azure-cli/pull/28105 to migrate AD Graph to Microsoft Graph for service-owned modules, but that PR was suspended due to other high priority tasks.

[virtualjack]

Does the fact that Microsoft is installing a vulnerable library change the priority?