Open virtualjack opened 1 week ago
Thank you for opening this issue, we will look into it.
Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @AzureAppServiceCLI, @antcp.
I note that MSAL has been used since CLI v2.30.0:
https://learn.microsoft.com/en-us/cli/azure/release-notes-azure-cli#november-02-2021
Since ADAL hasn't been used for authentication in the CLI since 2021, it seems safe to remove the python ADAL package entirely.
Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @adamedx.
There was an attempt https://github.com/Azure/azure-cli/pull/28105 to migrate AD Graph to Microsoft Graph for service-owned modules, but that PR was suspended due to other high priority tasks.
Does the fact that Microsoft is installing a vulnerable library change the priority?
Describe the bug
On Linux find /usr -name "*adal" yields /usr/lib64/az/lib/python3.9/site-packages/adal (NOTE: This package is installed by the az-cli package install)
On Windows, the find command returned the package at ./Program Files/Microsoft SDKs/Azure/CLI2/Lib/site-packages/adal
Related command
az version
Errors
Control: End-of-Life (EOL) Software Installed
This resource is running a version of the software that is end-of-life (EOL) which usually means that it is no longer patched for security vulnerabilities. It should be updated to a supported version, deleted, or have an approved security exception on file.
Severity: Medium
Generates Issues: Yes
Status: Enabled
Created: Feb 5, 2024, 9:40 AM
Last Evaluated: Jun 28, 2024, 4:11 AM
Issue script & Debug output
$ az --debug
cli.knack.cli: Command arguments: ['--debug']
cli.knack.cli: init debug log:
Enable color in terminal.
Enable VT mode.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x000001E2B107B880>, <function OutputProducer.on_global_arguments at 0x000001E2B120A0C0>, <function CLIQuery.on_global_arguments at 0x000001E2B1237C40>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: No module found from index for '['--debug']'
cli.azure.cli.core: Loading all modules and extensions
cli.azure.cli.core: Discovered command modules: ['acr', 'acs', 'advisor', 'ams', 'apim', 'appconfig', 'appservice', 'aro', 'backup', 'batch', 'batchai', 'billing', 'botservice', 'cdn', 'cloud', 'cognitiveservices', 'compute_recommender', 'config', 'configure', 'consumption', 'container', 'containerapp', 'cosmosdb', 'databoxedge', 'dla', 'dls', 'dms', 'eventgrid', 'eventhubs', 'extension', 'feedback', 'find', 'hdinsight', 'identity', 'interactive', 'iot', 'keyvault', 'kusto', 'lab', 'managedservices', 'maps', 'marketplaceordering', 'monitor', 'mysql', 'netappfiles', 'network', 'policyinsights', 'privatedns', 'profile', 'rdbms', 'redis', 'relay', 'resource', 'role', 'search', 'security', 'servicebus', 'serviceconnector', 'servicefabric', 'signalr', 'sql', 'sqlvm', 'storage', 'synapse', 'util', 'vm']
cli.azure.cli.core: Loading command modules:
cli.azure.cli.core: Name  Load Time  Groups  Commands
cli.azure.cli.core: acr 0.224 36 149
cli.azure.cli.core: acs 0.046 14 76
cli.azure.cli.core: advisor 0.003 3 6
cli.azure.cli.core: ams 0.005 22 100
cli.azure.cli.core: apim 0.008 14 69
cli.azure.cli.core: appconfig 0.004 9 47
cli.azure.cli.core: appservice 0.109 79 270
cli.azure.cli.core: aro 0.022 1 10
cli.azure.cli.core: backup 0.005 16 60
cli.azure.cli.core: batch 0.031 34 102
cli.azure.cli.core: batchai 0.004 10 30
cli.azure.cli.core: billing 0.020 19 53
cli.azure.cli.core: botservice 0.004 12 42
cli.azure.cli.core: cdn 0.155 8 49
cli.azure.cli.core: cloud 0.003 1 7
cli.azure.cli.core: cognitiveservices 0.003 10 33
cli.azure.cli.core: compute_recommender 0.006 1 1
cli.azure.cli.core: config 0.002 2 7
cli.azure.cli.core: configure 0.002 2 5
cli.azure.cli.core: consumption 0.026 8 9
cli.azure.cli.core: container 0.016 1 11
cli.azure.cli.core: containerapp 0.176 36 115
cli.azure.cli.core: cosmosdb 0.017 58 199
cli.azure.cli.core: databoxedge 0.013 5 28
cli.azure.cli.core: dla 0.004 23 62
cli.azure.cli.core: dls 0.004 7 41
cli.azure.cli.core: dms 0.003 3 22
cli.azure.cli.core: eventgrid 0.005 25 96
cli.azure.cli.core: eventhubs 0.018 13 19
cli.azure.cli.core: extension 0.002 1 7
cli.azure.cli.core: feedback 0.001 1 2
cli.azure.cli.core: find 0.002 1 1
cli.azure.cli.core: hdinsight 0.010 8 39
cli.azure.cli.core: identity 0.003 2 11
cli.azure.cli.core: interactive 0.001 1 1
cli.azure.cli.core: iot 0.160 19 82
cli.azure.cli.core: keyvault 0.008 20 113
cli.azure.cli.core: kusto 0.003 3 14
cli.azure.cli.core: lab 0.004 11 34
cli.azure.cli.core: managedservices 0.002 3 8
cli.azure.cli.core: maps 0.002 5 13
cli.azure.cli.core: marketplaceordering 0.006 1 2
cli.azure.cli.core: monitor 0.377 18 61
cli.azure.cli.core: mysql 0.153 15 51
cli.azure.cli.core: netappfiles 0.076 8 17
cli.azure.cli.core: network 0.081 103 338
cli.azure.cli.core: policyinsights 0.026 9 17
cli.azure.cli.core: privatedns 0.037 14 60
cli.azure.cli.core: profile 0.003 2 8
cli.azure.cli.core: rdbms 0.031 49 202
cli.azure.cli.core: redis 0.004 7 38
cli.azure.cli.core: relay 0.047 7 8
cli.azure.cli.core: resource 0.017 51 231
cli.azure.cli.core: role 0.003 17 61
cli.azure.cli.core: search 0.016 7 19
cli.azure.cli.core: security 0.019 48 98
cli.azure.cli.core: servicebus 0.018 12 15
cli.azure.cli.core: serviceconnector 0.024 20 307
cli.azure.cli.core: servicefabric 0.025 27 80
cli.azure.cli.core: signalr 0.004 9 34
cli.azure.cli.core: sql 0.020 56 215
cli.azure.cli.core: sqlvm 0.083 4 20
cli.azure.cli.core: storage 0.047 59 273
cli.azure.cli.core: synapse 0.015 54 246
cli.azure.cli.core: util 0.003 3 7
cli.azure.cli.core: vm 0.054 58 269
cli.azure.cli.core: Total (66) 2.326 1205 4720
cli.azure.cli.core: Loaded 1191 groups, 4720 commands.
cli.azure.cli.core: Updated command index in 0.004 seconds.
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x000001E2B40AE340>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to 'C:\Users\jstewart1\.azure\commands\2024-06-28.14-02-31.unknown_command.5500.log'.
az_command_data_logger: command args: --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument.<locals>.add_subscription_parameter at 0x000001E2B40DEA20>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument.<locals>.add_ids_arguments at 0x000001E2B413C7C0>, <function register_cache_arguments.<locals>.add_cache_arguments at 0x000001E2B413C900>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
Welcome to Azure CLI!
Use
az -h
to see available commands or go to https://aka.ms/cli.
Telemetry
The Azure CLI collects usage data in order to improve your experience. The data is anonymous and does not include commandline argument values. The data is collected by Microsoft.
You can change your telemetry settings with
az configure
Welcome to the cool new Azure CLI!
Use
az --version
to display the current version. Here are the base commands:
cli.knack.cli: Event: Cli.SuccessfulExecute []
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x000001E2B40AE5C0>]
az_command_data_logger: exit code: 0
cli.main: Command ran in 3.002 seconds (init: 0.526, invoke: 2.476)
telemetry.main: Begin splitting cli events and extra events, total events: 1
telemetry.client: Accumulated 0 events. Flush the clients.
telemetry.main: Finish splitting cli events and extra events, cli events: 1
telemetry.save: Save telemetry record of length 3495 in cache
telemetry.main: Begin creating telemetry upload process.
telemetry.process: Creating upload process: "C:\Program Files\Microsoft SDKs\Azure\CLI2\python.exe C:\Program Files\Microsoft SDKs\Azure\CLI2\Lib\site-packages\azure\cli\telemetry\__init__.pyc C:\Users\jstewart1\.azure"
telemetry.process: Return from creating process
telemetry.main: Finish creating telemetry upload process.
Expected behavior
ADAL package should not be installed
Environment Summary
$ az version
{
  "azure-cli": "2.61.0",
  "azure-cli-core": "2.61.0",
  "azure-cli-telemetry": "1.1.0",
  "extensions": {}
}
Additional context
Having an EOL package installed with the distribution introduces vulnerabilities into the environment as that package can still be referenced. This package has been EOL since December 2022.
Please remove the EOL package. If, for some reason, you feel that you need to make this library available, I would recommend that you put it in a separate package (e.g. az-cli-deprecated).
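The report above locates the bundled `adal` package with `find`, and the thread notes that the CLI itself has authenticated with MSAL since 2.30.0. A defender auditing many hosts wants both facts from one check: is the EOL library present in the CLI's private site-packages, which version, and is the replacement there too. The script below is an added example, not code from the azure-cli project or from anyone in this thread. It assumes the usual pip layout (a `<name>-<version>.dist-info` directory beside the package directory); the fixture it builds in a temporary directory and the version numbers inside it are constructed sample values, and on a real host you would point `audit()` at one of the site-packages paths quoted in the issue instead.

```python
"""Inventory check for the end-of-life ``adal`` library inside a bundled Python
environment such as the one the Azure CLI installs.

Added example; not code from the azure-cli project or from the issue thread.
Assumes the standard pip layout (``<name>-<version>.dist-info`` next to the
package directory). build_sample_tree() is a constructed fixture and its
version numbers are made-up sample values.
"""
import os
import re
import tempfile
from typing import Dict, Optional

# Libraries discussed in the issue: adal is EOL (December 2022 per the report),
# msal is the replacement the CLI has used since 2.30.0 per the thread.
EOL_LIBRARIES = {"adal": "EOL since December 2022; superseded by msal"}
REPLACEMENTS = {"adal": "msal"}

# <name>-<version>.dist-info, e.g. adal-1.0.0.dist-info (version starts with a digit)
_DIST_INFO_RE = re.compile(r"^(?P<name>.+?)-(?P<version>\d[^-]*)\.dist-info$")


def _normalize(name: str) -> str:
    """PEP 503 style normalisation so adal, Adal and ADAL compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def find_dist_version(site_packages: str, name: str) -> Optional[str]:
    """Version recorded for `name` in its *.dist-info directory, or None if absent."""
    want = _normalize(name)
    for entry in sorted(os.listdir(site_packages)):
        m = _DIST_INFO_RE.match(entry)
        if not m or _normalize(m.group("name")) != want:
            continue
        metadata = os.path.join(site_packages, entry, "METADATA")
        if os.path.isfile(metadata):
            with open(metadata, encoding="utf-8", errors="replace") as fh:
                for line in fh:
                    if line.lower().startswith("version:"):
                        return line.split(":", 1)[1].strip()
        return m.group("version")  # fall back to the directory name
    return None


def package_dir_present(site_packages: str, name: str) -> bool:
    """Same signal as the issue's `find -name "*adal"`: an importable package directory."""
    return os.path.isdir(os.path.join(site_packages, name))


def audit(site_packages: str) -> Dict[str, Dict[str, object]]:
    """Report presence, version and EOL status of each EOL library and its replacement."""
    report: Dict[str, Dict[str, object]] = {}
    for eol_name in EOL_LIBRARIES:
        for name in (eol_name, REPLACEMENTS[eol_name]):
            version = find_dist_version(site_packages, name)
            report[name] = {
                "present": package_dir_present(site_packages, name) or version is not None,
                "version": version,
                "eol": name in EOL_LIBRARIES,
                "note": EOL_LIBRARIES.get(name, ""),
            }
    return report


def build_sample_tree() -> str:
    """Constructed fixture mimicking the layout in the issue; versions are sample values."""
    root = tempfile.mkdtemp(prefix="site-packages-")
    for name, version in (("adal", "1.0.0"), ("msal", "2.0.0")):
        os.makedirs(os.path.join(root, name))  # the package directory `find` would hit
        info = os.path.join(root, f"{name}-{version}.dist-info")
        os.makedirs(info)
        with open(os.path.join(info, "METADATA"), "w", encoding="utf-8") as fh:
            fh.write(f"Metadata-Version: 2.1\nName: {name}\nVersion: {version}\n")
    return root


def main() -> None:
    # On a real host replace the fixture with a path from the issue, e.g.
    # /usr/lib64/az/lib/python3.9/site-packages or
    # C:\Program Files\Microsoft SDKs\Azure\CLI2\Lib\site-packages
    root = build_sample_tree()
    for name, info in audit(root).items():
        tag = "EOL" if info["eol"] else "ok "
        print(f"[{tag}] {name:<5} present={info['present']} version={info['version']} {info['note']}")


if __name__ == "__main__":
    main()
```

Reading the version from `METADATA` rather than trusting the directory name matters on hosts where a package was upgraded in place, and checking the bare package directory as well as the `dist-info` catches the case the issue describes, where the library is importable even though nothing in the CLI calls it any more.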