Open TripleBrass opened 2 years ago
Want to add that I'm facing a similar issue with the node:4-node16 image. Also curious to know how to update NuGet packages in them.
Also causing Aqua scans to fail for us. This issue has been open since August and we've brought it up with MSRC on our side as well. Has anyone heard anything?
Hello, we recently started scanning our images with Aqua and there are 2 CVEs being detected in the dotnet:4.9.1 image (and presumably, nearly all 4.x.x images - I tried many of them).
CVE-2021-43045 Apache.Avro in:
- /FuncExtensionBundles/Microsoft.Azure.Functions.ExtensionBundle/2.15.0/bin
- /FuncExtensionBundles/Microsoft.Azure.Functions.ExtensionBundle/3.13.0/bin
- /FuncExtensionBundles/Microsoft.Azure.Functions.ExtensionBundle/2.15.0/bin_v3/linux-x64
- /FuncExtensionBundles/Microsoft.Azure.Functions.ExtensionBundle/3.13.0/bin_v3/linux-x64

CVE-2019-0564 System.Net.WebSockets.WebSocketProtocol in:
- /FuncExtensionBundles/Microsoft.Azure.Functions.ExtensionBundle/2.15.0/bin
- /FuncExtensionBundles/Microsoft.Azure.Functions.ExtensionBundle/2.15.0/bin_v3/linux-x64
Aqua recommends simply updating the NuGet packages, but I'm not quite sure how I would do that with the included Function Extension Bundles in the image. Any advice is appreciated.