Azure / azure-functions-vs-build-sdk

MSBuild task for Azure Functions
MIT License

Critical vulnerabilities in v4.1.3 #608

Closed roklenardic closed 8 months ago

roklenardic commented 1 year ago

Hi,

when starting a fresh new functions project and then running the following: (screenshot)

...a surprising dependency with a critical vulnerability is shown. Isn't it a bit irresponsible to have System.Text.Encodings.Web v4.5.0 still referenced within the latest Azure Functions v4.1.3 package? (screenshot)

bhagyshricompany commented 1 year ago

Thanks for your update.

bhagyshricompany commented 1 year ago

I checked the same; yes, this seems so. Will work on this and update.

jeffpuckett commented 1 year ago

Any updates on this?

bhagyshricompany commented 1 year ago

@fabiocav pls comment.

jeffpuckett commented 1 year ago

@bhagyshricompany @fabiocav Hi there. It's kind of embarrassing that any Azure Function we build in a Dockerfile gets marked with a 9.8 CVE. Any update here?

FrankBurmo commented 1 year ago

Microsoft.Azure.WebJobs.Extensions.Http has had this vulnerability for a long time: https://github.com/Azure/azure-webjobs-sdk-extensions/issues/760 https://github.com/Azure/azure-functions-vs-build-sdk/issues/550

Sadly, fixing critical CVEs does not seem to be a priority.

The reference to Microsoft.AspNetCore.Http:2.2.2 has to be removed from here: https://github.com/Azure/azure-webjobs-sdk-extensions/blob/dev/src/WebJobs.Extensions.Http/WebJobs.Extensions.Http.csproj ... and then refactor impacted code.

bhagyshricompany commented 1 year ago

@fabiocav pls comment

jpuckettgomeyra commented 1 year ago

NuGet now needs to be updated from 5.11.3 to 5.11.5. https://github.com/NuGet/Home/issues/12653

fabiocav commented 1 year ago

Although those are the project references, those are not the dependencies your application runs on. The host (and Core Tools) are serviced components, deployed frequently and always patched, so although those do get flagged, those are not vulnerabilities for apps running on Functions.

We realize this causes issues with validation and compliance checks and have addressed some of the warnings from package dependencies in the chain. Please ensure you're referencing the latest.

Flagging to have this reviewed, but as stated, the remaining items (System.Net.Http, System.Text.Encodings.Web and System.Text.RegularExpressions) are runtime dependencies and unified by the host.

jeffpuckett commented 1 year ago

I'm confused. The issue I am having is that Microsoft Defender flags the entire container as having vulnerabilities due to the dependencies of the host, not the application. Microsoft needs to update these.

Havunen commented 1 year ago

We should just remove those old binaries when targeting modern (.NET) applications.... This is related: https://github.com/Azure/azure-webjobs-sdk-extensions/issues/855

Ramanean commented 1 year ago

@fabiocav Suppose we are using a package A with version "5.1" and the runtime uses "5.2"; then the application would only be using the 5.2 version rather than 5.1. Can you confirm this?

adamscarlat commented 10 months ago

Are there any updates on this issue? We're currently on version 4.2.0 of the SDK and failing vulnerability scanning for the reasons mentioned in the ticket.

Havunen commented 10 months ago

I opened a PR: https://github.com/Azure/azure-webjobs-sdk-extensions/pull/862 but the tests are failing due to some connection-string-related stuff?

adamscarlat commented 10 months ago

@Havunen, just checked the pipeline that's failing on your PR. I am almost certain it's not related to your code changes. Seems like it doesn't have access to a key-vault:

"References service endpoint. PRs from repository forks are not allowed to access secrets in the pipeline"

Any idea what to do here?

steve-torchia commented 9 months ago

@fabiocav - just to clarify. Regarding your comment:

Although those are the project references, those are not the dependencies your application runs on. The host (and Core Tools) are serviced components, deployed frequently and always patched, so although those do get flagged, those are not vulnerabilities for apps running on Functions.

Given my project's dependency is on Microsoft.NET.Sdk.Functions@4.2.0 and it, in turn, transitively depends on System.Net.Http@4.3.0 (see screenshot), when I deploy my (in-process) function app to the Azure Functions runtime ~4, then you state that the deployed function will use a different/newer version of System.Net.Http? How can we see the version used during runtime in this instance? For me to sign off that a vulnerability found in a project isn't really a problem because it's "patched" on the runtime, I need some proof 😃

(screenshot)

Thanks, Steve
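One way to get the runtime-side evidence asked for above, as an added example that is not code from the thread or from the Functions SDK: an in-process HTTP trigger (assumes Microsoft.NET.Sdk.Functions and the WebJobs Http extension) that reports which build of System.Net.Http, System.Text.Encodings.Web and System.Text.RegularExpressions is actually loaded in the host process, so the versions in the csproj graph can be compared with what runs.

```csharp
// Added example: report the assemblies actually loaded at runtime for the three
// packages flagged in this issue. Function-key auth keeps the endpoint from being
// public; remove the function after collecting the evidence.
using System;
using System.Linq;
using System.Net.Http;
using System.Reflection;
using System.Text.Encodings.Web;
using System.Text.RegularExpressions;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Azure.WebJobs;
using Microsoft.Azure.WebJobs.Extensions.Http;

public static class LoadedAssemblyReport
{
    [FunctionName("LoadedAssemblyReport")]
    public static IActionResult Run(
        [HttpTrigger(AuthorizationLevel.Function, "get")] HttpRequest req)
    {
        // Touching a type from each package forces its assembly to load, so the
        // version reported is the one the host's unification actually resolved.
        var probes = new[] { typeof(HttpClient), typeof(HtmlEncoder), typeof(Regex) };

        var lines = probes.Select(t =>
        {
            Assembly asm = t.Assembly;
            AssemblyName name = asm.GetName();
            string fileVersion = asm.GetCustomAttribute<AssemblyFileVersionAttribute>()?.Version ?? "n/a";
            string infoVersion = asm.GetCustomAttribute<AssemblyInformationalVersionAttribute>()?.InformationalVersion ?? "n/a";
            // Location is empty for in-memory/single-file loads; otherwise it shows
            // whether the file came from the host install or the app's bin folder.
            string location = string.IsNullOrEmpty(asm.Location) ? "(no file path)" : asm.Location;
            return $"{name.Name}: assembly={name.Version} file={fileVersion} info={infoVersion} path={location}";
        });

        return new OkObjectResult(string.Join(Environment.NewLine, lines));
    }
}
```

On the build side, `dotnet list package --vulnerable --include-transitive` prints the flagged transitive references for the same project, which gives the other half of the comparison.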

Havunen commented 9 months ago

For any future readers: The recommended way now is to migrate to dotnet-isolated function apps, then you can remove Microsoft.Net.SDK.Functions reference.

https://azure.microsoft.com/en-us/updates/ga-azure-functions-supports-net-8-in-the-isolated-worker-model/ https://learn.microsoft.com/en-us/azure/azure-functions/dotnet-isolated-process-guide

patelriki13 commented 8 months ago

Hi @fabiocav

As the issue is assigned as P1 and is almost 1 year near completion, is there any progress on this issue?

patelriki13 commented 8 months ago

For any future readers: The recommended way now is to migrate to dotnet-isolated function apps, then you can remove Microsoft.Net.SDK.Functions reference.

https://azure.microsoft.com/en-us/updates/ga-azure-functions-supports-net-8-in-the-isolated-worker-model/ https://learn.microsoft.com/en-us/azure/azure-functions/dotnet-isolated-process-guide

Hi @Havunen So, that means the in-process function is going to be deprecated?

Havunen commented 8 months ago

Well, I don't work for Microsoft so I cannot answer that, but migrating to dotnet-isolated mitigates this vulnerability, as Microsoft.Net.SDK.Functions is not supported there and instead it uses the new Microsoft.Azure.Functions.* assemblies.

https://www.nuget.org/packages/Microsoft.Azure.Functions.Worker.Sdk/#dependencies-body-tab https://www.nuget.org/packages/Microsoft.Azure.Functions.Worker.Extensions.Http

Etc.

Ramanean commented 8 months ago

I believe the runtime is using the latest versions of these packages, so even if we use outdated packages, it won't affect our application as the runtime has the latest versions of these.

Only @fabiocav can say whether my understanding is correct or not

fabiocav commented 8 months ago

I believe the runtime is using the latest versions of these packages, so even if you use outdated packages, it won't affect your application as the runtime has the latest versions of these.

This is accurate for the dependencies referenced by the SDK. The unification will ensure versions referenced by the host are used.

We have also just released an update to the package with all CVE dependencies updated. So this issue should be resolved.