[Eng]: Container Registry vulnerabilities showing in Microsoft Defender even after building the docker image from latest

[RameshSharmaGithub]

Description

Steps to reproduce

Container Registry vulnerabilities showing in Microsoft Defender Recommendations.

After building the docker image from latest docker pull mcr.microsoft.com/powershell

We found vulnerabilities are still showing. Attaching a screenshot for the same.

Expected behavior

Container Registry vulnerabilities should not be showing in Microsoft Defender Recommendations, after building from the latest.

Actual behavior

Container Registry vulnerabilities are showing in Microsoft Defender Recommendations.

After building the docker image from latest 
docker pull mcr.microsoft.com/powershell

We found vulnerabilities are still showing. Attaching a screenshot for the same.

Error details

Attached screenshot for the vulnerabilities.

Environment data

Attached screenshot for the vulnerabilities.

Visuals

[tiagofu-ms]

Hi,

Just adding more details about this. Vulnerabilities are raised by Microsoft Defender over ACR when a container image is based on 'azure-powershell' image. I tested this by pushing to my ACR “powershell:ubuntu-20.04”, “azure-powershell” and a custom image that uses the last one as base, only the last two were marked with vulnerabilities listed above.

Seems there are vulnerabilities from packages added on 'azure-powershell' image.

Please check this and let know when this could be mitigatted.

Thank you.

[isra-fel]

Thanks for reporting @RameshSharmaGithub . While we are investigating, could you share the details of the vulnerabilities?

[RameshSharmaGithub]

Hi @isra-fel

The screenshots of the high vulnerabilties is uploaded.

Please find below the description of each one:-

1) Newtonsoft.Json prior to version 13.0.1 is vulnerable to Insecure Defaults due to improper handling of expressions with high nesting level that lead to StackOverFlow exception or high CPU and RAM usage. Exploiting this vulnerability results in Denial Of Service (DoS). The serialization and deserialization path have different properties regarding the issue. Deserializing methods (like JsonConvert.DeserializeObject) will process the input that results in burning the CPU, allocating memory, and consuming a thread of execution. Quite high nesting level (>10kk, or 9.5MB of {a:{a:{... input) is needed to achieve the latency over 10 seconds, depending on the hardware. Serializing methods (like JsonConvert.Serialize or JObject.ToString) will throw StackOverFlow exception with the nesting level of around 20k. To mitigate the issue one either need to update Newtonsoft.Json to 13.0.1 or set MaxDepth parameter in the JsonSerializerSettings. This can be done globally with the following statement. After that the parsing of the nested input will fail fast with Newtonsoft.Json.JsonReaderException: JsonConvert.DefaultSettings = () => new JsonSerializerSettings { MaxDepth = 128 }; Repro code: //Create a string representation of an highly nested object (JSON serialized) int nRep = 25000; string json = string.Concat(Enumerable.Repeat("{a:", nRep)) + "1" + string.Concat(Enumerable.Repeat("}", nRep)); //Parse this object (leads to high CPU/RAM consumption) var parsedJson = JsonConvert.DeserializeObject(json); // Methods below all throw stack overflow with nRep around 20k and higher // string a = parsedJson.ToString(); // string b = JsonConvert.SerializeObject(parsedJson); Note the original statement about the problem only affecting IIS applications is misleading. Any application is affected, however the IIS has a behavior that stops restarting the instance after some time resulting in a harder-to-fix DoS.

2) An information disclosure vulnerability exists in .NET Core when authentication information is inadvertently exposed in a redirect, aka ".NET Core Information Disclosure Vulnerability." This affects .NET Core 2.1, .NET Core 1.0, .NET Core 1.1, PowerShell Core 6.0.

Let me know if anything more is required from our end.

[RameshSharmaGithub]

Is there any update @isra-fel