Open Abdulthetechguy opened 10 months ago
@Abdulthetechguy We no longer depend on system.text.encodings.web 4.6.0 https://github.com/Azure/azure-powershell/blob/main/src/lib/netfx/System.Text.Encodings.Web.dll. I would like to know how you get the vulnerability alert?
This happens when you install the AZ module from the PSGallery and don't use the PowerShell base image that comes with the AZ module preinstalled. The code below will generate the vulnerability alert both in Prisma Cloud and Azure Cloud Defender.
```dockerfile
FROM ubuntu:20.04
RUN wget https://github.com/PowerShell/PowerShell/releases/download/v7.3.6/powershell_7.3.6-1.deb_amd64.deb
RUN dpkg -i powershell_7.3.6-1.deb_amd64.deb
RUN rm -f powershell_7.3.6-1.deb_amd64.deb
# AZ Version: 11.1.0
RUN pwsh -c "Set-PSRepository -Name 'PSGallery' -InstallationPolicy Trusted"
RUN pwsh -c "Install-Module -Name Az -RequiredVersion 11.1.0 -Scope AllUsers"
```
Thanks for the info @Abdulthetechguy . Could you also share some details about the issue? We are particularly interested in the path to the "vulnerable" assembly, because we are pretty sure the system.text.encodings.web we ship is 4.7.2.
@msJinLei please also try that on our end.
This CVE vulnerability is still in AZ module 11.3.0. Tested on an Ubuntu 22.04 base image with PowerShell 7.4.1.
Test Dockerfile to demonstrate the issue:
```dockerfile
# Build command: docker build --tag test-powershell-az-cve:latest .
# Run command: docker run -it --rm test-powershell-az-cve:latest
# Check PowerShell version: $psversiontable.PSVersion
# Check PowerShell Az module: Get-InstalledModule -Name Az
FROM ubuntu:22.04
RUN apt-get update && \
    apt-get install -y lsb-release wget
RUN wget -q "https://packages.microsoft.com/config/ubuntu/$(lsb_release -rs)/packages-microsoft-prod.deb" && \
    dpkg -i packages-microsoft-prod.deb && \
    apt-get update && apt-get install -y powershell
RUN pwsh -command Set-PSRepository -Name 'PSGallery' -InstallationPolicy Trusted && \
    pwsh -command Install-Module -Name Az -Force
ENTRYPOINT ["/usr/bin/pwsh"]
```
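The maintainers asked above for the path of the assembly the scanners flag. The script below is an added triage example, not code from the azure-powershell project or from the issue author: run inside the container built from the Dockerfile above, it walks every `$env:PSModulePath` root, lists each copy of `System.Text.Encodings.Web.dll` that the installed modules ship, and reports its path, owning module and version metadata. The function name `Get-EncodingsWebAssembly` is made up for this example, and the default `-FixedAssemblyVersion` of 4.0.5.1 is an assumption about which assembly version the 4.7.2 NuGet package carries; adjust it if your own comparison against a known-good 4.7.2 copy says otherwise.

```powershell
<#
Added example (not from the azure-powershell project): locate every
System.Text.Encodings.Web.dll under the PowerShell module paths and report
its version metadata, so a scanner finding can be tied to a concrete file.
Usage inside the container: pwsh ./Find-EncodingsWeb.ps1
#>
param(
    # Directories to scan; defaults to every entry of $env:PSModulePath.
    [string[]] $SearchRoot = ($env:PSModulePath -split [IO.Path]::PathSeparator),
    # ASSUMPTION: the fixed NuGet package 4.7.2 carries assembly version 4.0.5.1.
    # Anything lower is reported as PRE-FIX. Verify against a trusted 4.7.2 copy.
    [version]  $FixedAssemblyVersion = [version]'4.0.5.1'
)

# Hypothetical helper name; returns one object per DLL found.
function Get-EncodingsWebAssembly {
    param([string[]] $Roots, [version] $Fixed)
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -File `
            -Filter 'System.Text.Encodings.Web.dll' -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Win32 version resource (FileVersion/ProductVersion) embedded in the PE.
            $info = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($_.FullName)
            # Managed assembly identity; null if the file is not a valid assembly.
            $asm = try {
                [System.Reflection.AssemblyName]::GetAssemblyName($_.FullName).Version
            } catch { $null }
            # Owning module = first path segment below the module root.
            $relative = $_.FullName.Substring($root.Length).TrimStart('/', '\')
            $module   = ($relative -split '[/\\]')[0]
            if ($null -eq $asm)     { $status = 'unknown' }
            elseif ($asm -lt $Fixed) { $status = 'PRE-FIX' }
            else                     { $status = 'ok' }
            [pscustomobject]@{
                Module          = $module
                Path            = $_.FullName
                FileVersion     = $info.FileVersion
                ProductVersion  = $info.ProductVersion
                AssemblyVersion = $asm
                Status          = $status
            }
        }
    }
}

$results = @(Get-EncodingsWebAssembly -Roots $SearchRoot -Fixed $FixedAssemblyVersion)
$results | Sort-Object Status, Module | Format-Table -AutoSize
# Non-zero exit so a CI image-validation step fails when a pre-fix copy is present.
if ($results.Status -contains 'PRE-FIX') { exit 1 }
```

The Path column is what the maintainers asked for: it shows whether the flagged DLL comes from an Az.* module directory or from a different module installed alongside it, and the FileVersion/ProductVersion pair is what the container scanners usually match on.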
Will check it later
Description
We cannot add the AZ module to our build agent because it is vulnerable to CVE-2021-26701. It has to do with the package system.text.encodings.web version 4.6.0, which is fixed in version 4.7.2 and above.
Adding this link for more context: https://github.com/dotnet/runtime/issues/49377
PowerShell Version: 7.3.6
Install PowerShell
```dockerfile
RUN wget https://github.com/PowerShell/PowerShell/releases/download/v7.3.6/powershell_7.3.6-1.deb_amd64.deb
RUN dpkg -i powershell_7.3.6-1.deb_amd64.deb
RUN rm -f powershell_7.3.6-1.deb_amd64.deb
# AZ Version: 11.1.0
RUN pwsh -c "Set-PSRepository -Name 'PSGallery' -InstallationPolicy Trusted"
RUN pwsh -c "Install-Module -Name Az -RequiredVersion 11.1.0 -Scope AllUsers"
```
Base Image: ubuntu:20.04
Issue script & Debug output
Environment data
Module versions
Error output
No response