Azure / azure-powershell

Microsoft Azure PowerShell

AZ module 11.1.0 is vulnerable to CVE-2021-26701 #23669

Open Abdulthetechguy opened 10 months ago

Abdulthetechguy commented 10 months ago

Description

We cannot add the AZ module to our build agent because it is vulnerable to CVE-2021-26701. It has to do with the package system.text.encodings.web version 4.6.0, which was fixed in version 4.7.2 and above.

Adding this link for more context: https://github.com/dotnet/runtime/issues/49377

PowerShell Version: 7.3.6

Install PowerShell

RUN wget https://github.com/PowerShell/PowerShell/releases/download/v7.3.6/powershell_7.3.6-1.deb_amd64.deb
RUN dpkg -i powershell_7.3.6-1.deb_amd64.deb
RUN rm -f powershell_7.3.6-1.deb_amd64.deb

AZ Version: 11.1.0

RUN pwsh -c "Set-PSRepository -Name 'PSGallery' -InstallationPolicy Trusted"
RUN pwsh -c "Install-Module -Name Az -RequiredVersion 11.1.0 -Scope AllUsers"

Base Image ubuntu:20.04

Issue script & Debug output

Scan result attached to the description section

Environment data

powershell version is 7.3.6

Module versions

az module version is 11.1.0

Error output

No response

msJinLei commented 10 months ago

@Abdulthetechguy We no longer depend on system.text.encodings.web 4.6.0 https://github.com/Azure/azure-powershell/blob/main/src/lib/netfx/System.Text.Encodings.Web.dll. I would like to know how you get the vulnerability alert?

Abdulthetechguy commented 10 months ago

> @Abdulthetechguy We no longer depend on system.text.encodings.web 4.6.0 https://github.com/Azure/azure-powershell/blob/main/src/lib/netfx/System.Text.Encodings.Web.dll. I would like to know how you get the vulnerability alert?

This happens when you install the AZ module from the PSGallery and don't use PowerShell as your base image that comes with the AZ module preinstalled. The code below will generate the vulnerability alert both in Prisma Cloud and Azure Cloud Defender:

FROM ubuntu:20.04
RUN wget https://github.com/PowerShell/PowerShell/releases/download/v7.3.6/powershell_7.3.6-1.deb_amd64.deb
RUN dpkg -i powershell_7.3.6-1.deb_amd64.deb
RUN rm -f powershell_7.3.6-1.deb_amd64.deb

AZ Version: 11.1.0

RUN pwsh -c "Set-PSRepository -Name 'PSGallery' -InstallationPolicy Trusted"
RUN pwsh -c "Install-Module -Name Az -RequiredVersion 11.1.0 -Scope AllUsers"

isra-fel commented 9 months ago

Thanks for the info @Abdulthetechguy. Could you also share some details about the issue? We are particularly interested in the path to the "vulnerable" assembly, because we are pretty sure the system.text.encodings.web we ship is 4.7.2.

@msJinLei please also try that on our end.
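The maintainers above ask for the path to the assembly the scanner flagged. The PowerShell snippet below is an added example, not code from the thread or from the Az project: it walks every installed Az.* module directory, lists each copy of System.Text.Encodings.Web.dll it carries, and prints the version fields and SHA-256 hash that a scanner's finding can be matched against. It assumes PowerShell 7 on Linux with the Az module installed from the PSGallery (as in the Dockerfiles in this thread); the module names, paths and versions it prints come from the machine it runs on.

```powershell
# Added example (not the thread's or the Az project's code): tie a scanner finding
# for System.Text.Encodings.Web to a concrete file under the installed Az modules.
# Assumes PowerShell 7 with the Az module installed (Install-Module -Name Az).

$dllName = 'System.Text.Encodings.Web.dll'

# One entry per Az.* module on the module path (Az.Accounts is where the shared
# dependencies live, but we look in every module rather than assume).
$azModules = Get-Module -ListAvailable -Name 'Az.*'

$findings = foreach ($module in $azModules) {
    Get-ChildItem -Path $module.ModuleBase -Recurse -Filter $dllName -ErrorAction SilentlyContinue |
        ForEach-Object {
            # AssemblyVersion comes from the PE metadata. Note that the NuGet
            # package version quoted in the thread (4.6.0 vs 4.7.2) is a different
            # number from the assembly version, so compare against the DLL shipped
            # in the package you believe is fixed, not against the package number.
            $asmName = [System.Reflection.AssemblyName]::GetAssemblyName($_.FullName)

            [pscustomobject]@{
                Module          = $module.Name
                ModuleVersion   = $module.Version.ToString()
                Path            = $_.FullName
                FileVersion     = $_.VersionInfo.FileVersion
                ProductVersion  = $_.VersionInfo.ProductVersion
                AssemblyVersion = $asmName.Version.ToString()
                Sha256          = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

if (-not $findings) {
    Write-Output "No $dllName found under any installed Az.* module."
} else {
    # One record per copy of the DLL; duplicates across modules show up as separate rows.
    $findings | Sort-Object Module, Path | Format-List
}
```

Run it inside the image with `pwsh -File <script.ps1>` (or paste it into an interactive pwsh session) after the Az install step, and attach the output to the issue: the Path and Sha256 fields let the maintainers confirm whether the flagged file is the 4.7.2 build they say they ship or something pulled in from elsewhere, and the hash can be compared directly against the DLL in the NuGet package without relying on a scanner's version heuristics.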

mpowrie commented 8 months ago

This CVE vulnerability is still in AZ module 11.3.0. Tested on an Ubuntu 22.04 base image with PowerShell 7.4.1. Test Dockerfile to demonstrate the issue:

# Build command: docker build --tag test-powershell-az-cve:latest .
# run command: docker run -it --rm test-powershell-az-cve:latest
#   check Powershell version: $psversiontable.PSVersion
#   Check Powershell az module: Get-InstalledModule -Name Az
FROM ubuntu:22.04
RUN apt-get update && \
    apt-get install -y lsb-release wget
RUN wget -q "https://packages.microsoft.com/config/ubuntu/$(lsb_release -rs)/packages-microsoft-prod.deb" && \
    dpkg -i packages-microsoft-prod.deb && \
    apt-get update && apt-get install -y powershell
RUN pwsh -command Set-PSRepository -Name 'PSGallery' -InstallationPolicy Trusted && \
    pwsh -command Install-Module -Name Az -Force
ENTRYPOINT ["/usr/bin/pwsh"]

msJinLei commented 8 months ago

Will check it later