Open jftl6y opened 4 months ago
I have the same issue now in dotnet SDK version 8.0.110 detected by Defender for Cloud.
CVE-2024-38095 Evidence /usr/lib/dotnet/sdk/8.0.110/DotnetTools/dotnet-user-jwts/8.0.10-servicing.24468.4/tools/net8.0/any/dotnet-user-jwts.deps.json
Vendor: system.formats.asn1 Installed version: 5.0.0.0
Describe the bug
According to the 8.0.7 release notes, CVE-2024-38095 is remediated in this release. However, when building an Ubuntu 22.04 container with the latest 8.0.7 release and pushing it to Azure Container Registry, Defender for Containers still sees CVE-2024-38095 as a vulnerability.
```json
{
  "assessedResourceType": "AzureContainerRegistryVulnerability",
  "cveDescriptionAdditionalInformation": "Microsoft has released a security advisory (CVE-2024-38095) providing detailed information about this vulnerability, including affected software versions, mitigation factors, and affected packages. Developers are encouraged to review the advisory for guidance on updating their applications and removing the vulnerability. Microsoft also offers a bounty program for reporting potential security issues in .NET 8.0 and .NET 6.0. [Generated by AI]",
  "vulnerabilityDetails": {
    "severity": "High",
    "exploitabilityAssessment": {
      "exploitStepsPublished": false,
      "exploitStepsVerified": false,
      "isInExploitKit": false,
      "exploitUris": [],
      "types": [ "Remote" ]
    },
    "lastModifiedDate": "2024-07-11T00:00:00Z",
    "publishedDate": "2024-07-08T16:00:00Z",
    "workarounds": [],
    "references": [
      { "title": "CVE-2024-38095", "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38095" },
      { "title": "295754", "link": "https://exchange.xforce.ibmcloud.com/vulnerabilities/295754" },
      { "title": "July 2024 Security Updates", "link": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-38095" },
      { "title": "CVE-2024-38095_oval:com.oracle.elsa:def:20244438", "link": "https://linux.oracle.com/security/oval/com.oracle.elsa-all.xml.bz2" },
      { "title": "CVE-2024-38095_oval:com.redhat.rhsa:def:20244439", "link": "https://access.redhat.com/security/data/oval/v2/RHEL9/rhel-9-including-unpatched.oval.xml.bz2" },
      { "title": "CVE-2024-38095_oval:com.ubuntu.jammy:def:68891000000", "link": "https://security-metadata.canonical.com/oval/com.ubuntu.jammy.usn.oval.xml.bz2" },
      { "title": "Microsoft Security Advisory CVE-2024-38095 | .NET Denial of Service Vulnerability", "link": "https://github.com/advisories/GHSA-447r-wph3-92pm" }
    ],
    "weaknesses": { "cwe": [ { "id": "CWE-20" }, { "id": "CWE-404" } ] },
    "cveId": "CVE-2024-38095",
    "cvss": {
      "2.0": null,
      "3.0": {
        "cvssVectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C",
        "base": 7.5
      }
    },
    "cpe": {
      "language": "*",
      "version": "*",
      "softwareEdition": "*",
      "targetHardware": "*",
      "vendor": "system.formats.asn1",
      "targetSoftware": "dotnet",
      "product": "system.formats.asn1",
      "edition": "*",
      "update": "*",
      "other": "*",
      "part": "Applications",
      "uri": "cpe:2.3:a:system.formats.asn1:system.formats.asn1:*:*:*:*:*:dotnet:*:*"
    }
  },
  "softwareDetails": {
    "category": "Language",
    "language": "dotnet",
    "version": "5.0.0.0",
    "vendor": "system.formats.asn1",
    "fixedVersion": "6.0.1",
    "packageName": "system.formats.asn1",
    "fixStatus": "FixAvailable",
    "osDetails": { "osPlatform": "linux", "osVersion": "ubuntu_linux_22.04" },
    "evidence": []
  },
  "artifactDetails": {
    "lastPushedToRegistryUTC": "2024-07-25T00:00:00Z",
    "repositoryName": "vanilla2",
    "artifactType": "ContainerImage",
    "registryHost": "joscot.azurecr.us",
    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
    "digest": "sha256:d08b531f36b18a352e2d9062d81b88ed1d37d2a5872a17cf669a5fc8d1bf0690",
    "tags": [ "latest" ]
  },
  "cvssV30Score": 7.5
}
```
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-38095
To Reproduce
Push a Dockerfile to Azure Container Registry with the following steps:

```dockerfile
FROM ubuntu:22.04
RUN apt-get update && apt-get install -y dotnet-sdk-8.0
```
Let Defender for Containers scan the image and observe findings.
Exceptions (if any)
Further technical details
dotnet --info
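Added example for reproducing the finding locally, written for this issue and not code from the issue author, the dotnet SDK, or Defender for Containers. A manifest-based scanner of the kind quoted above keys on `*.deps.json` files: it reads the `libraries` graph, finds a `System.Formats.Asn1/<version>` entry, and compares the version against the fix threshold. The script below walks a .NET install (default root `/usr/lib/dotnet/sdk`, matching the evidence path in the comment above), parses every deps.json it finds and reports any reference to the package below the threshold, so the dotnet-user-jwts hit can be checked straight from the image filesystem without a registry push. Assumptions: the `6.0.1` threshold is copied from the scanner's `fixedVersion` field on this page (other release lines of the package may have their own fix versions, so check the advisory before treating it as general); the embedded deps.json is constructed to resemble the dotnet-user-jwts one, with placeholder hash and file-version values; and the helper names are mine.

```python
"""Find *.deps.json manifests under a .NET install that reference a NuGet
package below a given fixed version. Added example for this issue; it mimics
what a manifest-based container scanner matches on, it is not the scanner's
or the SDK's own logic."""
import json
import os
import sys
from typing import Iterator

# Package id and threshold taken from the scanner output quoted on this page
# (packageName / fixedVersion). Assumption: 6.0.1 is the fix for the line the
# scanner matched here; other release lines may have their own fix versions.
PACKAGE = "system.formats.asn1"
FIXED_VERSION = "6.0.1"

# Constructed sample, shaped like a dotnet-user-jwts.deps.json; the sha512
# and fileVersion values are placeholders, not real ones.
SAMPLE_DEPS = {
    "runtimeTarget": {"name": ".NETCoreApp,Version=v8.0", "signature": ""},
    "targets": {
        ".NETCoreApp,Version=v8.0": {
            "dotnet-user-jwts/8.0.10-servicing.24468.4": {
                "dependencies": {"System.Formats.Asn1": "5.0.0"},
                "runtime": {"dotnet-user-jwts.dll": {}},
            },
            "System.Formats.Asn1/5.0.0": {
                "runtime": {
                    "lib/netstandard2.0/System.Formats.Asn1.dll": {
                        "assemblyVersion": "5.0.0.0",
                        "fileVersion": "0.0.0.0",
                    }
                }
            },
        }
    },
    "libraries": {
        "dotnet-user-jwts/8.0.10-servicing.24468.4": {
            "type": "project", "serviceable": False, "sha512": ""},
        "System.Formats.Asn1/5.0.0": {
            "type": "package", "serviceable": True,
            "sha512": "sha512-PLACEHOLDER", "path": "system.formats.asn1/5.0.0"},
    },
}


def parse_version(ver: str) -> tuple:
    """'8.0.10-servicing.24468.4' -> (8, 0, 10): prerelease/build tags dropped,
    numeric components compared positionally."""
    core = ver.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(p) for p in core.split(".") if p.isdigit())


def is_below_fix(version: str, fixed: str = FIXED_VERSION) -> bool:
    return parse_version(version) < parse_version(fixed)


def find_package_refs(deps: dict, package: str = PACKAGE) -> list:
    """Return each 'libraries' entry whose package id matches (case-insensitive),
    with the NuGet version from the key and, when the targets section carries it,
    the assemblyVersion (the 4-part number a scanner tends to report as installed)."""
    refs = []
    for lib_key in deps.get("libraries", {}):
        name, _, version = lib_key.rpartition("/")
        if name.lower() != package:
            continue
        asm_version = None
        for target in deps.get("targets", {}).values():
            for asm in target.get(lib_key, {}).get("runtime", {}).values():
                asm_version = asm.get("assemblyVersion", asm_version)
        refs.append({"package": name, "version": version,
                     "assemblyVersion": asm_version})
    return refs


def scan_tree(root: str, package: str = PACKAGE,
              fixed: str = FIXED_VERSION) -> Iterator[dict]:
    """Walk root, parse every *.deps.json, yield matching package references
    annotated with the file path and whether the version is below the fix."""
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.endswith(".deps.json"):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, encoding="utf-8") as fh:
                    deps = json.load(fh)
            except (OSError, json.JSONDecodeError):
                continue  # unreadable or not JSON: skip, a scanner would too
            for ref in find_package_refs(deps, package):
                ref["file"] = path
                ref["below_fix"] = is_below_fix(ref["version"], fixed)
                yield ref


if __name__ == "__main__":
    scan_root = sys.argv[1] if len(sys.argv) > 1 else "/usr/lib/dotnet/sdk"
    for hit in scan_tree(scan_root):
        flag = "BELOW FIX" if hit["below_fix"] else "ok"
        print(f"{flag}: {hit['file']} -> {hit['package']} {hit['version']} "
              f"(assemblyVersion {hit['assemblyVersion']})")
```

Run it inside the built container (`python3 scan_deps.py /usr/lib/dotnet`) to list the same manifests the registry scan is matching on. A hit tells you the manifest references the old package, which is exactly what the scanner reports; whether the assembly named there is the one actually loaded at run time is a separate question from what the manifest says.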