microsoft / mssql-docker

Official Microsoft repository for SQL Server in Docker resources
MIT License
1.74k stars 759 forks source link

The launchpad extension has critical security vulnerabilities in the latest images #896

Open justinmchase opened 2 months ago

justinmchase commented 2 months ago

The latest image of mssql/server:2022-latest contains a file at /opt/mssql-extensibility/bin/launchpad which appears to be built with a very old version of golang and generates a large number of critical CVE's for all of your published images.

exact sha256

as of Aug 27, 2024

c1aa8afe9b06eab64c9774a4802dcd032205d1be785b1fd51e1c0151e7586b74

Details

Screenshot 2024-08-27 at 12 29 01 PM

Please rebuild the launchpad extension with a newer version of golang and publish an updated version of 2022 and 2019.


Related to

amitkh-msft commented 2 months ago

Ack. Thank you for sharing this. We will work on updating the golang package.

naman7kr commented 2 months ago

Any update on this ? is there any deadline ?

amitkh-msft commented 2 months ago

sorry for the delay, hopefully I should have a tentative timeline to share by end of next week.

granadacoder commented 1 month ago

Hi.

I am another person and team being completely paralyzed here.

When giving timeline phrases... could you use exact dates and please avoid "this week" or "next week" phrases. I'm not trying to be a jerk, but I'm getting pinged twice a day on "what is the update?". I am in a zero tolerance world now.

Thank you for your consideration.

justinmchase commented 1 month ago

@amitkh-msft I'm in the same boat. These images are being blocked by our security team and they are critical for our developers.

granadacoder commented 1 month ago

sorry for the delay, hopefully I should have a tentative timeline to share by end of next week.

(Posted 3 weeks ago)

Hi.

We are desperately looking for an update.

We are looking to shift to postgres now because of the lack of response.

I'm not trying to be nasty. I'm conveying the reality of our security department will not allow vulnerable images.

FabiKund commented 1 month ago

@amitkh-msft are there any updates on the timeline?

We have the same problem that several people have already described here: one of our products needs to use the mssql server image which contains the vulnerabilities stated above. As long as the vulnerabilities exist our security department does not allow going live with the product and blocks the usage of the image.

granadacoder commented 3 weeks ago

Hi. It's coming up on 2 MONTHS since being reported.

Please, can we get an update?

hype11 commented 2 weeks ago

Hi, I have the same problem. For our company the image is blocked by security scanners. How long will it take to fix this critical issue? regards

naman7kr commented 1 week ago

i have stopped using mssql database, thanks to @amitkh-msft