337 vulnerabilities in 4-dotnet-isolated8.0 (1 C, 231 H) #1185
Comments
|
It has now been clearly over a month since the last update. Any news? |
|
Note that the base image dotnet 8.0.10 doesn't have those vulnerabilities (anymore). It seems like the rebuild/patching of upstream images is not happening correctly? I think this issue can be linked to #1177 and #1178 as well. The wiki documentation (https://github.com/Azure/azure-functions-docker/wiki/Functions-image-release-process) specifically claims that patches from upstream are patched within 2 weeks!
|
|
Feedback from Microsoft via a ticket was that "deployment has been deferred to January 6th" due to the holiday season. |
|
I honestly don't understand what's going on but a new image was added on 2024-12-11 and it doesn't contain these vulnerabilities anymore. |
Someone ran the "Refresh" workflow (https://github.com/Azure/azure-functions-docker/actions/runs/12252082156) which created a nw refresh branch (https://github.com/Azure/azure-functions-docker/tree/refresh/4.36.1.2-refresh), which on its turn probably created a pipeline somewhere to update the images. |
Azure Defender for Cloud reports a total of 337 vulnerabilities in the latest 4-dotnet-isolated8.0 image, including 1 critical vulnerability (
CVE-2024-47685). I think all of them are OS vulnerabilities. It reports that a fix is available by updating to debian 6.1.115-1 from 6.1.112-1.
It says in the Azure Functions documentation that updates come monthly but don't you think that's a bit too slow for critical vulnerabilities (and such a big pile of high-severity ones)? Last update was on 2024-10-31 but the vulnerabilities were published on 2024-10-21.
Incomplete list of vulnerabilities:
Critical:
CVE-2024-47685
High:
CVE-2024-8805
CVE-2024-53082
CVE-2024-53061
CVE-2024-53057
CVE-2024-53042
CVE-2024-50302
CVE-2024-50301
CVE-2024-50286
CVE-2024-50283
...
The text was updated successfully, but these errors were encountered: