
Netty and Go critical Vulnerabilities in azure-functions-core-tools-3 & 4

See original GitHub issue

Describe the bug

Hello, I am creating a docker image which is using the ‘azure-functions-core-tools-3’ package. Minified Docker snippet below:

FROM ubuntu:bionic

RUN wget -q https://packages.microsoft.com/config/ubuntu/18.04/packages-microsoft-prod.deb -O packages-microsoft-prod.deb && \
    dpkg -i packages-microsoft-prod.deb && \
    apt-get update -y && \
    apt-get upgrade -y && \
    DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
    azure-functions-core-tools-3 && \
    apt-get clean -y && \
    apt-get autoclean -y && \
    rm -rf /var/lib/apt/lists/* 

We are using Twistlock (Prisma) to scan our images which does in depth container scanning. It has identified the following critical CVEs in this package:

| component | affected version | vulnerability | severity | fixed-in |
|---|---|---|---|---|
| io.netty_netty-codec-http | 4.1.30.Final | CVE-2019-20445 | critical | 4.1.44.final |
| io.netty_netty-codec | 4.1.34.Final | CVE-2019-20445 | critical | 4.1.44 |
| io.netty_netty-codec-http | 4.1.30.Final | CVE-2019-20444 | critical | 4.1.44.final |
| io.netty_netty-codec | 4.1.34.Final | CVE-2019-20444 | critical | 4.1.44 |
| go | 1.15.15 | CVE-2022-23806 | critical | 1.17.7, 1.16.14 |
| go | 1.15.15 | CVE-2021-38297 | critical | 1.17.7, 1.16.14 |

The relevant binary paths for these are:

  • /usr/lib/azure-functions-core-tools-3/workers/java/lib/netty-codec-http-4.1.30.Final.jar
  • /usr/lib/azure-functions-core-tools-3/workers/java/lib/netty-codec-4.1.34.Final.jar
  • /usr/lib/azure-functions-core-tools-3/gozip

I have created another image using azure-functions-core-tools-4 and Prisma found the same vulnerabilities exist in that package version too.

Can this please be investigated/remediated? Happy to help test when a hotfix becomes available.

To Reproduce

Use Twistlock or Prisma/another tool to scan the code for vulnerabilities.

Expected behavior

No critical vulnerabilities when scanned
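As an added check, not part of the issue or of the azure-functions-core-tools project: a small Python script that takes the jar paths and the scanner's fixed-in column from the table above and decides, offline, whether each installed version is still below the version the scanner says carries the fix. The paths and versions are the ones reported in the issue; the rule for interpreting a multi-entry fixed-in value such as "1.17.7, 1.16.14" (one fix per major.minor branch, older branches unfixed, newer branches assumed fixed) is an assumption about how the scanner reports fixes, not something the issue states.

```python
import re

# Constructed input: the rows of the scanner table in the issue above.
# Each entry: (component, installed version, CVE, scanner "fixed-in" string).
SCAN_TABLE = [
    ("io.netty_netty-codec-http", "4.1.30.Final", "CVE-2019-20445", "4.1.44.final"),
    ("io.netty_netty-codec",      "4.1.34.Final", "CVE-2019-20445", "4.1.44"),
    ("io.netty_netty-codec-http", "4.1.30.Final", "CVE-2019-20444", "4.1.44.final"),
    ("io.netty_netty-codec",      "4.1.34.Final", "CVE-2019-20444", "4.1.44"),
    ("go",                        "1.15.15",      "CVE-2022-23806", "1.17.7, 1.16.14"),
    ("go",                        "1.15.15",      "CVE-2021-38297", "1.17.7, 1.16.14"),
]

# Constructed input: the binary paths listed in the issue.
JAR_PATHS = [
    "/usr/lib/azure-functions-core-tools-3/workers/java/lib/netty-codec-http-4.1.30.Final.jar",
    "/usr/lib/azure-functions-core-tools-3/workers/java/lib/netty-codec-4.1.34.Final.jar",
    "/usr/lib/azure-functions-core-tools-3/gozip",
]

# Version is the part between the last "-<digit>" and ".jar" (Maven naming).
JAR_VERSION_RE = re.compile(r"-(\d[\w.]*?)\.jar$")


def version_from_jar(path):
    """'.../netty-codec-http-4.1.30.Final.jar' -> '4.1.30.Final'.
    Returns None for files that are not versioned jars (e.g. the gozip binary,
    whose Go toolchain version is not visible in its file name)."""
    m = JAR_VERSION_RE.search(path)
    return m.group(1) if m else None


def parse_version(v):
    """'4.1.44.Final' -> (4, 1, 44).
    Simplification: qualifiers ('Final', 'final') are dropped. Netty's '.Final'
    marks a GA release, so 4.1.44.Final and 4.1.44 rank equal here."""
    return tuple(int(p) for p in v.split(".") if p.isdigit())


def is_fixed(installed, fixed_in):
    """True if `installed` is at or above the scanner's fixed-in version.
    Assumed rule for multi-entry values like '1.17.7, 1.16.14': each entry
    fixes its own major.minor branch. A branch with no entry is treated as
    fixed only if it is newer than every listed branch (fix carried forward)
    and as unfixed if it is older (no patched release, as for go 1.15.x)."""
    inst = parse_version(installed)
    fixes = [parse_version(f.strip()) for f in fixed_in.split(",")]
    for fx in fixes:
        if inst[:2] == fx[:2]:
            return inst >= fx
    return inst[:2] > max(fx[:2] for fx in fixes)


def triage(scan_table):
    """Return the rows whose installed version is still below the fix."""
    return [row for row in scan_table if not is_fixed(row[1], row[3])]


if __name__ == "__main__":
    for path in JAR_PATHS:
        print(f"{path}: version {version_from_jar(path)}")
    for comp, inst, cve, fixed in triage(SCAN_TABLE):
        print(f"{cve}: {comp} {inst} is below fixed-in {fixed}")
```

Run against the table as reported, all six rows come back as open: both netty jars sit below 4.1.44 on the 4.1 branch, and go 1.15.15 has no fixed release on its branch at all. The same `is_fixed` check can be re-run after a package update by substituting the versions found in the rebuilt image.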

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Reactions: 1
  • Comments: 10 (5 by maintainers)

Top GitHub Comments

1 reaction
chrisc96 commented, Mar 22, 2022

Cheers for the swift response Michael, happy to help test 😊

0 reactions
msftbot[bot] commented, Jun 25, 2022

This issue has been automatically marked as stale because it has been marked as requiring author feedback but has not had any activity for 4 days. It will be closed if no further activity occurs within 3 days of this comment.
