Netty and Go critical vulnerabilities in azure-functions-core-tools-3 & 4
Describe the bug
Hello, I am creating a Docker image which uses the 'azure-functions-core-tools-3' package. Minimal Dockerfile snippet below:
```dockerfile
FROM ubuntu:bionic
RUN wget -q https://packages.microsoft.com/config/ubuntu/18.04/packages-microsoft-prod.deb -O packages-microsoft-prod.deb && \
    dpkg -i packages-microsoft-prod.deb && \
    apt-get update -y && \
    apt-get upgrade -y && \
    DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
        azure-functions-core-tools-3 && \
    apt-get clean -y && \
    apt-get autoclean -y && \
    rm -rf /var/lib/apt/lists/*
```
We are using Twistlock (Prisma), which does in-depth container scanning, to scan our images. It has identified the following critical CVEs in this package:

| component | affected version | vulnerability | severity | fixed in |
|---|---|---|---|---|
| io.netty_netty-codec-http | 4.1.30.Final | CVE-2019-20445 | critical | 4.1.44.Final |
| io.netty_netty-codec | 4.1.34.Final | CVE-2019-20445 | critical | 4.1.44 |
| io.netty_netty-codec-http | 4.1.30.Final | CVE-2019-20444 | critical | 4.1.44.Final |
| io.netty_netty-codec | 4.1.34.Final | CVE-2019-20444 | critical | 4.1.44 |
| go | 1.15.15 | CVE-2022-23806 | critical | 1.17.7, 1.16.14 |
| go | 1.15.15 | CVE-2021-38297 | critical | 1.17.7, 1.16.14 |
The relevant binary paths for these are:
- /usr/lib/azure-functions-core-tools-3/workers/java/lib/netty-codec-http-4.1.30.Final.jar
- /usr/lib/azure-functions-core-tools-3/workers/java/lib/netty-codec-4.1.34.Final.jar
- /usr/lib/azure-functions-core-tools-3/gozip
I have created another image using azure-functions-core-tools-4, and Prisma found that the same vulnerabilities exist in that package version too.
Can this please be investigated/remediated? Happy to help test when a hotfix becomes available.
To Reproduce
Use Twistlock or Prisma (or another tool) to scan the image for vulnerabilities.
Expected behavior
No critical vulnerabilities when scanned.
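The findings above rest on two facts a maintainer can confirm without a commercial scanner: the version embedded in each Netty jar filename under the Java worker's lib directory, and the Go toolchain version recorded in the gozip binary. The following script is an added example, not part of the original issue or of the Core Tools project. It takes the 4.1.44 fix threshold from the table, parses Maven-style jar names, and reads the Go version with `go version <file>` (which needs a Go toolchain on the scanning host). The jar names it creates under a temp directory are constructed for the demo; on a real image point it at the paths quoted in the issue.

```shell
#!/bin/sh
# Added example (not from the issue or the Core Tools project): verify the
# table's Netty and Go findings from the image contents alone.

# jar_version NAME: dotted numeric version from a Maven-style jar filename,
# e.g. netty-codec-http-4.1.30.Final.jar -> 4.1.30
jar_version() {
  printf '%s\n' "$1" | sed -n 's/.*-\([0-9][0-9]*\(\.[0-9][0-9]*\)*\).*\.jar$/\1/p'
}

# version_lt A B: succeed when dotted version A is strictly lower than B
# (missing trailing components count as 0, so 4.1 < 4.1.1)
version_lt() {
  a="$1." b="$2."
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; a=${a#*.}
    y=${b%%.*}; b=${b#*.}
    [ "${x:-0}" -lt "${y:-0}" ] && return 0
    [ "${x:-0}" -gt "${y:-0}" ] && return 1
  done
  return 1
}

# vulnerable_netty_count DIR FIXED: print how many netty-*.jar files in DIR
# carry a version below FIXED; the offending names are listed on stderr
vulnerable_netty_count() {
  dir=$1 fixed=$2 n=0
  for jar in "$dir"/netty-*.jar; do
    [ -e "$jar" ] || continue
    v=$(jar_version "${jar##*/}")
    [ -n "$v" ] || continue
    if version_lt "$v" "$fixed"; then
      echo "VULNERABLE: $jar ($v < $fixed)" >&2
      n=$((n + 1))
    fi
  done
  echo "$n"
}

# gozip_go_version FILE: Go toolchain version recorded in a Go binary, read
# with `go version FILE`; prints nothing if go is absent or FILE is not Go
gozip_go_version() {
  command -v go >/dev/null 2>&1 || return 0
  go version "$1" 2>/dev/null | sed -n 's/^.*: go\([0-9.][0-9.]*\).*$/\1/p'
}

# Constructed demo input mirroring the worker lib directory from the issue
demo=$(mktemp -d)
touch "$demo/netty-codec-http-4.1.30.Final.jar" \
      "$demo/netty-codec-4.1.34.Final.jar" \
      "$demo/netty-handler-4.1.44.Final.jar"
echo "vulnerable netty jars in demo dir: $(vulnerable_netty_count "$demo" 4.1.44)"
rm -rf "$demo"

# On a real Core Tools image, run inside the container:
#   vulnerable_netty_count /usr/lib/azure-functions-core-tools-3/workers/java/lib 4.1.44
#   gozip_go_version /usr/lib/azure-functions-core-tools-3/gozip
# The issue's table reports 4.1.30/4.1.34 for the jars and 1.15.15 for gozip.
```

Comparing filename versions is the same heuristic most SCA scanners apply to jars, so this reproduces the finding but does not prove exploitability; the Netty fix threshold is the one the scanner reported, and the Go CVEs are judged against the toolchain version only, not against whether gozip uses the affected packages.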
Issue Analytics
- Created 2 years ago
- Reactions: 1
- Comments: 10 (5 by maintainers)
Top GitHub Comments
Cheers for the swift response Michael, happy to help test 😊
This issue has been automatically marked as stale because it has been marked as requiring author feedback but has not had any activity for 4 days. It will be closed if no further activity occurs within 3 days of this comment.