.Net-6 docker image from Microsoft Container Registry has vulnerabilities

@IamCoder 391 Reputation points
2024-04-17T09:59:50.9633333+00:00

Hello,

I am trying to pull .NET docker images from Microsoft Container Registry, and while scanning these images I am seeing the vulnerabilities below. Does anybody have any suggestions to fix this, please?

FROM mcr.microsoft.com/dotnet/sdk:6.0-alpine

FROM mcr.microsoft.com/dotnet/aspnet:6.0-alpine

|High|openssl|CVE-2019-0190|Impacted versions: >=1.1.1 Discovered: less than an hour ago Published: more than 5 years ago A bug exists in the way mod_ssl handled client renegotiations. A remote attacker could send a carefully crafted request that would cause mod_ssl to enter a loop leading to a denial of service. This bug can be only triggered with Apache HTTP Server version 2.4.37 when using OpenSSL version 1.1.1 or later, due to an interaction in changes to handling of renegotiation attempts.|
| -------- | -------- | -------- | -------- |


1 answer

  1. kobulloc-MSFT 23,491 Reputation points Microsoft Employee
    2024-04-17T15:38:45.7066667+00:00

    Hello, @IamCoder!

    What should I do about a vulnerability that has been discovered in .NET docker images?

    The first thing you can do is to report a security vulnerability if you have discovered one:

    https://github.com/dotnet/dotnet-docker/issues/new/choose

    Note that not all reported vulnerabilities are actionable by the .NET Team, and the guidance is to follow the Container Vulnerability Workflow which will help guide you to the appropriate course of action when encountering reported vulnerabilities in the .NET container images.


    I hope this has been helpful! Your feedback is important so please take a moment to accept answers.

    If you still have questions, please let us know what is needed in the comments so the question can be answered. Thank you for helping to improve Microsoft Q&A!

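Added example, not part of the thread or of Microsoft's guidance: the finding quoted in the question says CVE-2019-0190 needs Apache HTTP Server 2.4.37 together with OpenSSL 1.1.1 or later, so one triage step is to check whether the scanned image ships that combination. The package names `apache2` and `openssl`, the `apk info -v` line format and the sample package list are assumptions made for illustration.

```shell
#!/bin/sh
# Triage helper (added example). Input: an Alpine package list with one
# "name-version-rN" entry per line, the format assumed for `apk info -v`, e.g.
#   docker run --rm --entrypoint apk mcr.microsoft.com/dotnet/aspnet:6.0-alpine info -v

# Print the version of an exactly named package, or nothing if it is absent.
# $1 = package name, $2 = package list
pkg_version() {
    printf '%s\n' "$2" |
        sed -n "s/^$1-\([0-9][^-]*\)-r[0-9][0-9]*\$/\1/p" | head -n 1
}

# True when version $1 >= version $2 (relies on `sort -V`).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# Apply the condition quoted in the finding: Apache httpd 2.4.37 with
# OpenSSL >= 1.1.1. Package names apache2/openssl are assumptions.
triage_cve_2019_0190() {
    httpd=$(pkg_version apache2 "$1")
    ossl=$(pkg_version openssl "$1")
    if [ -z "$httpd" ]; then
        echo "not-applicable: no apache2 package in list"
    elif [ "$httpd" != "2.4.37" ]; then
        echo "not-applicable: apache2 $httpd is not 2.4.37"
    elif [ -n "$ossl" ] && version_ge "$ossl" "1.1.1"; then
        echo "applicable: apache2 2.4.37 with openssl $ossl"
    else
        # OpenSSL may be present only as a library package; check by hand.
        echo "review: apache2 2.4.37 present, openssl version not confirmed"
    fi
}

# Constructed sample list (not real scan output from the images above).
SAMPLE_PKGS='alpine-baselayout-3.4.3-r2
busybox-1.36.1-r15
libssl3-3.1.4-r5
openssl-3.1.4-r5
musl-1.2.4-r2'

triage_cve_2019_0190 "$SAMPLE_PKGS"
```

A "not-applicable" result is evidence to record alongside the scanner finding when following the Container Vulnerability Workflow mentioned in the answer; it does not replace that workflow.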