0 Votes
antgonmir asked MayankBargali-MSFT commented

High Severity Security Vulnerabilities in Azure Functions Docker Image

We have built a Docker container image for a Linux Azure Function App running Python 3.7 using the instructions provided in:

Create a function on Linux using a custom container


Our Dockerfile is just:

    FROM mcr.microsoft.com/azure-functions/python:3.0-python3.7

    ENV AzureWebJobsScriptRoot=/home/site/wwwroot \
        AzureFunctionsJobHost__Logging__Console__IsEnabled=true

    COPY requirements.txt /
    RUN pip install -r /requirements.txt

    COPY . /home/site/wwwroot

We uploaded our Docker image to JFrog Artifactory and had it scanned with XRay. The results reported over 35 critical security vulnerabilities, all of which are related to the debian:buster:linux:4.19.98-1 packages.

8442-docker-azurefunctioncustom-117176-violations-expor.txt



Are these false positives? Safe to ignore? Or are we using the wrong (or old) base image for the Azure Function Docker image?

azure-functions

Hello @antgonmir - Sorry for the delay in our response. We are now actively investigating and will answer with our findings soon.

2 Votes 2 ·

We could use some details here as well. It seems all Azure Functions use Docker under the covers.

Is this anything we need to be concerned about?

0 Votes 0 ·

1 Answer

0 Votes
MayankBargali-MSFT answered MayankBargali-MSFT commented

Hi @antgonmir

Looking into the attachment, I can see that there is an issue with the CVEs mentioned in the violations export file, and this issue is with Debian. The underlying image that is used for Functions basically has this issue.
There are many reasons for CVEs to still be shown in production images, and you can read this for more information: https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves

If there are any CVEs that you think might affect you, you can track them using this link: https://security-tracker.debian.org/tracker/
Further, you can raise the issue with Debian for specific CVEs.

Update:
The product group is in the middle of releasing an updated image with fixes for all the actionable Debian vulnerabilities. The expected date for this to be completed is next week if there are no issues.

You can rebuild your custom Docker image by the end of next week so that you get the updated base image.
Also, some of the Debian vulnerabilities do not have patches available yet, and they would remain unpatched with the new image as well.

If you have any concerns on the docker image you can always create the issue here: https://github.com/Azure/azure-functions-docker
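One way to turn such a scanner export into an actionable list, as an added example that is not part of this thread and not code from the Azure Functions images: it checks each reported CVE for the installed Debian package against data in the shape of the Debian security tracker's JSON export (a constructed sample is embedded so it runs offline), and the version ordering is a simplified approximation of dpkg's, not the real algorithm.

```python
import json
import re

# Constructed sample shaped like the Debian tracker's JSON export
# (package -> CVE -> releases -> suite); CVE ids and versions are placeholders.
TRACKER_JSON = """{
  "linux": {
    "CVE-0000-0001": {"releases": {"buster": {"status": "resolved",
        "fixed_version": "4.19.118-1", "urgency": "medium"}}},
    "CVE-0000-0002": {"releases": {"buster": {"status": "open",
        "urgency": "unimportant"}}},
    "CVE-0000-0003": {"releases": {"buster": {"status": "resolved",
        "fixed_version": "4.19.98-1", "urgency": "high"}}}
  }
}"""

# Constructed findings as a scanner export lists them (package, version, CVE).
FINDINGS = [
    ("linux", "4.19.98-1", "CVE-0000-0001"),
    ("linux", "4.19.98-1", "CVE-0000-0002"),
    ("linux", "4.19.98-1", "CVE-0000-0003"),
    ("linux", "4.19.98-1", "CVE-0000-0004"),
]

def version_key(version):
    """Approximate dpkg ordering by comparing numeric components only
    (assumption; adequate for the upstream-revision versions used here)."""
    return tuple(int(part) for part in re.findall(r"\d+", version))

def triage(findings, tracker, release="buster"):
    """Map each CVE to 'upgrade' (a fixed package exists for this release),
    'fixed' (installed version already carries the fix), 'unpatched'
    (Debian still lists it open) or 'unknown' (no tracker entry)."""
    verdicts = {}
    for package, installed, cve in findings:
        entry = tracker.get(package, {}).get(cve, {}).get("releases", {}).get(release)
        if entry is None:
            verdicts[cve] = "unknown"
        elif entry.get("status") == "open":
            verdicts[cve] = "unpatched"
        elif version_key(installed) < version_key(entry.get("fixed_version", "0")):
            verdicts[cve] = "upgrade"
        else:
            verdicts[cve] = "fixed"
    return verdicts

def triage_sample():
    """Run the constructed findings against the constructed tracker data."""
    return triage(FINDINGS, json.loads(TRACKER_JSON))
```

Only the 'upgrade' entries are fixed by rebuilding on a newer base image; 'unpatched' ones stay until Debian ships a fix, which is the split the answer above describes.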


But... Azure is controlling the Docker Base Image, right? We don't have control over which Docker image is spawned to host our Azure Functions do we?

Isn't this in your domain? I feel like the Azure Functions team should be tracking the CVEs associated with the Docker image they provide, not us, the serverless customer.

Am I off base here?

1 Vote 1 ·

Hi @seadude

Thanks for your response. I am reaching out to my team to confirm it and will keep you posted.

0 Votes 0 ·

Hi @seadude

The product team is working on the fix or recommendation for this issue. Will keep you posted once I have further updates.

0 Votes 0 ·