
When building and deploying Azure Container Apps (ACA), the images specified in the Dockerfile (or the base Debian OS image that Microsoft uses) seem to carry security issues for periods of time. As an example, given:

```dockerfile
FROM mcr.microsoft.com/dotnet/aspnet:6.0 AS base
WORKDIR /app
EXPOSE 80
EXPOSE 443

FROM mcr.microsoft.com/dotnet/sdk:6.0 AS build
WORKDIR /src

# trimmed for brevity...

FROM base AS final
WORKDIR /app
COPY --from=publish /app/publish .
ENTRYPOINT ["dotnet", "myapp.dll"]
```

Microsoft Defender for Cloud marks the image in the registry with a high vulnerability even though it looks like the update was accepted into the stable-security branch on 5/31/23.

Defender marks an image I built yesterday (with the above Dockerfile) as still having this vulnerability. So my question is: how often and/or when does Azure update base images for ACA to resolve such security vulnerabilities?

UPDATE - It looks like Microsoft have not yet incorporated an updated debian image into their base.

[image: DockerDesktop Image Vulnerabilities]

pseabury
  • Azure does not update the base images in your container registry by default but you can create an ACR Task for that: [About base image updates for ACR Tasks](https://learn.microsoft.com/en-us/azure/container-registry/container-registry-tasks-base-images) – Thomas Jun 12 '23 at 02:00
  • Thanks for the link to that document @Thomas. I think it's true for manually managed containers like ACI or AKS, but for ACA (containers as a service) the point is to manage this for you. I know that existing images won't be updated, but new deployments should use updated Linux base images I think. – pseabury Jun 12 '23 at 13:01
  • You mean when you rebuild the image before deploying? – Thomas Jun 12 '23 at 15:09
  • Yes, but my base is https://hub.docker.com/_/microsoft-dotnet-aspnet. Their policy says "We update the supported .NET images within 12 hours of any updates to their base images (e.g. debian:buster-slim, windows/nanoserver:ltsc2022, buildpack-deps:bionic-scm, etc.)." but they clearly have not yet updated them since 05/23/23. Also see my update above. – pseabury Jun 12 '23 at 15:51
  • Is the vulnerability detected only on old images or even on new images? – Thomas Jun 12 '23 at 19:35
  • Just rebuilt with current image - still the openssl vulnerability from 5/31/23. My only takeaway can be that the Debian base image of 11-slim hasn't yet incorporated the openssl & libssl packages from 1.1.1n-0+deb11u4 to 1.1.1n-0+deb11u5. – pseabury Jun 12 '23 at 20:07
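
An added example, not from the question or from Microsoft: a small Python script that checks whether the openssl/libssl packages actually installed in a freshly pulled image have reached the deb11u5 build the last comment names, comparing versions with dpkg's own ordering rules so a genuinely unpatched base can be told apart from scanner lag. The docker/dpkg-query invocation in the comments is an assumption and the sample output is constructed.

```python
import re
from itertools import zip_longest

def _order(c):  # dpkg char weight: '~' < end-of-string/digit < letters < other symbols
    if c == "~" or c == "" or c.isdigit():
        return -1 if c == "~" else 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _fragment_cmp(a, b):
    """Compare one version fragment (upstream or revision) like dpkg's verrevcmp()."""
    runs = lambda s: re.findall(r"(\D*)(\d*)", s)  # alternating non-digit / digit runs
    for (na, da), (nb, db) in zip_longest(runs(a), runs(b), fillvalue=("", "")):
        for ca, cb in zip_longest(na, nb, fillvalue=""):
            if _order(ca) != _order(cb):
                return _order(ca) - _order(cb)
        if int(da or 0) != int(db or 0):
            return int(da or 0) - int(db or 0)
    return 0

def compare_versions(v1, v2):
    """Return -1, 0 or 1 like `dpkg --compare-versions`: epoch, then upstream, then revision."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, revision = rest.rpartition("-")
        return int(epoch), (upstream if sep else rest), (revision if sep else "")
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    for c in (e1 - e2, _fragment_cmp(u1, u2), _fragment_cmp(r1, r2)):
        if c:
            return 1 if c > 0 else -1
    return 0

def unpatched_packages(dpkg_output, fixed_version):
    """Map package -> installed version for each package still older than fixed_version."""
    unpatched = {}
    for line in dpkg_output.splitlines():
        if line.strip():
            name, version = line.split()
            name = name.split(":", 1)[0]  # drop the arch qualifier, e.g. libssl1.1:amd64
            if compare_versions(version, fixed_version) < 0:
                unpatched[name] = version
    return unpatched

# Constructed sample, shaped like the output of this (assumed) invocation:
#   docker run --rm mcr.microsoft.com/dotnet/aspnet:6.0 \
#     dpkg-query -W -f '${Package}:${Architecture} ${Version}\n' openssl libssl1.1
SAMPLE_DPKG_OUTPUT = "openssl:amd64 1.1.1n-0+deb11u4\nlibssl1.1:amd64 1.1.1n-0+deb11u4\n"
FIXED_VERSION = "1.1.1n-0+deb11u5"  # the deb11u5 build the last comment identifies as the fix

if __name__ == "__main__":
    print(unpatched_packages(SAMPLE_DPKG_OUTPUT, FIXED_VERSION))
```

An empty result means the image already carries the fixed package and the scanner finding is stale; a non-empty one means the base image really has not picked up the update yet.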
