Description
Describe the bug
According to the 8.0.7 release notes, CVE-2024-38095 is remediated in this release. However, when building an Ubuntu 22.04 container with the latest 8.0.7 release and pushing it to Azure Container Registry, Defender for Containers still sees CVE-2024-38095 as a vulnerability.
```json
{
  "assessedResourceType": "AzureContainerRegistryVulnerability",
  "cveDescriptionAdditionalInformation": "Microsoft has released a security advisory (CVE-2024-38095) providing detailed information about this vulnerability, including affected software versions, mitigation factors, and affected packages. Developers are encouraged to review the advisory for guidance on updating their applications and removing the vulnerability. Microsoft also offers a bounty program for reporting potential security issues in .NET 8.0 and .NET 6.0. [Generated by AI]",
  "vulnerabilityDetails": {
    "severity": "High",
    "exploitabilityAssessment": { "exploitStepsPublished": false, "exploitStepsVerified": false, "isInExploitKit": false, "exploitUris": [], "types": [ "Remote" ] },
    "lastModifiedDate": "2024-07-11T00:00:00Z",
    "publishedDate": "2024-07-08T16:00:00Z",
    "workarounds": [],
    "references": [
      { "title": "CVE-2024-38095", "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38095" },
      { "title": "295754", "link": "https://exchange.xforce.ibmcloud.com/vulnerabilities/295754" },
      { "title": "July 2024 Security Updates", "link": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-38095" },
      { "title": "CVE-2024-38095_oval:com.oracle.elsa:def:20244438", "link": "https://linux.oracle.com/security/oval/com.oracle.elsa-all.xml.bz2" },
      { "title": "CVE-2024-38095_oval:com.redhat.rhsa:def:20244439", "link": "https://access.redhat.com/security/data/oval/v2/RHEL9/rhel-9-including-unpatched.oval.xml.bz2" },
      { "title": "CVE-2024-38095_oval:com.ubuntu.jammy:def:68891000000", "link": "https://security-metadata.canonical.com/oval/com.ubuntu.jammy.usn.oval.xml.bz2" },
      { "title": "Microsoft Security Advisory CVE-2024-38095 | .NET Denial of Service Vulnerability", "link": "https://github.com/advisories/GHSA-447r-wph3-92pm" }
    ],
    "weaknesses": { "cwe": [ { "id": "CWE-20" }, { "id": "CWE-404" } ] },
    "cveId": "CVE-2024-38095",
    "cvss": { "2.0": null, "3.0": { "cvssVectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C", "base": 7.5 } },
    "cpe": { "language": "*", "version": "*", "softwareEdition": "*", "targetHardware": "*", "vendor": "system.formats.asn1", "targetSoftware": "dotnet", "product": "system.formats.asn1", "edition": "*", "update": "*", "other": "*", "part": "Applications", "uri": "cpe:2.3:a:system.formats.asn1:system.formats.asn1:*:*:*:*:*:dotnet:*:*" }
  },
  "softwareDetails": {
    "category": "Language",
    "language": "dotnet",
    "version": "5.0.0.0",
    "vendor": "system.formats.asn1",
    "fixedVersion": "6.0.1",
    "packageName": "system.formats.asn1",
    "fixStatus": "FixAvailable",
    "osDetails": { "osPlatform": "linux", "osVersion": "ubuntu_linux_22.04" },
    "evidence": []
  },
  "artifactDetails": {
    "lastPushedToRegistryUTC": "2024-07-25T00:00:00Z",
    "repositoryName": "vanilla2",
    "artifactType": "ContainerImage",
    "registryHost": "joscot.azurecr.us",
    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
    "digest": "sha256:d08b531f36b18a352e2d9062d81b88ed1d37d2a5872a17cf669a5fc8d1bf0690",
    "tags": [ "latest" ]
  },
  "cvssV30Score": 7.5
}
```
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-38095
To Reproduce
Push a Dockerfile to Azure Container Registry with the following steps:

```dockerfile
FROM ubuntu:22.04
RUN apt-get update && apt-get install -y dotnet-sdk-8.0
```
Let Defender for Containers scan the image and observe findings.
Exceptions (if any)
Further technical details
- Include the output of `dotnet --info`
- The IDE (VS / VS Code / VS4Mac) you're running on, and its version
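A triage helper for findings like the one pasted above, added here as an example and not code from the issue or from the dotnet/core project: it reads the scanner's `softwareDetails` (the assessment format shown in the report) and compares the flagged package against the versions an image's own `.deps.json` inventory lists, so a reviewer can tell whether the scanner's claim lines up with what was actually shipped. The finding and the `.deps.json` fragments below are constructed samples, and the `System.Formats.Asn1/8.0.1` entry is a sample value, not a statement about what any SDK build contains.

```python
import json

# Constructed sample mirroring the fields Defender reported in the issue.
SAMPLE_FINDING = json.loads("""{
  "softwareDetails": {"packageName": "system.formats.asn1",
                      "version": "5.0.0.0", "fixedVersion": "6.0.1"}
}""")

# Constructed .deps.json fragment; 'libraries' keys are 'Name/Version'.
SAMPLE_DEPS = json.loads("""{
  "libraries": {"System.Formats.Asn1/8.0.1": {"type": "package"}}
}""")


def parse_version(text):
    """Turn '5.0.0.0' or '6.0.1' into a comparable 4-tuple (missing parts = 0)."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def flagged_package(assessment):
    """Pull (packageName, version, fixedVersion) out of the scanner finding."""
    sd = assessment["softwareDetails"]
    return sd["packageName"].lower(), sd["version"], sd.get("fixedVersion")


def installed_versions(deps_json, package):
    """Versions of `package` that the image's .deps.json 'libraries' map lists."""
    found = []
    for key in deps_json.get("libraries", {}):
        name, _, version = key.partition("/")
        if name.lower() == package and version:
            found.append(version)
    return found


def triage(assessment, deps_json):
    """Classify a finding against the inventory.

    'unverified': the inventory never lists the package the scanner named.
    'actionable': some listed version is below the scanner's fixedVersion.
    'inventory-at-or-above-fix': every listed version meets fixedVersion, so
    the finding should be compared against the advisory's per-branch fixed
    versions rather than accepted from the scanner's metadata alone.
    """
    pkg, _scanned_version, fixed = flagged_package(assessment)
    actual = installed_versions(deps_json, pkg)
    if not actual:
        return "unverified"
    if fixed and all(parse_version(v) >= parse_version(fixed) for v in actual):
        return "inventory-at-or-above-fix"
    return "actionable"
```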