Latest image 'mcr.microsoft.com/dotnet/aspnet:8.0' still has the HIGH vulnerability CVE-2023-50387

[klingu]

Hi...,

I build an application based on the image 'mcr.microsoft.com/dotnet/aspnet:8.0'. When I shipped it to the company who hosts this container, they scanned the image with a 'High' vulnerability.

In the image of Microsoft 'mcr.microsoft.com/dotnet/aspnet:8.0' is a high vulnerability. The image is based on a Debian Bookworm distribution. The vulnerability is in the 'systemd', version: 252.22-1~deb12u1 There is a fix of this package in version: 255.4-1

Is there a fix coming soon? Or is there a way how I can fix this myself?
If so, how do I start the 'mcr.microsoft.com/dotnet/aspnet:8.0' image and install the newer systemd package.

What I've tried and did not help or solved the vulnerability:

• in the docker file: RUN apt-get update -yy && apt-get upgrade -yy
• in the docker file: apt-get install systemd=255.4-1+b1 (because this version is not in the package list)
• wget is not available in the docker file and not in the running container.
• curl is not available in the docker file and not in the running container.

Thanks in advance for you help.

Jeffrey

[mthalman]

.NET relies on the Linux distro maintainers to update their packages. The fixed package version is not yet available for Bookworm, as indicated in CVE-2023-50387:

We can make no recommendation of other solutions. As I mentioned, we rely on the distro maintainers here as they have a process to ensure correctness and compatibility when integrating new package versions into each distro version.

You may want to explore other distros we provide like Alpine or our Ubuntu Chiseled images which have a lower attack surface due to their smaller set of packages installed.

[klingu]

With the Alpine image (mcr.microsoft.com/dotnet/aspnet:8.0-alpine3.18-amd64 AS base) I run into an other issue: I can not create a Non-Root-user like:

ARG USERNAME=me-myself-and-I
ARG USER_UID=xxxx
ARG USER_GID=xxxx

RUN groupadd --gid $USER_GID $USERNAME \
    && useradd --uid $USER_UID --gid $USER_GID -M $USERNAME

So I ended up with the Ubuntu image: mcr.microsoft.com/dotnet/aspnet:8.0-jammy-amd64 AS base

This solved my issue.

Thanks for the pointing out!

[richlander]

You know that all .NET 8 images contain a non-root user?

https://devblogs.microsoft.com/dotnet/securing-containers-with-rootless/

FYI: The UID has changed (to 1654) since that post. I need to update the post.

[richlander]

You can install curl or wget if you need those tools. However, the package you referenced is from sid. Installing it on bookworm is not supported and has undefined behavior.

[klingu]

The Debian download site says: Download Page for systemd-resolved_255.4-1+b1_amd64.deb on AMD64 machines

But this is probably a kind of misleading ;-)

Thanks for your quick reply!

[richlander]

Respectfully, It's not misleading. You are on a sid page, which is indicated in multiple places (in the URL and the page).