
Can someone please advise on how to fix the vulnerabilities found by Klar (using the Clair scanner) in my Azure ACR image? I'm still new to working with containers.

Here is a sample of the result from Klar:

```
Found in: apparmor [2.10.95-0ubuntu2.11]
Fixed By: 
In all versions of AppArmor mount rules are accidentally widened when compiled.
http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-1585
-----------------------------------------
CVE-2020-3810: [Medium] 
Found in: apt [1.2.32]
Fixed By: 1.2.32ubuntu0.1
Missing input validation in the ar/tar implementations of APT before version 2.1.2 could result in denial of service when processing specially crafted deb files.
http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-3810
-----------------------------------------
CVE-2018-11237: [Medium] 
Found in: glibc [2.23-0ubuntu11]
Fixed By: 2.23-0ubuntu11.2
An AVX-512-optimized implementation of the mempcpy function in the GNU C Library (aka glibc or libc6) 2.27 and earlier may write data beyond the target buffer, leading to a buffer overflow in __mempcpy_avx512_no_vzeroupper.
http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-11237
-----------------------------------------
CVE-2018-6485: [Medium] 
Found in: glibc [2.23-0ubuntu11]
Fixed By: 2.23-0ubuntu11.2
An integer overflow in the implementation of the posix_memalign in memalign functions in the GNU C Library (aka glibc or libc6) 2.26 and earlier could cause these functions to return a pointer to a heap area that is too small, potentially leading to heap corruption.
http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-6485
-----------------------------------------
CVE-2017-18269: [Medium] 
Found in: glibc [2.23-0ubuntu11]
Fixed By: 2.23-0ubuntu11.2
An SSE2-optimized memmove implementation for i386 in sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S in the GNU C Library (aka glibc or libc6) 2.21 through 2.27 does not correctly perform the overlapping memory check if the source memory range spans the middle of the address space, resulting in corrupt data being produced by the copy operation. This may disclose information to context-dependent attackers, or result in a denial of service, or, possibly, code execution.
http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-18269
-----------------------------------------
CVE-2020-1751: [Medium] 
Found in: glibc [2.23-0ubuntu11]
Fixed By: 2.23-0ubuntu11.2
An out-of-bounds write vulnerability was found in glibc before 2.31 when handling signal trampolines on PowerPC. Specifically, the backtrace function did not properly check the array bounds when storing the frame address, resulting in a denial of service or potential code execution. The highest threat from this vulnerability is to system availability.
http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-1751
-----------------------------------------
```
Jay chuks
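One thing the report above already tells you is which findings a rebuild can clear: every record with a non-empty "Fixed By" version has a patched package in the distro's repositories, while an empty "Fixed By" (the apparmor record) means no fix is shipped yet and the finding stays whatever you rebuild on. The script below is an added example written for this page, not the asker's code and not part of Klar or Clair; it parses Klar's text format as shown in the question and splits the findings into those two groups. The sample report is constructed from three of the question's records, with one CVE header line supplied because the question's paste starts mid-record (its severity there is a placeholder).

```shell
#!/bin/sh
# Triage a Klar text report: separate findings the distro has already fixed
# (cleared by rebuilding on a current base) from findings with no fix yet.
# Added example for this page; not the asker's code, not part of Klar/Clair.

# Constructed sample: three records taken from the question's report. The first
# header line is constructed (the question's paste starts mid-record), so its
# severity "Unknown" is a placeholder, not the real rating.
KLAR_SAMPLE='CVE-2016-1585: [Unknown]
Found in: apparmor [2.10.95-0ubuntu2.11]
Fixed By:
In all versions of AppArmor mount rules are accidentally widened when compiled.
http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-1585
-----------------------------------------
CVE-2020-3810: [Medium]
Found in: apt [1.2.32]
Fixed By: 1.2.32ubuntu0.1
Missing input validation in the ar/tar implementations of APT before version 2.1.2 could result in denial of service when processing specially crafted deb files.
http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-3810
-----------------------------------------
CVE-2018-11237: [Medium]
Found in: glibc [2.23-0ubuntu11]
Fixed By: 2.23-0ubuntu11.2
An AVX-512-optimized implementation of the mempcpy function in the GNU C Library (aka glibc or libc6) 2.27 and earlier may write data beyond the target buffer.
http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-11237
-----------------------------------------'

# Convert a Klar text report on stdin into one tab-separated line per finding:
#   CVE <tab> severity <tab> package <tab> installed_version <tab> fixed_version
# where fixed_version is "-" when the "Fixed By:" field is empty.
klar_to_tsv() {
    awk '
        /^CVE-[0-9]+-[0-9]+: \[/ {          # record header: "CVE-x-y: [Severity]"
            cve = $1; sub(/:$/, "", cve)
            sev = substr($2, 2, length($2) - 2)   # strip the surrounding [ ]
            pkg = ""; inst = ""; fixed = "-"
            next
        }
        /^Found in: / {                      # "Found in: pkg [installed-version]"
            pkg = $3
            inst = substr($4, 2, length($4) - 2)
            next
        }
        /^Fixed By:/ {                       # empty value => no distro fix yet
            if (NF >= 3) fixed = $3
            next
        }
        /^-+$/ {                             # record separator: flush the finding
            if (cve != "") printf "%s\t%s\t%s\t%s\t%s\n", cve, sev, pkg, inst, fixed
            cve = ""
            next
        }
    '
}

# Findings the distro already ships a fix for: a rebuild on a current base
# (or apt-get upgrade during the build) resolves these.
fixable_findings() { klar_to_tsv | awk -F'\t' '$5 != "-"'; }

# Findings with no fixed version: rebuilding does not clear them, so they need
# to be tracked (risk acceptance, or waiting for the distro update).
unfixed_findings() { klar_to_tsv | awk -F'\t' '$5 == "-"'; }

# Unique "package fixed_version" pairs: the versions the rebuilt image must reach.
packages_to_upgrade() { fixable_findings | awk -F'\t' '{ print $3, $5 }' | sort -u; }

# Stand-alone demo on the constructed sample.
printf '%s\n' "$KLAR_SAMPLE" | packages_to_upgrade
```

On a real image the same functions read Klar's stdout, e.g. `klar myregistry.azurecr.io/myimage:tag | unfixed_findings` lists the findings that will survive a rebuild, and `packages_to_upgrade` gives the version floor to check with `dpkg -l` in the rebuilt image.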

1 Answer


To fix vulnerability errors in container images you normally just need to recompile your image by updating the FROM statement with a more recent version of the base image you are using.

e.g. https://hub.docker.com/_/ubuntu?tab=tags

As you can see, this image is getting updated quite often.

If you are using a specific tag (or latest) you might need to delete the image from your local build machine (e.g. docker rmi) to force your docker daemon to re-pull the image on the next docker build command.

djsly
  • Thanks @djsly, but is there a command I can use to do this update without using the FROM statement in the Dockerfile? I am asking because the ACR and image were created automatically when deploying my ML model using Azure ML workspace and Azure ACI, hence I don't have the Dockerfile. Regards – Jay chuks Jul 27 '20 at 01:41
  • Azure Machine Learning provides a default Docker base image so you don't have to worry about creating one. You can also use Azure Machine Learning environments to select a specific base image, or use a custom one that you provide. A base image is used as the starting point when an image is created for a deployment. It provides the underlying operating system and components. The deployment process then adds additional components, such as your model, conda environment, and other assets, to the image before deploying it. – djsly Jul 27 '20 at 04:54
  • https://learn.microsoft.com/en-us/azure/machine-learning/how-to-deploy-custom-docker-image – djsly Jul 27 '20 at 04:55
  • Additionally, the service automatically uses one of the Ubuntu Linux-based base images. It installs the specified Python packages. The base image has CPU versions and GPU versions. Azure Machine Learning automatically detects which version to use. It is also possible to use a custom Docker base image. https://learn.microsoft.com/en-us/azure/machine-learning/how-to-use-environments#enable-docker – djsly Jul 27 '20 at 05:00
  • You can include full specifications of an Azure Machine Learning environment in the inference configuration file. If this environment doesn't exist in your workspace, Azure Machine Learning will create it. Otherwise, Azure Machine Learning will update the environment if necessary. The following JSON is an example: "environment": { "docker": { "arguments": [], "baseDockerfile": null, "baseImage": "mcr.microsoft.com/azureml/base:intelmpi2018.3-ubuntu16.04", "enabled": false, }, – djsly Jul 27 '20 at 05:03
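The answer's procedure (newer base in FROM, then a rebuild that does not reuse the stale local copy) and the comments' point about the Azure ML environment's baseImage both come down to the same two checks: the base reference must be pinned so the scan result describes what was actually built, and the build must pull the current base and apply the distro's pending updates. The script below is an added example written for this page; it is not djsly's code and not part of Docker, Klar or Azure ML. It assumes docker and klar are on PATH, that Clair is reachable at $CLAIR_ADDR, and the image and registry names are placeholders. For the Azure ML deployment, the same pinning check applies to the baseImage value in the environment JSON quoted above, since that is where the base is chosen when there is no Dockerfile to edit.

```shell
#!/bin/sh
# Rebuild on a current, pinned base and rescan with Klar. Added example for
# this page; not djsly's code and not part of Docker, Klar or Azure ML.
# Assumptions: docker and klar on PATH, Clair at $CLAIR_ADDR, placeholder names.

# Return 0 if the reference carries an explicit non-latest tag or a digest.
# An untagged or :latest base changes between builds, so a scan result
# cannot be tied to what was built. The registry host:port is stripped first
# so "localhost:5000/ubuntu" is not mistaken for a tagged reference.
base_is_pinned() {
    ref="${1##*/}"
    case "$ref" in
        *@sha256:*) return 0 ;;   # digest-pinned
        *:latest)   return 1 ;;   # mutable by convention
        *:*)        return 0 ;;   # explicit tag
        *)          return 1 ;;   # no tag at all, i.e. implicit latest
    esac
}

# Emit a Dockerfile that starts from the given base and applies the distro's
# pending updates during the build. That is what moves apt 1.2.32 to
# 1.2.32ubuntu0.1 and glibc 2.23-0ubuntu11 to 2.23-0ubuntu11.2 in the
# question's report; records with an empty "Fixed By" stay until the distro
# ships a fix, whatever base is used.
render_dockerfile() {
    sed "s|@BASE@|$1|" <<'EOF'
FROM @BASE@
RUN apt-get update \
 && apt-get upgrade -y \
 && rm -rf /var/lib/apt/lists/*
EOF
}

# docker build --pull makes the daemon fetch the newest image for the tag
# instead of reusing a stale local copy, so the "docker rmi" step from the
# answer is not needed. --no-cache prevents a cached RUN layer from keeping
# the old package set.
rebuild_and_rescan() {
    base="$1"; image="$2"
    base_is_pinned "$base" || { echo "refusing mutable base reference: $base" >&2; return 2; }
    workdir=$(mktemp -d)
    render_dockerfile "$base" > "$workdir/Dockerfile"
    docker build --pull --no-cache -t "$image" "$workdir"
    docker push "$image"
    # Klar takes the Clair endpoint from CLAIR_ADDR and prints the report to stdout.
    CLAIR_ADDR="${CLAIR_ADDR:-http://localhost:6060}" klar "$image"
    rm -rf "$workdir"
}

# Stand-alone demo: show the Dockerfile that would be built for a pinned base.
# A full run (placeholder names) would be:
#   rebuild_and_rescan ubuntu:20.04 myregistry.azurecr.io/mymodel:2
render_dockerfile ubuntu:20.04
```

Rescanning immediately after the rebuild is the point of the last step: the findings that disappear are the ones whose "Fixed By" version the upgraded packages now meet, and anything still listed is either unfixed upstream or introduced by layers added on top of the base.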