
CVE-2022-37454 detected in Azure CLI version 2.44 #25246

Closed
Divya1388 opened this issue Jan 26, 2023 · 10 comments · Fixed by #25438
Labels: Auto-Assign, Azure CLI Team, customer-reported, CXP Attention, feature-request, Installation

Comments

@Divya1388

Describe the bug
Our company is reporting a critical vulnerability with the Azure CLI software. And this is arising out of the file Program Files (x86)\Microsoft SDKs\Azure\CLI2\python310.dll. The CVE associated is: CVE-2022-34716
So is there any effort at your end to remediate this? If yes, then do we have an ETA?

Environment summary

Install Method: choco
OS Version: Windows Server 2019

@ghost ghost added customer-reported Issues that are reported by GitHub users external to the Azure organization. Auto-Assign Auto assign by bot Installation labels Jan 26, 2023
@ghost ghost assigned jiasli Jan 26, 2023
@ghost ghost added this to the Backlog milestone Jan 26, 2023
@wangzelin007
Member

@jiasli for awareness

@yonzhan yonzhan added Azure CLI Team The command of the issue is owned by Azure CLI team question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Jan 28, 2023
@Divya1388
Author

Hi, any update on this?

@jiasli
Member

jiasli commented Feb 6, 2023

The CVE you shared (GHSA-2m65-m22p-9wjw) is regarding .NET. I fail to see the relationship with python310.dll which is shipped by the Python Windows embeddable package (32-bit): https://www.python.org/ftp/python/3.10.8/python-3.10.8-embed-win32.zip

@yonzhan yonzhan added the CXP Attention This issue is handled by CXP team. label Feb 6, 2023
@ghost

ghost commented Feb 6, 2023

Thank you for your feedback. This has been routed to the support team for assistance.

@jiasli jiasli mentioned this issue Feb 6, 2023
@Divya1388
Author

Divya1388 commented Feb 6, 2023

@jiasli Sorry for the wrong CVE
But the one relating to python interpreter is CVE-2022-37454
python/cpython#98517

@Divya1388 Divya1388 changed the title CVE-2022-34716 detected in Azure CLI version 2.44 CVE-2022-37454 detected in Azure CLI version 2.44 Feb 6, 2023
@Divya1388
Author

Hi @jiasli, did you get a chance to review CVE-2022-37454?

@jiasli
Member

jiasli commented Feb 13, 2023

Python 3.10.9 fixes CVE-2022-37454:

https://docs.python.org/release/3.10.10/whatsnew/changelog.html#python-3-10-9-final

gh-98517: Port XKCP’s fix for the buffer overflows in SHA-3 (CVE-2022-37454).

We will bump the embedded Python to the latest version.
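
The practical question behind this thread is "is the CPython that Azure CLI bundles at or past the release that carries the XKCP fix?". The script below is an added example for this issue, not Azure CLI or CPython code. It compares a CPython version against the first fixed release of its branch (3.10.9 is the release named in the thread; the fixed releases for the other branches are taken from the upstream gh-98517 backports and are an assumption, not something this page states), reports which SHA-3 backend hashlib actually selected (the vulnerable XKCP code is CPython's own `_sha3` module, which on Windows is compiled into `python310.dll`, so a file scanner attributes the finding to the DLL; builds whose OpenSSL provides SHA-3 route `hashlib.sha3_256` through `_hashlib` instead, which narrows the reachable surface without removing `_sha3`), and optionally asks the bundled `python.exe` at the path from the original report for its version. The path constant and the `check_bundled_python` helper are illustrative and assume the 32-bit Windows layout shown in the report.

```python
"""Version-based check for CVE-2022-37454 (XKCP SHA-3 buffer overflow,
CPython gh-98517) in a bundled CPython such as the one Azure CLI embeds.

Added example for this issue thread; it is not Azure CLI or CPython code.
"""
import hashlib
import os
import subprocess
import sys
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# First patch release on each branch that carries the XKCP fix.
# 3.10.9 is the release cited in the thread above; the other four are the
# gh-98517 backport releases as listed upstream (assumption, not stated on
# this page).  Branches newer than 3.11 were cut after the fix landed.
FIXED_IN: Dict[Tuple[int, int], Version] = {
    (3, 7): (3, 7, 16),
    (3, 8): (3, 8, 16),
    (3, 9): (3, 9, 16),
    (3, 10): (3, 10, 9),
    (3, 11): (3, 11, 1),
}

# Path taken from the original report (32-bit Azure CLI layout on Windows);
# illustrative assumption, adjust for your install.
AZURE_CLI_PYTHON = r"C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe"


def parse_version(text: str) -> Version:
    """Turn '3.10.8' or 'Python 3.10.8' (python --version output) into (3, 10, 8)."""
    text = text.strip()
    if text.lower().startswith("python "):
        text = text[len("python "):]
    parts = text.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected CPython version string: {text!r}")
    major, minor, micro = (int(p) for p in parts)
    return (major, minor, micro)


def is_fixed(version: Version) -> bool:
    """True if this CPython release includes the gh-98517 SHA-3 fix."""
    branch = version[:2]
    if branch in FIXED_IN:
        return version >= FIXED_IN[branch]
    # Newer branches shipped with the fix from their first release; older
    # branches were end-of-life and never received it.
    return branch > max(FIXED_IN)


def sha3_backend() -> str:
    """Name the module hashlib picked for SHA-3.

    '_sha3' means the bundled XKCP code is the live implementation;
    '_hashlib' means OpenSSL's SHA-3 is used instead (the vulnerable _sha3
    module is still present and importable, just not selected).
    """
    ctor = getattr(hashlib, "sha3_256", None)
    if ctor is None:
        return "unavailable"
    return getattr(ctor, "__module__", "unknown") or "unknown"


def check_interpreter() -> Dict[str, object]:
    """Assess the interpreter this script is running under."""
    version: Version = (sys.version_info.major, sys.version_info.minor, sys.version_info.micro)
    return {"version": version, "fixed": is_fixed(version), "sha3_backend": sha3_backend()}


def check_bundled_python(exe: str = AZURE_CLI_PYTHON) -> Optional[Dict[str, object]]:
    """Ask a bundled python.exe for its version; None when the path is absent.

    Older CPython prints --version to stderr, newer to stdout, so read both.
    """
    if not os.path.exists(exe):
        return None
    out = subprocess.run([exe, "--version"], capture_output=True, text=True, check=True)
    version = parse_version(out.stdout or out.stderr)
    return {"path": exe, "version": version, "fixed": is_fixed(version)}


if __name__ == "__main__":
    print("running interpreter:", check_interpreter())
    print("Azure CLI bundled python:", check_bundled_python())
```

Run it with the bundled interpreter itself (`"...\CLI2\python.exe" check_cve_2022_37454.py`) to get both answers from the same binary; a result of `fixed: False` with `sha3_backend: '_sha3'` is the case where the XKCP code is both present and selected.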

@jiasli jiasli removed their assignment Feb 13, 2023
@yonzhan yonzhan added feature-request and removed question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Feb 13, 2023
@Divya1388
Author

Thanks much @jiasli

Do we have an ETA?

@yonzhan
Collaborator

yonzhan commented Feb 13, 2023

@bebound is working on this

@jiasli jiasli modified the milestones: Backlog, Feb 2023 (2023-03-07) Feb 14, 2023
@jiasli
Member

jiasli commented Feb 14, 2023

Do we have an ETA?

The ETA is https://github.com/Azure/azure-cli/milestone/127:

Release: 03/07/2023
Azure CLI version: 2.46.0
