Critical Vulnerabilities in Python 3.12 stdlib on Azure Functions Docker Image

Pekka Hagström 0 Reputation points
2024-10-20T18:30:02.64+00:00

I am currently building and deploying an Azure Function using Python 3.12 in a Docker container. Upon running security scans (e.g., with pip-audit and safety), I encountered multiple critical/high vulnerabilities associated with stdlib version 1.20.14, including:

  • CVE-2024-24790
  • CVE-2024-34158
  • CVE-2024-34156
  • CVE-2024-24791
  • CVE-2024-24784
  • CVE-2023-45288
  • CVE-2022-30635

Given that Python 3.12 is the latest version supported by Azure Functions (as per the official Azure Functions Python Docker image documentation), and that no immediate updates or patches are available for these vulnerabilities, this raises a significant concern about deploying Azure Functions in production environments.

My questions are:

  1. What is Microsoft’s process for addressing critical vulnerabilities in core components like Python stdlib in the official Azure Functions Docker images?
  2. Are there any planned updates or patches to mitigate these vulnerabilities in Python 3.12 stdlib for Azure Functions?
  3. What recommendations does Microsoft provide for securing Azure Functions when critical vulnerabilities in the base runtime, like stdlib, remain unpatched?
  4. Is there an expected timeline for releasing an updated image that addresses these vulnerabilities, or is there an alternative approach to hardening the current image?

Ensuring that production environments remain secure is a high priority, and understanding how Microsoft handles vulnerabilities in base images like this will help guide future deployment strategies.

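The component that container scanners such as Trivy report as "stdlib 1.20.14" is the Go standard library compiled into Go-built binaries, and the CVE ids listed above are Go stdlib advisories, so the first triage step is to find which executables inside the image were built with that Go toolchain. The following is an added example, not part of the question or the answer and not Microsoft tooling, that locates the toolchain version string every Go binary embeds; the fixed-in version passed to older_than is whatever the scanner's advisory names, not a value taken from this page.

```python
import re
from pathlib import Path
from typing import Dict, List, Tuple

# Go records its toolchain version (runtime.buildVersion) inside every binary
# it builds, e.g. b"go1.20.14". Image scanners report that version as the
# component "stdlib", so this string is what ties a finding to a concrete file.
GO_VERSION_RE = re.compile(rb"go1\.\d{1,2}(?:\.\d{1,2})?\b")
ELF_MAGIC = b"\x7fELF"  # only attribute findings to native ELF executables


def go_versions_in_file(path: Path) -> List[str]:
    """Distinct Go version strings embedded in one ELF file (empty if not ELF)."""
    try:
        data = path.read_bytes()
    except OSError:
        return []
    if not data.startswith(ELF_MAGIC):
        return []  # text files mentioning a Go version are not findings
    found: List[str] = []
    for m in GO_VERSION_RE.finditer(data):
        v = m.group().decode("ascii")
        if v not in found:
            found.append(v)
    return found


def scan_tree(root: Path) -> Dict[str, List[str]]:
    """Map each ELF file under root that carries a Go version to its versions."""
    report: Dict[str, List[str]] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            versions = go_versions_in_file(p)
            if versions:
                report[str(p.relative_to(root))] = versions
    return report


def parse_go_version(v: str) -> Tuple[int, ...]:
    """'go1.20.14' -> (1, 20, 14); 'go1.21' -> (1, 21, 0)."""
    parts = [int(x) for x in v[2:].split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def older_than(found: str, fixed_in: str) -> bool:
    """True if the binary's toolchain predates the version an advisory names as fixed."""
    return parse_go_version(found) < parse_go_version(fixed_in)


if __name__ == "__main__":
    import sys  # run inside the container: python3 find_go_binaries.py /
    for f, vs in scan_tree(Path(sys.argv[1] if len(sys.argv) > 1 else "/")).items():
        print(f"{f}: {', '.join(vs)}")
```

Run it against the unpacked image filesystem; each reported path is a Go-built binary whose vendor image update (not a Python package upgrade) is what removes the finding.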

1 answer

Pinaki Ghatak 5,600 Reputation points Microsoft Employee Volunteer Moderator
2024-10-21T09:42:02.99+00:00

    Hello @Pekka Hagström,

    Microsoft takes security very seriously and has a process in place to address vulnerabilities in core components like Python stdlib in the official Azure Functions Docker images.

    However, I cannot give a confident answer based on the provided documents regarding the specific vulnerabilities you mentioned and whether there are any planned updates or patches to mitigate them in Python 3.12 stdlib for Azure Functions.

    In general, Microsoft regularly releases updates and patches to address security vulnerabilities in its products, including Azure Functions. When a vulnerability is identified, Microsoft assesses the risk and severity of the vulnerability and determines the appropriate course of action, which may include releasing a patch or update.

    To secure Azure Functions when critical vulnerabilities in the base runtime, like stdlib, remain unpatched, Microsoft recommends following security best practices, such as limiting network access, using secure coding practices, and regularly monitoring and updating dependencies.

    Regarding an expected timeline for releasing an updated image that addresses these vulnerabilities or an alternative approach to hardening the current image, I suggest reaching out to Microsoft support for more information.

    They can provide you with the most up-to-date information on this matter.

    I hope this information helps.

