How to fix vulnerability on Azure containe registry

Question

How to fix vulnerability on Azure containe registry

Van Huy Tuyen 20

Dear team

We use Azure container apps which pull images from Azure container registry.

Microsoft defender for cloud detect some vulnerabilities, for example

ID = CVE-2024-56406
Package type = OS.
Status: Unhealthy
Vendor: Debian
Installed version: 5.36.0-7+deb12u1
Package name: perl
Fixed version: 5.36.0-7+deb12u2

But as I know, Azure container app is serverless, so we can not manage OS (debian) version.

Please guide me how to resolve vulnerabilities

Thanks!

Sanoop M 4,310 Reputation points Moderator

2025-05-28T06:11:16.24+00:00
Hello @Van Huy Tuyen,

I understand that Microsoft Defender for Cloud has detected some vulnerabilities in your tenant regarding Azure Container app OS versions.

Defender for Cloud offers customers the capability to remediate vulnerabilities in container images while they're still stored in the registry. Additionally, it conducts contextual analysis of the vulnerabilities in your environment, aiding in prioritizing remediation efforts based on the risk level associated with each vulnerability.

Please note that the recommendations details page opens with additional information. This information includes details about your registry image and the remediation steps.

If you have an organizational need to ignore a finding, rather than remediate it, you can optionally disable it. Disabled findings don't affect your secure score or generate unwanted noise.

When a finding matches the criteria you defined in your disable rules, it doesn't appear in the list of findings. Typical scenario examples include:

Disable findings with severity below medium

Disable findings for images that the vendor won't fix

Important:

To create a rule, you need permissions to edit a policy in Azure Policy. Learn more in Azure RBAC permissions in Azure Policy.

To create a rule

1.From the recommendations detail page for Container registry images should have vulnerability findings resolved powered by Microsoft Defender Vulnerability Management or Containers running in Azure should have vulnerability findings resolved, select Disable rule.

2.Select the relevant scope.

3.Define your criteria. You can use any of the following criteria:

CVE - Enter the CVEs of the findings you want to exclude. Ensure the CVEs are valid. Separate multiple CVEs with a semicolon. For example, CVE-2020-1347; CVE-2020-1346.

Image digest - Specify images for which vulnerabilities should be excluded based on the image digest. Separate multiple digests with a semicolon, for example: sha256:9b920e938111710c2768b31699aac9d1ae80ab6284454e8a9ff42e887fa1db31;sha256:ab0ab32f75988da9b146de7a3589c47e919393ae51bbf2d8a0d55dd92542451c

OS version - Specify images for which vulnerabilities should be excluded based on the image OS. Separate multiple versions with a semicolon, for example: ubuntu_linux_20.04;alpine_3.17

Minimum Severity - Select low, medium, high, or critical to exclude vulnerabilities less than and equal to the specified severity level.

Fix status - Select the option to exclude vulnerabilities based on their fix status.

4.In the justification text box, add your justification for why a specific vulnerability was disabled. This provides clarity and understanding for anyone reviewing the rule.

5.Select Apply rule.

Additionally to use the classic secure score approach, see View and remediate vulnerabilities for registry images (Secure Score).

I am attaching the reference documents below and please review it if you have any queries which will be helpful.

How-to view and remediate vulnerability assessment findings for registry images - Microsoft Defender for Cloud | Microsoft Learn

Creating exemptions and disabling vulnerabilities - Microsoft Defender for Cloud | Microsoft Learn

I have initiated the Private Message and if you have any clarification or queries regarding the above information, please provide your update there.
Khadeer Ali 5,990 Reputation points Microsoft External Staff Moderator

2025-05-29T11:48:18.77+00:00

@Van Huy Tuyen ,

Just checking if you are still facing the vulnerabilities issue?

1 answer

Your answer

Khadeer Ali 5,990 Reputation points Microsoft External Staff Moderator

2025-05-29T11:48:18.77+00:00

@Van Huy Tuyen ,

Just checking if you are still facing the vulnerabilities issue?

Answer 1

Deepanshu katara 16,720 MVP Moderator

Hello , Welcome to MS Q&A

Yes right we do not manage servers but we are responsible for base images we are using in dockerfile.

Microsoft Defender for Cloud is scanning your container image layers, including base OS packages (like perl) that may come from a base image (e.g., debian, ubuntu, alpine, etc.). Defender flags these vulnerabilities based on known CVEs like CVE-2024-56406.

To resolve the vulnerability, you need to rebuild your container image with a base image that includes the patched version of the perl package and similarly for debian.

Best Practices

Use minimal base images: Consider alpine or distroless if your app allows.
Scan your image before pushing using tools like:
- Trivy
- Microsoft Defender for Cloud (automatically scans ACR)
Keep Dockerfiles up to date: Base image tags like debian:12 may not auto-update to 12.1, so you need to rebuild often.

Please let me know if any further ques

Kindly accept if it helps

Thanks

Deepanshu

Van Huy Tuyen 20 Reputation points

2025-05-28T06:10:29.4+00:00
Hi @Deepanshukatara-6769,

I use .NET v8 with image base:

FROM mcr.microsoft.com/dotnet/aspnet:8.0 AS base

How can I keep it up to date?
Deepanshu katara 16,720 Reputation points MVP Moderator

2025-05-28T06:21:57.3433333+00:00

To keep your .NET v8 base image up to date in Azure Container Registry, you can use Azure Container Registry Tasks to automate the process. Here's how you can do it:

Set Up ACR Tasks: You can configure Azure Container Registry (ACR) tasks to automatically track and update your base image. When a new version of the base image is available, ACR tasks can automatically rebuild your application images that depend on it.

Track Base Image Updates: ACR tasks can detect when a base image is updated in a public repository like Docker Hub or Microsoft Container Registry. It will then trigger a rebuild of your application images that use this base image.

Use Image Import: Consider importing the base image into your Azure Container Registry. This allows you to manage updates more effectively and ensures that your application images are built using the latest base image.

Schedule Tasks: You can also schedule tasks to run at specific intervals to check for updates and rebuild images as needed.

For more detailed guidance, you can refer to the Azure documentation on automating container image builds and maintenance.

Van Huy Tuyen 20

Hi Deepanshukatara-6769,

I still concern. On my cloud defender, it shows:

Weakness details

CWE-ID	CWE-122, CWE-787
CWE-ID	CWE-122, CWE-787

Other details

Package type	OS
Package type	OS
Vendor	debian
Package name	perl
Installed version	5.36.0-7+deb12u1
Fixed version	5.36.0-7+deb12u2
CVSS vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

Other references

https://nvd.nist.gov/vuln/detail/CVE-2024-56406

https://vulncheck.com/browse/cve/CVE-2024-56406

https://security.access.redhat.com/data/oval/v2/RHEL9/rhel-9-including-unpatched.oval.xml.bz2

https://security-metadata.canonical.com/oval/com.ubuntu.jammy.usn.oval.xml.bz2

https://www.debian.org/security/oval/oval-definitions-bookworm.xml.bz2

Remediation/patch details

Apply the latest patches and updates provided by the respective vendors. [Generated by AI]

As I understand, Microsoft have to update container apps environment to deb12u2 to fix this vulnerability, right?

Khadeer Ali 5,990 Reputation points Microsoft External Staff Moderator

2025-05-28T15:28:07.4+00:00

Van Huy Tuyen,

After updating and pushing your image, it may take up to 24 hours for Microsoft Defender for Cloud to re-scan and reflect the updated (remediated) status in the portal.

We understand this can be confusing, especially with the serverless nature of Azure Container Apps. But in this case, the responsibility is with the container image, not the Azure-managed hosting environment.

Share via

How to fix vulnerability on Azure containe registry

1 answer

Your answer