Hello @Siddartha Siddartha (ALLYIS INC)
Thank you for contacting us about the issue.
We found detailed internal guidance and work items related to fixing the Microsoft Azure Linux 3.0 Security Update for glibc (61877) vulnerability in container images, including the one you mentioned (mcr.microsoft.com/azurelinux/base/nodejs:20.14). Here’s how you can guide the customer:
Cause of the issue - The vulnerability (ID 61877) affects glibc in Azure Linux 3.0-based images. Microsoft has released updated packages and patched container images to address this issue. Exploitation could compromise integrity, availability, and confidentiality.
- Check if the user is using the vulnerable image: `docker inspect mcr.microsoft.com/azurelinux/base/nodejs:20.14 | grep glibc`
- Confirm glibc version. Vulnerable versions are older than 2.38 (Azure Linux 3.0 patched version). [ODN027 - A…Container | Word]
Pull Updated Image
- Microsoft has published patched images in MCR. Instruct the customer to pull the latest tag:
- If the tag hasn’t been updated yet, use the digest or latest secure tag from Azure Linux GitHub. [[S360] [TE…bc (61877) | ADO Work Item (DynamicsCRM)]
Redeploy Containers
- After pulling the updated image, redeploy workloads: `docker-compose down && docker-compose up -d`
- For AKS or container apps, update the deployment YAML to reference the new image digest and apply: `kubectl set image deployment/<name> <container>=mcr.microsoft.com/azurelinux/base/nodejs:20.14@<digest>`
- Run vulnerability scan (e.g., `trivy` or Microsoft Defender for Containers) to confirm glibc is patched.
- Ensure no CVE related to glibc remains.
Optional: Build Custom Image if the user uses a custom image based on this base image:
- Update Dockerfile:
```dockerfile
FROM mcr.microsoft.com/azurelinux/base/nodejs:20.14
RUN dnf update -y glibc && dnf clean all
```
- Rebuild and redeploy.
References -
- https://mcr.microsoft.com/en-us/artifact/mar/azurelinux/base/core/about
- Azure Linux 3.0 Security Advisories & Patch Links [[S360] [TE…bc (61877) | ADO Work Item (DynamicsCRM)]
- Internal ADO Work Item confirming remediation steps: Redeploy container image on shared AKS after pulling patched image. [[NodeRAG][…y service. | ADO Work Items (MSAzure)]
- https://github.com/microsoft/azurelinux/issues/7368
- https://github.com/microsoft/azurelinux#readme
Thanks,
Manish Deshpande.
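
The check, pull and digest-pinning steps above can be tied together in one script. This is an added example, not part of the original answer or any Microsoft tooling; it assumes the image ships the `rpm` binary and that the reference ends in `:tag`, and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: verify an image's glibc package and emit a digest-pinned reference.
# MIN_GLIBC is the threshold stated in the answer ("older than 2.38" is vulnerable).
MIN_GLIBC="2.38"

# Exit 0 when version $1 is strictly older than $2 (version-aware sort).
ver_lt() {
  [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# Classify a glibc version string against MIN_GLIBC.
glibc_status() {
  if [ -z "$1" ]; then echo "unknown"
  elif ver_lt "$1" "$MIN_GLIBC"; then echo "vulnerable"
  else echo "patched"; fi
}

# Turn a RepoDigests entry "repo@sha256:..." plus a tag into "repo:tag@sha256:...".
pinned_ref() {
  local repo_digest="$1" tag="$2"
  case "$repo_digest" in
    *@sha256:*) echo "${repo_digest%%@*}:${tag}@${repo_digest#*@}" ;;
    *) return 1 ;;   # no digest recorded, refuse to emit an unpinned reference
  esac
}

# Pull the image, read glibc's version from its rpm database, print a verdict
# and the reference to use in `kubectl set image`.
# Assumptions: rpm exists in the image; the reference ends in ":tag".
check_image() {
  local image="$1" tag version digest
  tag="${image##*:}"
  docker pull -q "$image" >/dev/null || return 2
  version="$(docker run --rm --entrypoint rpm "$image" -q --qf '%{VERSION}' glibc)" || version=""
  digest="$(docker image inspect --format '{{index .RepoDigests 0}}' "$image")"
  echo "glibc=${version:-?} status=$(glibc_status "$version")"
  pinned_ref "$digest" "$tag"
}

# Run only when an image reference is passed on the command line.
if [ "$#" -gt 0 ]; then check_image "$1"; fi
```

The comparison uses only the upstream version number, so a scanner run remains the authoritative confirmation that the patched package release is installed.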