This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(259.20000000000005, 68%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ET%3C/text%3E%3C/svg%3E)
Team,
In AKS 1.23.5 version upgrade, these vulnerabilities are coming(scanned by prisma cloud). Can anyone suggest the resolution. Is there any possible way to upgrade these 2 packages or only AKS support team can help in upgrading them.
Regards,
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(249.60000000000002, 98%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESP%3C/text%3E%3C/svg%3E)
Hello @Tanul ,
In general for all the images which gets pulled from mcr.microsoft.com repository and any pods which are under kube-system namespace - there is no action required from your end. AKS team will apply the fix for each of those vulnerabilities once the vendors release the official fix for their packages. AKS patches CVE's that have a vendor fix every week. The AKS Images will get automatically updated within 30 days.
One of the best recommended practice from your end is try to make sure to apply an updated node image on a regular cadence to ensure that the latest patched images & OS patches are all applied and update to date .
Try running: az aks update -g <> -n <> –node-image-only
Regards,
Shiva.
@shiva patpi , Thank you so so much for sharing. But recently on 18th June, we have updated the AKS to the latest version using azure portal. While updating we have selected the scope upgrade control plane + all node pools.
Do we still need to run this command. The problem is that my cybersecurity team is coming back to us on weekly basis asking the same. In addition, there are other packages as well having vulnerabilities:
Its getting very difficult to control this situation. Due to this, on immediate basis we have paused our releases and updated the node image and AKS both on 18th June to the most stable version.
After updating I thought I should get the correct node image version but still it is coming as null. That is why I have asked a separate question (https://learn.microsoft.com/en-us/answers/questions/896941/node-image-version-is-still-null-after-updating-th.html) again as I need to confirm whether my nodes are updated latest version or not after selecting the scope upgrade control plane + all node pools while updating the AKS.
Hence, after updating everything I don't know if everything is updated or not at node level. Do you think I should run this command which you have shared after recently updating?
Please try updating using that command, for the other issue Vikas might have replied to you. Probably, it might be due to the NodeImageVersion null.
@shiva patpi , Thank you so much. Sure will try running this command. Will check with Vikas as well.
Have a great weekend. Take care :)
@shiva patpi , is this az aks update or az aks upgrade.. I can't see nod-image only flag with az aks update
I tried running this command but it says kubernetes cluster might be unavailable. If I'm not wrong, this command will update the OS image(applying patches etc.) right? Still, it will impact the cluster's availability. Could you please suggest?
@shiva patpi , Tried running. But its not possible because we are not using virtual machine scale set. Now this is a huge problem. I need to update my nodes and azure cli only works on VMSS.. We have availability sets and I don't know any procedure to update them.
Hello @Tanul ,
At this point of time , it needs a deeper investigation
Please make sure to see the comment from Vikas in the below thread, if you don't have the ability to open a technical support ticket
https://learn.microsoft.com/en-us/answers/questions/896941/node-image-version-is-still-null-after-updating-th.html