Azure Linux and Azure Container Linux (ACL) share a dedicated Common Vulnerabilities and Exposures (CVE) pipeline, published advisories, and defined service level agreements (SLAs) so you can manage vulnerabilities across your fleet with confidence. This article explains how CVEs are identified, patched, and delivered to your systems depending on which Azure Linux or ACL deployment option you use.
Note
Azure Linux 4.0 is now in preview and is strictly limited to evaluation and testing purposes. It's not suitable for production use.
Update and verify CVE fixes
- Apply the latest security updates for your deployment option.
- Confirm updated package versions, changelogs, or node image versions.
CVE infrastructure and SLAs
Microsoft owns the full Azure Linux and Azure Container Linux (ACL) stack, from the Linux kernel through the CVE infrastructure, support, and end-to-end validation, so you don't need to track and patch vulnerabilities from a third-party distribution. The Azure Linux team identifies the CVEs that apply to the packages it ships, publishes fixes, and meets SLAs for production package fixes.
The Azure Linux team scans the packages it ships for security vulnerabilities twice a day against the National Vulnerability Database (NVD). When a vulnerability is confirmed, the Azure Linux team collaborates with the Microsoft Security Response Center (MSRC) to evaluate, patch, and contribute fixes back upstream.
CVE delivery by deployment option
CVE fixes are delivered differently depending on whether you run general-purpose Azure Linux, Azure Linux Container Host for AKS, or Azure Container Linux (ACL) for AKS. The following table summarizes how CVE fixes are propagated to each deployment option:
| Deployment option | CVE fix delivery mechanism |
|---|---|
| General-purpose Azure Linux (Virtual Machines (VM), Virtual Machine Scale Sets, custom images) | CVE fixes are delivered as package updates. Apply them with dnf update. |
| Azure Linux Container Host for AKS | CVE fixes are delivered as package updates bundled into monthly node image releases. High and critical CVEs might be released out-of-band as a package update before the next scheduled node image, so a fix can reach your nodes ahead of a new image. Medium and low CVEs are rolled into the next regular node image release. |
| Azure Container Linux (ACL) for AKS | ACL is an immutable, image-based operating system (OS); individual packages aren't updated in place. Instead, CVE fixes are delivered through weekly AKS node image releases that include the latest security patches. The SecurityPatch node OS upgrade channel isn't supported on ACL, so use the NodeImage channel to pick up security updates. For ACL details, see Azure Container Linux overview. |
Published advisories
Note
Azure Linux 4.0 CVE SLAs aren't applicable during preview.
Azure Linux and Azure Container Linux (ACL) security advisories are being published in Vulnerability Exploitability eXchange (VEX) format through the Microsoft Security Response Center (MSRC). VEX advisories help you determine whether a vulnerability actually affects your specific configuration rather than just whether a package is installed.
Azure Linux and ACL CVEs are also published through the Microsoft Security Update Guide (SUG) CVRF API, so you can ingest Microsoft security updates programmatically alongside other Microsoft product advisories.
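The following is an added example, not code from Microsoft or the Azure Linux project, showing how a CVRF 1.1 document such as the ones the SUG CVRF API returns can be reduced to a per-product CVE status map. The XML is a constructed sample that uses the public CVRF 1.1 namespaces; the ProductIDs, product names, CVE identifiers and the particular fields populated are assumptions for the example, not Microsoft's real identifiers. It assumes you have already downloaded the document (no network calls are made).

```python
"""Extract per-product CVE status from a CVRF 1.1 advisory document.
Added example, not Microsoft's code.  SAMPLE_CVRF is constructed: the
ProductIDs, names and CVE identifiers are placeholders."""
import xml.etree.ElementTree as ET

# Public CVRF 1.1 namespaces (document, vulnerability and product trees).
NS = {
    "cvrf": "http://www.icasi.org/CVRF/schema/cvrf/1.1",
    "vuln": "http://www.icasi.org/CVRF/schema/vuln/1.1",
    "prod": "http://www.icasi.org/CVRF/schema/prod/1.1",
}

# Constructed sample: two fake products, two fake vulnerabilities.
SAMPLE_CVRF = """<cvrf:cvrfdoc xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1"
              xmlns:vuln="http://www.icasi.org/CVRF/schema/vuln/1.1"
              xmlns:prod="http://www.icasi.org/CVRF/schema/prod/1.1">
  <cvrf:DocumentTitle>Constructed sample advisory</cvrf:DocumentTitle>
  <cvrf:DocumentTracking>
    <cvrf:Identification><cvrf:ID>2025-Jan</cvrf:ID></cvrf:Identification>
  </cvrf:DocumentTracking>
  <prod:ProductTree>
    <prod:Branch Type="Vendor" Name="Microsoft">
      <prod:FullProductName ProductID="90001">Azure Linux 3.0 (example)</prod:FullProductName>
      <prod:FullProductName ProductID="90002">Azure Container Linux (example)</prod:FullProductName>
    </prod:Branch>
  </prod:ProductTree>
  <vuln:Vulnerability Ordinal="1">
    <vuln:Title>Example OpenSSL issue</vuln:Title>
    <vuln:CVE>CVE-0000-0001</vuln:CVE>
    <vuln:ProductStatuses>
      <vuln:Status Type="Known Affected"><vuln:ProductID>90001</vuln:ProductID></vuln:Status>
      <vuln:Status Type="Known Not Affected"><vuln:ProductID>90002</vuln:ProductID></vuln:Status>
    </vuln:ProductStatuses>
    <vuln:CVSSScoreSets>
      <vuln:ScoreSet><vuln:BaseScore>7.5</vuln:BaseScore><vuln:ProductID>90001</vuln:ProductID></vuln:ScoreSet>
    </vuln:CVSSScoreSets>
  </vuln:Vulnerability>
  <vuln:Vulnerability Ordinal="2">
    <vuln:Title>Example kernel issue</vuln:Title>
    <vuln:CVE>CVE-0000-0002</vuln:CVE>
    <vuln:ProductStatuses>
      <vuln:Status Type="Fixed"><vuln:ProductID>90001</vuln:ProductID><vuln:ProductID>90002</vuln:ProductID></vuln:Status>
    </vuln:ProductStatuses>
  </vuln:Vulnerability>
</cvrf:cvrfdoc>
"""

# CVRF status types that mean "still exposed" for that product.
AFFECTED_TYPES = {"First Affected", "Known Affected", "Last Affected"}


def parse_cvrf(xml_text: str) -> dict:
    """Return {'id': ..., 'vulnerabilities': [{cve, title, statuses, scores}]}
    with ProductIDs resolved to the names from the product tree."""
    root = ET.fromstring(xml_text)
    products = {fp.get("ProductID"): (fp.text or "").strip()
                for fp in root.iterfind(".//prod:FullProductName", NS)}
    parsed = {
        "id": root.findtext("cvrf:DocumentTracking/cvrf:Identification/cvrf:ID",
                            default="", namespaces=NS),
        "vulnerabilities": [],
    }
    for v in root.iterfind("vuln:Vulnerability", NS):
        statuses, scores = {}, {}
        for st in v.iterfind("vuln:ProductStatuses/vuln:Status", NS):
            for pid in st.iterfind("vuln:ProductID", NS):
                statuses[products.get(pid.text, pid.text)] = st.get("Type")
        for ss in v.iterfind("vuln:CVSSScoreSets/vuln:ScoreSet", NS):
            base = ss.findtext("vuln:BaseScore", default="", namespaces=NS)
            for pid in ss.iterfind("vuln:ProductID", NS):
                scores[products.get(pid.text, pid.text)] = float(base) if base else None
        parsed["vulnerabilities"].append({
            "cve": v.findtext("vuln:CVE", default="", namespaces=NS),
            "title": v.findtext("vuln:Title", default="", namespaces=NS),
            "statuses": statuses,
            "scores": scores,
        })
    return parsed


def cves_affecting(parsed: dict, product_name: str, min_score: float = 0.0) -> list:
    """CVEs still marked affected for product_name whose base score is at
    least min_score (CVEs with no score are kept, since unknown is not safe)."""
    hits = []
    for v in parsed["vulnerabilities"]:
        if v["statuses"].get(product_name) in AFFECTED_TYPES:
            score = v["scores"].get(product_name)
            if score is None or score >= min_score:
                hits.append(v["cve"])
    return hits


if __name__ == "__main__":
    doc = parse_cvrf(SAMPLE_CVRF)
    for name in ("Azure Linux 3.0 (example)", "Azure Container Linux (example)"):
        print(doc["id"], name, "->", cves_affecting(doc, name))
```

Keying the result by product name rather than ProductID lets you filter on whichever product branch matches your deployment option; a "Fixed" or "Known Not Affected" status is deliberately not treated as exposure.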
Apply security updates
Keep your system updated to receive security fixes. The right mechanism depends on your deployment option.
On general-purpose Azure Linux, apply security updates by updating packages with dnf:

```bash
sudo dnf update -y
```
On Azure Container Linux, use Azure Kubernetes Service (AKS) node image upgrades on the NodeImage channel; don't attempt to update individual packages on the immutable OS.
Validate fixes
On general-purpose Azure Linux, confirm that the installed package version is at or above the version that carries the fix (and, if you need the CVE identifier, check the package changelog):

```bash
dnf info <PACKAGE_NAME>
```

On Azure Container Linux, verify that the node image version running on each node pool matches the expected release. The resource group and cluster name are required arguments, for example:

```bash
az aks nodepool list --resource-group <RESOURCE_GROUP> --cluster-name <CLUSTER_NAME> --query '[].{name:name, image:nodeImageVersion}' -o table
```
Coordinate with vulnerability scanners
Azure Linux and Azure Container Linux support common vulnerability scanning tools. For a list of supported scanners, see Azure Linux partner solutions.
Once VEX advisories are published for Azure Linux and ACL, scanners that consume VEX can accurately report whether an installed package is actually exposed to a given CVE on these platforms, reducing false positives.
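The following is an added example, not code from Microsoft, the Azure Linux project or any scanner, showing the matching logic a VEX-aware scanner applies on a general-purpose Azure Linux host: it joins VEX statements against the installed RPM set and, for "fixed" statements, decides exposure by comparing the installed epoch:version-release with the fixed one the way rpm does, so a package that is installed but already at or above the fixed version is not reported. The VEX document is constructed in the OpenVEX statement shape (Microsoft's actual VEX schema, product identifiers and purl conventions are assumptions, as are the placeholder CVE identifiers and the .azl3 release tags), and the package inventory is constructed output of `rpm -qa --qf '%{NAME} %{EVR}\n'`. The version comparison reimplements rpmvercmp including the `~` pre-release rule but omits the newer `^` rule.

```python
"""Match VEX statements against installed RPMs and report real exposure.
Added example, not Microsoft's code.  VEX_DOC and INSTALLED are constructed;
CVE identifiers, product purls and package versions are placeholders."""
import json
import re
from urllib.parse import unquote

# Constructed OpenVEX-style document.  Only the statement shape and the four
# status values (affected, not_affected, fixed, under_investigation) are assumed.
VEX_DOC = json.dumps({
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://example.invalid/vex/azurelinux-sample-1",   # placeholder
    "author": "example-author",
    "timestamp": "2025-01-15T00:00:00Z",
    "version": 1,
    "statements": [
        {"vulnerability": {"name": "CVE-0000-0001"}, "status": "fixed",
         "products": [{"@id": "pkg:rpm/azurelinux/openssl@3.3.0-2.azl3?arch=x86_64"}]},
        {"vulnerability": {"name": "CVE-0000-0002"}, "status": "not_affected",
         "justification": "vulnerable_code_not_in_execute_path",
         "products": [{"@id": "pkg:rpm/azurelinux/curl"}]},
        {"vulnerability": {"name": "CVE-0000-0003"}, "status": "affected",
         "products": [{"@id": "pkg:rpm/azurelinux/kernel"}]},
        {"vulnerability": {"name": "CVE-0000-0004"}, "status": "fixed",
         "products": [{"@id": "pkg:rpm/azurelinux/glibc@2.38-3.azl3"}]},
        {"vulnerability": {"name": "CVE-0000-0005"}, "status": "under_investigation",
         "products": [{"@id": "pkg:rpm/azurelinux/nginx"}]},
    ],
})

# Constructed output of:  rpm -qa --qf '%{NAME} %{EVR}\n'
INSTALLED = """\
openssl 3.3.0-1.azl3
curl 8.8.0-1.azl3
kernel 6.6.29-1.azl3
glibc 2.38-5.azl3
"""

_TOKEN = re.compile(r"[0-9A-Za-z~]")   # characters rpmvercmp does not skip


def rpmvercmp(a: str, b: str) -> int:
    """Reimplementation of rpm's rpmvercmp(): -1, 0 or 1.  Digit runs compare
    numerically, alpha runs lexically, a digit run beats an alpha run, and '~'
    sorts before everything including end of string.  The '^' rule is omitted."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not _TOKEN.match(a[i]):   # skip separators
            i += 1
        while j < len(b) and not _TOKEN.match(b[j]):
            j += 1
        ta = i < len(a) and a[i] == "~"
        tb = j < len(b) and b[j] == "~"
        if ta or tb:
            if ta and tb:
                i, j = i + 1, j + 1
                continue
            return -1 if ta else 1           # the side with '~' is older
        if i >= len(a) or j >= len(b):
            break
        pattern = r"\d+" if a[i].isdigit() else r"[A-Za-z]+"
        seg_a = re.match(pattern, a[i:]).group(0)
        m = re.match(pattern, b[j:])
        seg_b = m.group(0) if m else ""
        i, j = i + len(seg_a), j + len(seg_b)
        if not seg_b:                        # numeric vs alpha: numeric is newer
            return 1 if pattern == r"\d+" else -1
        if pattern == r"\d+":
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1          # whichever has leftovers is newer


def parse_evr(evr: str):
    """'1:2.0-3.azl3' -> (1, '2.0', '3.azl3'); a missing epoch counts as 0."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, _, release = rest.partition("-")
    return int(epoch), version, release


def evr_cmp(a: str, b: str) -> int:
    """Compare two epoch:version-release strings like rpm's labelCompare."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def parse_purl(purl: str):
    """'pkg:rpm/azurelinux/openssl@3.3.0-2.azl3?arch=x86_64' -> ('openssl', '3.3.0-2.azl3').
    The version is None when the purl names only the package."""
    path = purl.split("?", 1)[0].split("#", 1)[0]
    if not path.startswith("pkg:rpm/"):
        raise ValueError(f"not an rpm purl: {purl}")
    name, _, version = path.rsplit("/", 1)[-1].partition("@")
    return unquote(name), unquote(version) or None


def assess(vex_json: str, installed_text: str) -> dict:
    """Return {(cve, package): {...}} for each VEX statement naming an installed
    package.  A 'fixed' statement only counts as patched when the installed EVR
    is at least the fixed EVR; a 'fixed' statement without a version stays exposed."""
    installed = dict(line.split() for line in installed_text.splitlines() if line.strip())
    report = {}
    for st in json.loads(vex_json)["statements"]:
        cve = st["vulnerability"]["name"]
        for product in st["products"]:
            name, fixed_evr = parse_purl(product["@id"])
            have = installed.get(name)
            if have is None:
                continue                     # not installed: nothing to report
            status = st["status"]
            if status == "fixed":
                verdict = "patched" if fixed_evr and evr_cmp(have, fixed_evr) >= 0 else "exposed"
            elif status == "affected":
                verdict = "exposed"
            else:                            # not_affected / under_investigation
                verdict = status
            report[(cve, name)] = {"installed": have, "fixed_in": fixed_evr,
                                   "status": status, "verdict": verdict,
                                   "justification": st.get("justification")}
    return report


if __name__ == "__main__":
    for (cve, pkg), r in sorted(assess(VEX_DOC, INSTALLED).items()):
        print(f"{cve} {pkg:<8} installed={r['installed']} fixed_in={r['fixed_in']} -> {r['verdict']}")
```

On the sample, openssl is reported exposed because 3.3.0-1.azl3 is older than the fixed 3.3.0-2.azl3, glibc is reported patched because 2.38-5.azl3 is newer than 2.38-3.azl3, curl is suppressed by its not_affected justification, and nginx is skipped because it isn't installed. A scanner that only matched package names would have flagged all four.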
Report a security issue
Report suspected security vulnerabilities in Azure Linux or Azure Container Linux to the Microsoft Security Response Center (MSRC). Please do not report security vulnerabilities through public GitHub issues.