Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

The launchpad extension has critical security vulnerabilities in the latest images #896

Open
justinmchase opened this issue Aug 27, 2024 · 11 comments
Open

The launchpad extension has critical security vulnerabilities in the latest images #896

justinmchase opened this issue Aug 27, 2024 · 11 comments

Comments

@justinmchase
Copy link

justinmchase commented Aug 27, 2024
edited
Loading

The latest image of mssql/server:2022-latest contains a file at /opt/mssql-extensibility/bin/launchpad which appears to be built with a very old version of golang and generates a large number of critical CVE's for all of your published images.

exact sha256

as of Aug 27, 2024

c1aa8afe9b06eab64c9774a4802dcd032205d1be785b1fd51e1c0151e7586b74

Details

Screenshot 2024-08-27 at 12 29 01 PM

Please rebuild the launchpad extension with a newer version of golang and publish an updated version of 2022 and 2019.

Related to
@amitkh-msft
Copy link
Collaborator

Ack. Thank you for sharing this. We will work on updating the golang package.

@naman7kr
Copy link

Any update on this ? is there any deadline ?

@amitkh-msft
Copy link
Collaborator

sorry for the delay, hopefully I should have a tentative timeline to share by end of next week.

@granadacoder
Copy link

Hi.

I am another person and team being completely paralyzed here.

When giving timeline phrases... could you use exact dates and please avoid "this week" or "next week" phrases. I'm not trying to be a jerk, but I'm getting pinged twice a day on "what is the update?".
I am in a zero tolerance world now.

Thank you for your consideration.

@justinmchase
Copy link
Author

@amitkh-msft I'm in the same boat. These images are being blocked by our security team and they are critical for our developers.

@granadacoder
Copy link

sorry for the delay, hopefully I should have a tentative timeline to share by end of next week.

(Posted 3 weeks ago)

Hi.

We are desperately looking for an update.

We are looking to shift to postgres now because of the lack of response.

I'm not trying to be nasty. I'm conveying the reality of our security department will not allow vulnerable images.

@FabiKund
Copy link

@amitkh-msft are there any updates on the timeline?

We have the same problem that several people have already described here: one of our products needs to use the mssql server image which contains the vulnerabilities stated above.
As long as the vulnerabilities exist our security department does not allow going live with the product and blocks the usage of the image.

@granadacoder
Copy link

Hi. It's coming up on 2 MONTHS since being reported.

Please, can we get an update?

@hype11
Copy link

hype11 commented Oct 30, 2024

Hi, I have the same problem. For our company the image is blocked by security scanners. How long will it take to fix this critical issue?
regards

@naman7kr
Copy link

naman7kr commented Nov 5, 2024

i have stopped using mssql database, thanks to @amitkh-msft

@granadacoder
Copy link

4 1/2 MONTHS later...we still have no update?

This is embarrassing Microsoft.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@justinmchase @granadacoder @hype11 @naman7kr @amitkh-msft @FabiKund