
The launchpad extension has critical security vulnerabilities in the latest images

Open justinmchase opened this issue 1 year ago • 7 comments

The latest image of mssql/server:2022-latest contains a file at /opt/mssql-extensibility/bin/launchpad which appears to be built with a very old version of golang and generates a large number of critical CVE's for all of your published images.

Exact sha256 (as of Aug 27, 2024): c1aa8afe9b06eab64c9774a4802dcd032205d1be785b1fd51e1c0151e7586b74

[Screenshot of the scanner's findings, taken 2024-08-27 12:29 PM]

Please rebuild the launchpad extension with a newer version of golang and publish an updated version of 2022 and 2019.

Related to

  • https://github.com/microsoft/mssql-docker/issues/866

justinmchase avatar Aug 27 '24 17:08 justinmchase
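One way to check which Go toolchain a binary pulled from an image was actually built with, and to confirm a fix such as the CU17 rebuild described further down this thread, as an added example that is not code from the reporter or the mssql-docker project: the script reads the Go build-info header (the same data that go version -m prints) and, for older pointer-based layouts, falls back to searching for the runtime version string. The path /opt/mssql-extensibility/bin/launchpad comes from the issue; the script name go_toolchain_check.py, the default minimum of go1.22 and the constructed sample blob are assumptions made for this example.

```python
#!/usr/bin/env python3
"""Report the Go toolchain version embedded in a compiled Go binary.

Added example for checking a file such as /opt/mssql-extensibility/bin/launchpad
copied out of an image; it is not code from the mssql-docker project. It reads
the Go build-info header (what `go version -m` reads) and falls back to the
runtime version string for pre-1.18 layouts.
"""
import re
import sys
from typing import Optional, Tuple

BUILDINFO_MAGIC = b"\xff Go buildinf:"   # start of the 32-byte build-info header
HEADER_SIZE = 32
FLAG_VERSION_INLINE = 0x02               # Go 1.18+: version string follows the header inline
VERSION_RE = re.compile(rb"go1\.\d+(?:\.\d+)?(?:(?:rc|beta)\d+)?")


def read_uvarint(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode an unsigned LEB128 varint at buf[pos]; return (value, next_pos)."""
    value, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if b < 0x80:
            return value, pos
        shift += 7


def write_uvarint(n: int) -> bytes:
    """Encode n as an unsigned LEB128 varint (used only to build sample data)."""
    out = bytearray()
    while n >= 0x80:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    out.append(n)
    return bytes(out)


def go_version_from_bytes(data: bytes) -> Optional[str]:
    """Return the toolchain version (e.g. 'go1.23.1') or None if none is found."""
    idx = data.find(BUILDINFO_MAGIC)
    if idx != -1 and len(data) >= idx + HEADER_SIZE:
        flags = data[idx + 15]            # byte 14 is pointer size, byte 15 is flags
        if flags & FLAG_VERSION_INLINE:
            try:
                n, pos = read_uvarint(data, idx + HEADER_SIZE)
                return data[pos:pos + n].decode("ascii", "replace")
            except ValueError:
                pass
    # Pointer-based header (Go < 1.18) or no header: the runtime.buildVersion
    # string is still present as plain text, so search for it heuristically.
    m = VERSION_RE.search(data)
    return m.group(0).decode("ascii") if m else None


def version_key(version: str) -> Tuple[int, int]:
    """Map 'go1.23.1' -> (23, 1) for ordering; pre-release suffixes are ignored."""
    m = re.match(r"go1\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised Go version: {version!r}")
    return int(m.group(1)), int(m.group(2) or 0)


def is_at_least(found: str, minimum: str) -> bool:
    """True if the found toolchain is at least the minimum your policy requires."""
    return version_key(found) >= version_key(minimum)


def build_sample_blob(version: str, modinfo: bytes = b"") -> bytes:
    """Constructed stand-in for a Go 1.18+ binary: ELF-like prefix, header, inline strings."""
    header = BUILDINFO_MAGIC + bytes([8, FLAG_VERSION_INLINE]) + b"\x00" * 16
    assert len(header) == HEADER_SIZE
    body = write_uvarint(len(version)) + version.encode() + write_uvarint(len(modinfo)) + modinfo
    return b"\x7fELF" + b"\x00" * 12 + header + body


if __name__ == "__main__":
    # Usage: go_toolchain_check.py <binary> [minimum, e.g. go1.22]; with no
    # arguments it runs against the constructed sample blob.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    minimum = sys.argv[2] if len(sys.argv) > 2 else "go1.22"   # assumed policy floor
    data = open(path, "rb").read() if path else build_sample_blob("go1.23.1")
    found = go_version_from_bytes(data)
    if found is None:
        print("no Go build information found")
        sys.exit(2)
    ok = is_at_least(found, minimum)
    print(f"built with {found}; minimum {minimum}: {'OK' if ok else 'TOO OLD'}")
    sys.exit(0 if ok else 1)
```

To run it against the real file, create a container without starting it (docker create mcr.microsoft.com/mssql/server:2022-latest), copy the binary out with docker cp <container>:/opt/mssql-extensibility/bin/launchpad ./launchpad, and point the script at ./launchpad. If a Go toolchain is installed, go version -m ./launchpad prints the same version plus the module list, which is what scanners match CVEs against; the script is only a dependency-free way to record the toolchain version in a CI gate.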

Ack. Thank you for sharing this. We will work on updating the golang package.

amitkh-msft avatar Aug 27 '24 17:08 amitkh-msft

Any update on this? Is there any deadline?

naman7kr avatar Sep 18 '24 11:09 naman7kr

Sorry for the delay; hopefully I should have a tentative timeline to share by the end of next week.

amitkh-msft avatar Sep 18 '24 13:09 amitkh-msft

Hi.

I am another person and team being completely paralyzed here.

When giving timeline phrases... could you use exact dates and please avoid "this week" or "next week" phrases. I'm not trying to be a jerk, but I'm getting pinged twice a day on "what is the update?". I am in a zero tolerance world now.

Thank you for your consideration.

granadacoder avatar Sep 24 '24 13:09 granadacoder

@amitkh-msft I'm in the same boat. These images are being blocked by our security team and they are critical for our developers.

justinmchase avatar Oct 01 '24 17:10 justinmchase

"Sorry for the delay; hopefully I should have a tentative timeline to share by the end of next week."

(Posted 3 weeks ago)

Hi.

We are desperately looking for an update.

We are looking to shift to postgres now because of the lack of response.

I'm not trying to be nasty. I'm conveying the reality that our security department will not allow vulnerable images.

granadacoder avatar Oct 07 '24 14:10 granadacoder

@amitkh-msft are there any updates on the timeline?

We have the same problem that several people have already described here: one of our products needs to use the mssql server image which contains the vulnerabilities stated above. As long as the vulnerabilities exist our security department does not allow going live with the product and blocks the usage of the image.

FabiKund avatar Oct 15 '24 11:10 FabiKund

Hi. It's coming up on 2 MONTHS since being reported.

Please, can we get an update?

granadacoder avatar Oct 24 '24 19:10 granadacoder

Hi, I have the same problem. For our company the image is blocked by security scanners. How long will it take to fix this critical issue? Regards

hype11 avatar Oct 30 '24 14:10 hype11

I have stopped using the mssql database, thanks to @amitkh-msft

naman7kr avatar Nov 05 '24 06:11 naman7kr

4 1/2 MONTHS later...we still have no update?

This is embarrassing Microsoft.

granadacoder avatar Jan 08 '25 14:01 granadacoder

Launchpad extension is now built with go version 1.23.1 with release of SQL Server 2022 CU17.

bishrest-msft avatar Jan 16 '25 21:01 bishrest-msft

This is solved with CU 17 release for SQL 22.

amitkh-msft avatar Jan 17 '25 11:01 amitkh-msft

Thank you so much for addressing this.

justinmchase avatar Jan 18 '25 21:01 justinmchase