
[Question]: Has there been any progress in resolving the following CVEs in the latest releases? #5034

Open
marlenkassym opened this issue Nov 7, 2024 · 5 comments

@marlenkassym

marlenkassym commented Nov 7, 2024

Describe your question

The following CVEs are being detected by Microsoft Defender for Cloud in the current version of v3.243.1 that I am using in the ADO agents. Is there any update on fixing these as some are dated all the way to 2016?

CVE
CVE-2016-10540
CVE-2017-18077
CVE-2022-3517
CVE-2022-0144
CVE-2022-34716
CVE-2024-27086
CVE-2024-35255

Versions

Azure pipelines v3.243.1

Environment type (Please select at least one environment where you face this issue)

  • Self-Hosted
  • Microsoft Hosted
  • VMSS Pool
  • Container

Azure DevOps Server type

dev.azure.com (formerly visualstudio.com)

Operating system

Ubuntu 24.04

Version control system

Azure Repos

Azure DevOps Server Version (if applicable)

No response

@ivanduplenskikh
Contributor

@marlenkassym, thank you for bringing this to our attention. We will review these CG alerts shortly.

@DergachevE
Contributor

@marlenkassym Thanks for your question.
I have checked our reporting and those CVEs were resolved.
Just to be sure, I would like to clarify a few things:

  1. What scanning tool do you use?
  2. Do you scan the entire VM or only the agent folder? There might be old CVEs reported, as previous agent version folders are left behind after an agent update. Also, when scanning the agent folder, there are downloaded task folders, which contain older versions with possible vulnerabilities.
  3. It would be useful if you could share some file paths (relative would be good) so we can understand whether the specific CVE is task- or agent-related, and whether it comes from some outdated task/agent version.

@marlenkassym
Author

marlenkassym commented Nov 8, 2024

Hi @DergachevE, thanks for the prompt response. Please see my response below.

  1. These vulnerabilities are being detected and reported by Microsoft Defender for Cloud in the Azure portal.
  2. I am not sure how DfC has scanned these, but effectively it reported the Linux images/containers stored in Azure Container Registry as having these vulnerabilities.
  3. Your suggestion regarding data from outdated agents makes sense. I will have to check whether we can rebuild the containers from scratch, rather than update. Please find below the evidence reported by DfC against each vulnerability. Many thanks.

CVE-2016-10540
/ado-linux-agent/externals/vso-task-lib/node_modules/minimatch/package.json
Vendor: minimatch
Installed version: 3.0.0.0

CVE-2017-18077
/ado-linux-agent/externals/vso-task-lib/node_modules/minimatch/node_modules/brace-expansion/package.json
Vendor: brace-expansion
Installed version: 1.1.5.0

CVE-2022-0144
/ado-linux-agent/externals/vso-task-lib/node_modules/shelljs/package.json
Vendor: shelljs
Installed version: 0.3.0.0

CVE-2022-34716
/ado-linux-agent/bin/Agent.PluginHost.deps.json
/ado-linux-agent/bin/Agent.Sdk.deps.json
Vendor: system.security.cryptography.xml
Installed version: 5.0.0.0

CVE-2022-3517
/ado-linux-agent/externals/vso-task-lib/node_modules/minimatch/package.json
Vendor: minimatch
Installed version: 3.0.0.0

CVE-2024-27086
/ado-linux-agent/bin/Agent.PluginHost.deps.json
/ado-linux-agent/bin/Agent.Plugins.deps.json
/ado-linux-agent/bin/Agent.Sdk.deps.json
/ado-linux-agent/bin/Microsoft.VisualStudio.Services.Agent.deps.json
Vendor: microsoft.identity.client
Installed version: 4.59.0.0

CVE-2024-35255
/ado-linux-agent/bin/Agent.PluginHost.deps.json
/ado-linux-agent/bin/Agent.Plugins.deps.json
/ado-linux-agent/bin/Agent.Sdk.deps.json
/ado-linux-agent/bin/Microsoft.VisualStudio.Services.Agent.deps.json
Vendor: microsoft.identity.client
Installed version: 4.59.0.0

@marlenkassym
Author

@DergachevE Hi, has there been any update on your findings? Thanks.

@ivanduplenskikh
Contributor

ivanduplenskikh commented Nov 19, 2024

@marlenkassym,

CVE-2016-10540
/ado-linux-agent/externals/vso-task-lib/node_modules/minimatch/package.json
Vendor: minimatch
Installed version: 3.0.0.0

CVE-2017-18077
/ado-linux-agent/externals/vso-task-lib/node_modules/minimatch/node_modules/brace-expansion/package.json
Vendor: brace-expansion
Installed version: 1.1.5.0

CVE-2022-0144
/ado-linux-agent/externals/vso-task-lib/node_modules/shelljs/package.json
Vendor: shelljs
Installed version: 0.3.0.0

CVE-2022-3517
/ado-linux-agent/externals/vso-task-lib/node_modules/minimatch/package.json
Vendor: minimatch
Installed version: 3.0.0.0

I found related issue #5008.
There is a workaround related to vso-task-lib folder vulnerabilities:

If you don't have an old task relying on this vso-task-lib (I assume you don't if you're not using TFS 2015), as a mitigation you can remove it from the agent externals.

CVE-2022-34716
/ado-linux-agent/bin/Agent.PluginHost.deps.json
/ado-linux-agent/bin/Agent.Sdk.deps.json
Vendor: system.security.cryptography.xml
Installed version: 5.0.0.0

This CVE was resolved in #4996

CVE-2024-35255
/ado-linux-agent/bin/Agent.PluginHost.deps.json
/ado-linux-agent/bin/Agent.Plugins.deps.json
/ado-linux-agent/bin/Agent.Sdk.deps.json
/ado-linux-agent/bin/Microsoft.VisualStudio.Services.Agent.deps.json
Vendor: microsoft.identity.client
Installed version: 4.59.0.0

This CVE was resolved in #4910

CVE-2024-27086
/ado-linux-agent/bin/Agent.PluginHost.deps.json
/ado-linux-agent/bin/Agent.Plugins.deps.json
/ado-linux-agent/bin/Agent.Sdk.deps.json
/ado-linux-agent/bin/Microsoft.VisualStudio.Services.Agent.deps.json
Vendor: microsoft.identity.client
Installed version: 4.59.0.0

This CVE has low severity and includes a warning within the CVE:

Important
ONLY applications targeting Xamarin Android and .NET Android (MAUI) are impacted. All others can safely dismiss this CVE.
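The triage question raised in this thread (is a reported CVE coming from the agent binaries, from the vso-task-lib externals, or from a stale downloaded task folder?) can be answered mechanically before opening a ticket. The script below is an added example written for this thread; it is not part of the azure-pipelines-agent project or of Microsoft Defender for Cloud. It walks an agent install, reads package versions out of `node_modules/*/package.json` and `*.deps.json` files, matches them against the package/version pairs quoted in the scanner output above, and labels each hit with where it lives. The `FLAGGED` table is constructed from this issue only and is not an advisory database; the `_work/_tasks` location for downloaded tasks and the three-component version comparison (so the scanner's `3.0.0.0` matches `3.0.0`) are assumptions, and the sample tree built in `demo()` is constructed for illustration.

```python
"""Attribute scanner CVE findings to parts of an Azure Pipelines agent install.

Added example for issue #5034; not project code. The FLAGGED table is built
from the package/version pairs quoted in the thread and is NOT a complete
advisory database.
"""
import json
import os
import tempfile
from typing import Dict, Iterator, List, Tuple

# (package name, 3-component version) -> CVE ids quoted in the scanner report above.
FLAGGED: Dict[Tuple[str, str], List[str]] = {
    ("minimatch", "3.0.0"): ["CVE-2016-10540", "CVE-2022-3517"],
    ("brace-expansion", "1.1.5"): ["CVE-2017-18077"],
    ("shelljs", "0.3.0"): ["CVE-2022-0144"],
    ("system.security.cryptography.xml", "5.0.0"): ["CVE-2022-34716"],
    ("microsoft.identity.client", "4.59.0"): ["CVE-2024-27086", "CVE-2024-35255"],
}


def _norm(version: str) -> str:
    """Compare on the first three numeric components so '3.0.0.0' equals '3.0.0'."""
    return ".".join(version.split(".")[:3])


def classify(rel_path: str) -> str:
    """Label a hit by the part of the agent layout it lives in (assumed layout)."""
    p = rel_path.replace(os.sep, "/")
    if "/_work/_tasks/" in "/" + p:          # downloaded task versions (assumption)
        return "downloaded task"
    if p.startswith("externals/vso-task-lib/"):
        return "agent externals (vso-task-lib)"
    if p.startswith("bin/"):
        return "agent binaries"
    return "other"


def iter_packages(root: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (relative path, package, version) from node package.json and .NET deps.json."""
    for dirpath, _, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            rel = os.path.relpath(full, root)
            is_node = fname == "package.json" and "node_modules" in rel.split(os.sep)
            is_deps = fname.endswith(".deps.json")
            if not (is_node or is_deps):
                continue
            try:
                with open(full, encoding="utf-8") as fh:
                    data = json.load(fh)
            except (OSError, ValueError):
                continue  # unreadable or malformed file: skip, do not abort the scan
            if is_node:
                name, ver = data.get("name"), data.get("version")
                if isinstance(name, str) and isinstance(ver, str):
                    yield rel, name, ver
            else:
                # deps.json "libraries" keys have the form "Name/Version"
                for key in data.get("libraries", {}):
                    name, sep, ver = key.partition("/")
                    if sep:
                        yield rel, name, ver


def scan(root: str) -> List[dict]:
    """Return flagged packages under root, sorted for stable output."""
    hits = []
    for rel, name, ver in iter_packages(root):
        cves = FLAGGED.get((name.lower(), _norm(ver)))
        if cves:
            hits.append({"path": rel.replace(os.sep, "/"), "package": name,
                         "version": ver, "cves": cves, "origin": classify(rel)})
    return sorted(hits, key=lambda h: (h["path"], h["package"]))


def summarize(hits: List[dict]) -> Dict[str, int]:
    """Count findings per origin: tells you whether a rebuild, an externals
    cleanup or a task-cache cleanup is the right fix."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h["origin"]] = counts.get(h["origin"], 0) + 1
    return counts


def demo() -> List[dict]:
    """Build a constructed miniature of the layout from this issue and scan it."""
    def write(root: str, rel: str, obj: dict) -> None:
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            json.dump(obj, fh)

    with tempfile.TemporaryDirectory() as root:
        ext = "externals/vso-task-lib/node_modules/"
        write(root, ext + "minimatch/package.json", {"name": "minimatch", "version": "3.0.0"})
        write(root, ext + "minimatch/node_modules/brace-expansion/package.json",
              {"name": "brace-expansion", "version": "1.1.5"})
        write(root, ext + "shelljs/package.json", {"name": "shelljs", "version": "0.3.0"})
        write(root, "bin/Agent.Sdk.deps.json", {"libraries": {
            "System.Security.Cryptography.Xml/5.0.0": {"type": "package"},
            "Microsoft.Identity.Client/4.59.0": {"type": "package"}}})
        # Constructed: a stale task copy (flagged) and a newer one (not flagged).
        write(root, "_work/_tasks/ExampleTask/1.0.0/node_modules/minimatch/package.json",
              {"name": "minimatch", "version": "3.0.0"})
        write(root, "_work/_tasks/ExampleTask/2.0.0/node_modules/minimatch/package.json",
              {"name": "minimatch", "version": "3.1.2"})
        return scan(root)


if __name__ == "__main__":
    findings = demo()
    for f in findings:
        print(f"{f['origin']:32} {f['package']}@{f['version']:8} {f['path']}  {', '.join(f['cves'])}")
    print(summarize(findings))
```

Run it against a real install with `scan("/ado-linux-agent")` instead of `demo()`; the `origin` column then shows which of the thread's three remedies applies to each line of a Defender report: agent-binary hits need an agent upgrade that carries the fixes referenced above, `vso-task-lib` hits are covered by the externals workaround, and hits under `_work/_tasks` only go away when the cached task versions (or the container) are rebuilt.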
