Replies: 1 comment
-
Either you're not using the most up-to-date version of the tag or this is a false positive. The image referenced by that tag has the latest version of the openssl package. There was a release yesterday for .NET which updated our images, but even the previous version of the image had the latest version of the openssl package.

$ docker pull mcr.microsoft.com/dotnet/aspnet:6.0
6.0: Pulling from dotnet/aspnet
Digest: sha256:3cbb1b87fb7abdf2f769c1cb9e455bd1e36ddacb465bee8179b7bf7faf747a85
Status: Image is up to date for mcr.microsoft.com/dotnet/aspnet:6.0
mcr.microsoft.com/dotnet/aspnet:6.0
$ docker run --rm mcr.microsoft.com/dotnet/aspnet:6.0 apt list openssl
WARNING: apt does not have a stable CLI interface. Use with caution in scripts.
Listing...
openssl/now 1.1.1n-0+deb11u1 amd64 [installed,local]

Also checking the previous version:

$ docker pull mcr.microsoft.com/dotnet/aspnet:6.0.3
6.0.3: Pulling from dotnet/aspnet
Digest: sha256:26ef9dc4aa354cc4aa4ae533c97f92d0d72c5e848f6968660be51d9fc1ce092e
Status: Downloaded newer image for mcr.microsoft.com/dotnet/aspnet:6.0.3
mcr.microsoft.com/dotnet/aspnet:6.0.3
$ docker run --rm mcr.microsoft.com/dotnet/aspnet:6.0.3 apt list openssl
WARNING: apt does not have a stable CLI interface. Use with caution in scripts.
Listing...
openssl/now 1.1.1n-0+deb11u1 amd64 [installed,local]

You can see that version 1.1.1n-0+deb11u1 of the openssl package is contained in the image. This version is labeled as fixed from Debian's security tracker:
-
Hi, in my Dockerfile, I am using this base image - mcr.microsoft.com/dotnet/aspnet:6.0. We recently detected this vulnerability - https://security-tracker.debian.org/tracker/CVE-2021-4160 in the same base image. I think it has to do with the openssl package being vulnerable. The upgrade of openssl from 1.1.1k-1+deb11u1 to 1.1.1k-1+deb11u2 should fix the vulnerability.
Is there a plan to fix this issue?