https://live.paloaltonetworks.com/t5/general-topics/minemeld-vulnerabilities/m-p/347227#M95584 <P><SPAN>After downloading and building minemeld from&nbsp;<A href="https://github.com/PaloAltoNetworks/minemeld-docker" target="_blank">https://github.com/PaloAltoNetworks/minemeld-docker</A>&nbsp;...</SPAN></P> <P><SPAN>Our <A href="https://anchore.com/" target="_blank">https://anchore.com/</A> scanning engine has detected several vulnerabilities...</SPAN></P> <P>&nbsp;</P> <P><SPAN>Amongst other obvious concerns such as;</SPAN></P> <P>&nbsp;</P> <P><SPAN>1. Why is it build with python2.7?</SPAN></P> <P>&nbsp;</P> <P><SPAN>2. Why are Palo Alto still developing&nbsp;with this after Jan 2020&nbsp;<A href="https://pythonclock.org/" target="_blank">https://pythonclock.org/</A>? </SPAN></P> <P>&nbsp;</P> <P><SPAN>3. Aren't you supposed to migrate before end of support not after?</SPAN></P> <P>&nbsp;</P> <P><SPAN> I was wondering if somebody from Palo Alto could address these vulnerabilities? It's not great to have a security product that is full of security vulnerabilities.&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN>I did raise a Palo Alto Support case as we spend an astronomical&nbsp;amount&nbsp;of money with them. Minemeld is only supported on Autofocus which we do not have, so they directed me here...</SPAN></P> <P>&nbsp;</P> <P><SPAN>So please Palo Alto, pretty please with sugar on top can you fix these vulnerabilities&nbsp;in your product. Thanks! By the way these are only the worst ones. You should probably scan your containers before you publish them! The whole idea is that I invest in security products to make things more secure, not introduce vulnerabilities.</SPAN></P> <P>&nbsp;</P> <P><SPAN>17:04:34 vulnerabilities package [1;31m[4;31mCRITICAL[0m Vulnerability found in non-os package type (python) - /opt/minemeld/engine/0.9.70.post1/lib/python2.7/site-packages/PyYAML (max_days_since_creation=2020-05-29)(CVE-2020-1747 -&nbsp;</SPAN><A href="https://nvd.nist.gov/vuln/detail/CVE-2020-1747" target="_blank" rel="noopener">https://nvd.nist.gov/vuln/detail/CVE-2020-1747</A><SPAN>) warn</SPAN><BR /><SPAN>17:04:34 vulnerabilities package [1;31m[4;31mCRITICAL[0m Vulnerability found in non-os package type (python) - /usr/lib/python2.7/lib-dynload/Python (max_days_since_creation=2020-07-16)(CVE-2019-9948 -&nbsp;</SPAN><A href="https://nvd.nist.gov/vuln/detail/CVE-2019-9948" target="_blank" rel="noopener">https://nvd.nist.gov/vuln/detail/CVE-2019-9948</A><SPAN>) warn</SPAN><BR /><SPAN>17:04:34 vulnerabilities package [1;31m[4;31mCRITICAL[0m Vulnerability found in non-os package type (python) - /usr/lib/python2.7/lib-dynload/Python (max_days_since_creation=2020-07-10)(CVE-2019-9636 -&nbsp;</SPAN><A href="https://nvd.nist.gov/vuln/detail/CVE-2019-9636" target="_blank" rel="noopener">https://nvd.nist.gov/vuln/detail/CVE-2019-9636</A><SPAN>) warn</SPAN></P> Mon, 07 Sep 2020 12:38:56 GMT martinsarrionandia 2020-09-07T12:38:56Z https://live.paloaltonetworks.com/t5/general-topics/minemeld-vulnerabilities/m-p/347227#M95584 <P><SPAN>After downloading and building minemeld from&nbsp;<A href="https://github.com/PaloAltoNetworks/minemeld-docker" target="_blank">https://github.com/PaloAltoNetworks/minemeld-docker</A>&nbsp;...</SPAN></P> <P><SPAN>Our <A href="https://anchore.com/" target="_blank">https://anchore.com/</A> scanning engine has detected several vulnerabilities...</SPAN></P> <P>&nbsp;</P> <P><SPAN>Amongst other obvious concerns such as;</SPAN></P> <P>&nbsp;</P> <P><SPAN>1. Why is it build with python2.7?</SPAN></P> <P>&nbsp;</P> <P><SPAN>2. Why are Palo Alto still developing&nbsp;with this after Jan 2020&nbsp;<A href="https://pythonclock.org/" target="_blank">https://pythonclock.org/</A>? </SPAN></P> <P>&nbsp;</P> <P><SPAN>3. Aren't you supposed to migrate before end of support not after?</SPAN></P> <P>&nbsp;</P> <P><SPAN> I was wondering if somebody from Palo Alto could address these vulnerabilities? It's not great to have a security product that is full of security vulnerabilities.&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN>I did raise a Palo Alto Support case as we spend an astronomical&nbsp;amount&nbsp;of money with them. Minemeld is only supported on Autofocus which we do not have, so they directed me here...</SPAN></P> <P>&nbsp;</P> <P><SPAN>So please Palo Alto, pretty please with sugar on top can you fix these vulnerabilities&nbsp;in your product. Thanks! By the way these are only the worst ones. You should probably scan your containers before you publish them! The whole idea is that I invest in security products to make things more secure, not introduce vulnerabilities.</SPAN></P> <P>&nbsp;</P> <P><SPAN>17:04:34 vulnerabilities package [1;31m[4;31mCRITICAL[0m Vulnerability found in non-os package type (python) - /opt/minemeld/engine/0.9.70.post1/lib/python2.7/site-packages/PyYAML (max_days_since_creation=2020-05-29)(CVE-2020-1747 -&nbsp;</SPAN><A href="https://nvd.nist.gov/vuln/detail/CVE-2020-1747" target="_blank" rel="noopener">https://nvd.nist.gov/vuln/detail/CVE-2020-1747</A><SPAN>) warn</SPAN><BR /><SPAN>17:04:34 vulnerabilities package [1;31m[4;31mCRITICAL[0m Vulnerability found in non-os package type (python) - /usr/lib/python2.7/lib-dynload/Python (max_days_since_creation=2020-07-16)(CVE-2019-9948 -&nbsp;</SPAN><A href="https://nvd.nist.gov/vuln/detail/CVE-2019-9948" target="_blank" rel="noopener">https://nvd.nist.gov/vuln/detail/CVE-2019-9948</A><SPAN>) warn</SPAN><BR /><SPAN>17:04:34 vulnerabilities package [1;31m[4;31mCRITICAL[0m Vulnerability found in non-os package type (python) - /usr/lib/python2.7/lib-dynload/Python (max_days_since_creation=2020-07-10)(CVE-2019-9636 -&nbsp;</SPAN><A href="https://nvd.nist.gov/vuln/detail/CVE-2019-9636" target="_blank" rel="noopener">https://nvd.nist.gov/vuln/detail/CVE-2019-9636</A><SPAN>) warn</SPAN></P> Mon, 07 Sep 2020 12:38:56 GMT https://live.paloaltonetworks.com/t5/general-topics/minemeld-vulnerabilities/m-p/347227#M95584 martinsarrionandia 2020-09-07T12:38:56Z https://live.paloaltonetworks.com/t5/general-topics/minemeld-vulnerabilities/m-p/347819#M95585 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/154522">@martinsarrionandia</a>,</P> <P>thanks for your message. We are aware of those vulnerabilities in the libraries used by MineMeld, but MineMeld code does not make use of the vulnerable features in the affected libraries. We are currently working on:</P> <P>- a new release based on Python 2.7.18 to get rid of the old versions</P> <P>- a new release based on Python 3</P> <P>&nbsp;</P> <P>Happy to discuss all the details.</P> <P>&nbsp;</P> <P>Please note that Palo Alto Networks has an official process for reporting reporting potential security vulnerabilities in our products, based on the responsible disclosure model. The process is documented here:&nbsp;<A href="https://www.paloaltonetworks.com/security-disclosure" target="_blank">https://www.paloaltonetworks.com/security-disclosure</A>.</P> <P>&nbsp;</P> <P>Thanks again.</P> Wed, 09 Sep 2020 07:12:49 GMT https://live.paloaltonetworks.com/t5/general-topics/minemeld-vulnerabilities/m-p/347819#M95585 lmori 2020-09-09T07:12:49Z