This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Minemeld Vulnerabilities

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Minemeld Vulnerabilities

martinsarrionandia
L0 Member

‎09-07-2020 05:38 AM

After downloading and building minemeld from https://github.com/PaloAltoNetworks/minemeld-docker ...

Our https://anchore.com/ scanning engine has detected several vulnerabilities...

 

Amongst other obvious concerns such as;

 

1. Why is it build with python2.7?

 

2. Why are Palo Alto still developing with this after Jan 2020 https://pythonclock.org/?

 

3. Aren't you supposed to migrate before end of support not after?

 

I was wondering if somebody from Palo Alto could address these vulnerabilities? It's not great to have a security product that is full of security vulnerabilities. 

 

I did raise a Palo Alto Support case as we spend an astronomical amount of money with them. Minemeld is only supported on Autofocus which we do not have, so they directed me here...

 

So please Palo Alto, pretty please with sugar on top can you fix these vulnerabilities in your product. Thanks! By the way these are only the worst ones. You should probably scan your containers before you publish them! The whole idea is that I invest in security products to make things more secure, not introduce vulnerabilities.

 

17:04:34 vulnerabilities package [1;31m[4;31mCRITICAL[0m Vulnerability found in non-os package type (python) - /opt/minemeld/engine/0.9.70.post1/lib/python2.7/site-packages/PyYAML (max_days_since_creation=2020-05-29)(CVE-2020-1747 - https://nvd.nist.gov/vuln/detail/CVE-2020-1747) warn
17:04:34 vulnerabilities package [1;31m[4;31mCRITICAL[0m Vulnerability found in non-os package type (python) - /usr/lib/python2.7/lib-dynload/Python (max_days_since_creation=2020-07-16)(CVE-2019-9948 - https://nvd.nist.gov/vuln/detail/CVE-2019-9948) warn
17:04:34 vulnerabilities package [1;31m[4;31mCRITICAL[0m Vulnerability found in non-os package type (python) - /usr/lib/python2.7/lib-dynload/Python (max_days_since_creation=2020-07-10)(CVE-2019-9636 - https://nvd.nist.gov/vuln/detail/CVE-2019-9636) warn

0 Likes Likes
1 REPLY 1

lmori
L7 Applicator

‎09-09-2020 12:12 AM

Hi @martinsarrionandia,

thanks for your message. We are aware of those vulnerabilities in the libraries used by MineMeld, but MineMeld code does not make use of the vulnerable features in the affected libraries. We are currently working on:

- a new release based on Python 2.7.18 to get rid of the old versions

- a new release based on Python 3

 

Happy to discuss all the details.

 

Please note that Palo Alto Networks has an official process for reporting reporting potential security vulnerabilities in our products, based on the responsible disclosure model. The process is documented here: https://www.paloaltonetworks.com/security-disclosure.

 

Thanks again.

0 Likes Likes
  • 2718 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks