Minemeld Vulnerabilities

Announcements

ATTENTION Customers, All Partners and Employees: The Customer Support Portal (CSP) will be undergoing maintenance and unavailable on Saturday, November 7, 2020, from 11 am to 11 pm PST. Please read our blog for more information.

Reply
Highlighted

Minemeld Vulnerabilities

After downloading and building minemeld from https://github.com/PaloAltoNetworks/minemeld-docker ...

Our https://anchore.com/ scanning engine has detected several vulnerabilities...

 

Amongst other obvious concerns such as;

 

1. Why is it build with python2.7?

 

2. Why are Palo Alto still developing with this after Jan 2020 https://pythonclock.org/?

 

3. Aren't you supposed to migrate before end of support not after?

 

I was wondering if somebody from Palo Alto could address these vulnerabilities? It's not great to have a security product that is full of security vulnerabilities. 

 

I did raise a Palo Alto Support case as we spend an astronomical amount of money with them. Minemeld is only supported on Autofocus which we do not have, so they directed me here...

 

So please Palo Alto, pretty please with sugar on top can you fix these vulnerabilities in your product. Thanks! By the way these are only the worst ones. You should probably scan your containers before you publish them! The whole idea is that I invest in security products to make things more secure, not introduce vulnerabilities.

 

17:04:34 vulnerabilities package [1;31m[4;31mCRITICAL[0m Vulnerability found in non-os package type (python) - /opt/minemeld/engine/0.9.70.post1/lib/python2.7/site-packages/PyYAML (max_days_since_creation=2020-05-29)(CVE-2020-1747 - https://nvd.nist.gov/vuln/detail/CVE-2020-1747) warn
17:04:34 vulnerabilities package [1;31m[4;31mCRITICAL[0m Vulnerability found in non-os package type (python) - /usr/lib/python2.7/lib-dynload/Python (max_days_since_creation=2020-07-16)(CVE-2019-9948 - https://nvd.nist.gov/vuln/detail/CVE-2019-9948) warn
17:04:34 vulnerabilities package [1;31m[4;31mCRITICAL[0m Vulnerability found in non-os package type (python) - /usr/lib/python2.7/lib-dynload/Python (max_days_since_creation=2020-07-10)(CVE-2019-9636 - https://nvd.nist.gov/vuln/detail/CVE-2019-9636) warn

Highlighted
L7 Applicator

Hi @martinsarrionandia,

thanks for your message. We are aware of those vulnerabilities in the libraries used by MineMeld, but MineMeld code does not make use of the vulnerable features in the affected libraries. We are currently working on:

- a new release based on Python 2.7.18 to get rid of the old versions

- a new release based on Python 3

 

Happy to discuss all the details.

 

Please note that Palo Alto Networks has an official process for reporting reporting potential security vulnerabilities in our products, based on the responsible disclosure model. The process is documented here: https://www.paloaltonetworks.com/security-disclosure.

 

Thanks again.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!