After downloading and building minemeld from https://github.com/PaloAltoNetworks/minemeld-docker ...
Our https://anchore.com/ scanning engine has detected several vulnerabilities...
Amongst other obvious concerns such as;
1. Why is it build with python2.7?
2. Why are Palo Alto still developing with this after Jan 2020 https://pythonclock.org/?
3. Aren't you supposed to migrate before end of support not after?
I was wondering if somebody from Palo Alto could address these vulnerabilities? It's not great to have a security product that is full of security vulnerabilities.
I did raise a Palo Alto Support case as we spend an astronomical amount of money with them. Minemeld is only supported on Autofocus which we do not have, so they directed me here...
So please Palo Alto, pretty please with sugar on top can you fix these vulnerabilities in your product. Thanks! By the way these are only the worst ones. You should probably scan your containers before you publish them! The whole idea is that I invest in security products to make things more secure, not introduce vulnerabilities.
17:04:34 vulnerabilities package [1;31m[4;31mCRITICAL[0m Vulnerability found in non-os package type (python) - /opt/minemeld/engine/0.9.70.post1/lib/python2.7/site-packages/PyYAML (max_days_since_creation=2020-05-29)(CVE-2020-1747 - https://nvd.nist.gov/vuln/detail/CVE-2020-1747) warn
17:04:34 vulnerabilities package [1;31m[4;31mCRITICAL[0m Vulnerability found in non-os package type (python) - /usr/lib/python2.7/lib-dynload/Python (max_days_since_creation=2020-07-16)(CVE-2019-9948 - https://nvd.nist.gov/vuln/detail/CVE-2019-9948) warn
17:04:34 vulnerabilities package [1;31m[4;31mCRITICAL[0m Vulnerability found in non-os package type (python) - /usr/lib/python2.7/lib-dynload/Python (max_days_since_creation=2020-07-10)(CVE-2019-9636 - https://nvd.nist.gov/vuln/detail/CVE-2019-9636) warn
thanks for your message. We are aware of those vulnerabilities in the libraries used by MineMeld, but MineMeld code does not make use of the vulnerable features in the affected libraries. We are currently working on:
- a new release based on Python 2.7.18 to get rid of the old versions
- a new release based on Python 3
Happy to discuss all the details.
Please note that Palo Alto Networks has an official process for reporting reporting potential security vulnerabilities in our products, based on the responsible disclosure model. The process is documented here: https://www.paloaltonetworks.com/security-disclosure.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!