After downloading and building minemeld from https://github.com/PaloAltoNetworks/minemeld-docker ...
Our https://anchore.com/ scanning engine has detected several vulnerabilities...
Amongst other obvious concerns such as:
1. Why is it built with python2.7?
2. Why are Palo Alto still developing with this after Jan 2020 https://pythonclock.org/?
3. Aren't you supposed to migrate before end of support not after?
I was wondering if somebody from Palo Alto could address these vulnerabilities? It's not great to have a security product that is full of security vulnerabilities.
I did raise a Palo Alto Support case as we spend an astronomical amount of money with them. Minemeld is only supported on Autofocus which we do not have, so they directed me here...
So please Palo Alto, pretty please with sugar on top can you fix these vulnerabilities in your product. Thanks! By the way these are only the worst ones. You should probably scan your containers before you publish them! The whole idea is that I invest in security products to make things more secure, not introduce vulnerabilities.
17:04:34 vulnerabilities package CRITICAL Vulnerability found in non-os package type (python) - /opt/minemeld/engine/0.9.70.post1/lib/python2.7/site-packages/PyYAML (max_days_since_creation=2020-05-29)(CVE-2020-1747 - https://nvd.nist.gov/vuln/detail/CVE-2020-1747 ) warn
17:04:34 vulnerabilities package CRITICAL Vulnerability found in non-os package type (python) - /usr/lib/python2.7/lib-dynload/Python (max_days_since_creation=2020-07-16)(CVE-2019-9948 - https://nvd.nist.gov/vuln/detail/CVE-2019-9948 ) warn
17:04:34 vulnerabilities package CRITICAL Vulnerability found in non-os package type (python) - /usr/lib/python2.7/lib-dynload/Python (max_days_since_creation=2020-07-10)(CVE-2019-9636 - https://nvd.nist.gov/vuln/detail/CVE-2019-9636 ) warn