Description
We are using the mcr.microsoft.com/azure-functions/dotnet:4-dotnet8.0 base Docker image for our application requirements. After we ran our vulnerability checks in GitLab CI/CD, it seems that there is a critical vulnerability with the image; in fact there appears to be a series of CVE vulnerabilities.
mcr.microsoft.com/azure-functions/dotnet:4-dotnet8.0 uses Debian 12 (the Bookworm distro) and has some vulnerable packages. However, upon checking, Debian Forky installs the fixed versions of the vulnerable packages by default. This upgrade in the base image mcr.microsoft.com/azure-functions/dotnet:4-dotnet8.0 should fix the group of vulnerabilities.
Please find the "CRITICAL" vulnerabilities listed below:
1. CVE-2025-6020: A flaw was found in linux-pam. The module pam_namespace may access user-controlled paths without proper protection, allowing local users to elevate their privileges to root via multiple symlink attacks and race conditions.
Vulnerable packages: libpam0g:1.5.2-6+deb12u1, libpam-runtime:1.5.2-6+deb12u1, libpam-modules-bin:1.5.2-6+deb12u1 and libpam-modules:1.5.2-6+deb12u1.
Fix version: 1.7.0-5 (Forky)
Reference: https://security-tracker.debian.org/tracker/CVE-2025-6020
2. CVE-2025-4802: Untrusted LD_LIBRARY_PATH environment variable vulnerability in the GNU C Library versions 2.27 to 2.38 allows attacker-controlled loading of a dynamically shared library in statically compiled setuid binaries that call dlopen (including internal dlopen calls after setlocale or calls to NSS functions such as getaddrinfo).
Vulnerable packages: libc6:2.36-9+deb12u10, libc-bin:2.36-9+deb12u10.
Fix version: 2.41-12 (Forky)
Reference: https://security-tracker.debian.org/tracker/CVE-2025-4802
3. CVE-2025-5222: A stack buffer overflow was found in International Components for Unicode (ICU). While running the genrb binary, the 'subtag' struct overflowed at the SRBRoot::addTag function. This issue may lead to memory corruption and local arbitrary code execution.
Vulnerable packages: libicu72:72.1-3
Fix version: 76.1-4 (Forky)
Reference: https://security-tracker.debian.org/tracker/CVE-2025-5222
4. CVE-2023-31484: CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS.
Vulnerable packages: perl-base:5.36.0-7+deb12u2
Fix version: 5.40.1-6 (Forky)
Reference: https://security-tracker.debian.org/tracker/CVE-2023-31484
The point here is that we have already researched and tested a single fix that resolves all these vulnerabilities. The solution is to upgrade the Debian distro from Bookworm to Forky.
Fix Replication Steps:
1. Create the Dockerfile and run the container (example):

```dockerfile
FROM mcr.microsoft.com/azure-functions/dotnet:4-dotnet8.0
ENV AzureWebJobsScriptRoot=/home/site/wwwroot \
    AzureFunctionsJobHost__Logging__Console__IsEnabled=true
EXPOSE 8080
ENV ASPNETCORE_URLS=http://*:8080
# Switch from bookworm to forky across all apt sources (the base image keeps
# them under /etc/apt/sources.list.d/), then bring the whole system forward.
# DEBIAN_FRONTEND=noninteractive keeps dist-upgrade from blocking on
# configuration prompts during a non-interactive build; the apt lists are
# removed afterwards so they do not bloat the layer.
RUN find /etc/apt/sources.list.d/ -type f -exec sed -i 's/bookworm/forky/g' {} \; && \
    apt-get update && \
    DEBIAN_FRONTEND=noninteractive apt-get dist-upgrade -y && \
    apt-get autoremove -y && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/*
COPY . /home/site/wwwroot
```

Build the image, optionally push it, then start the container and open a shell in it:

```shell
docker build -t arjunbabuust/dotnet:4-dotnet8.0 .
docker push arjunbabuust/dotnet:4-dotnet8.0   # optional; only needed to share the image
# --privileged is not needed to inspect package versions, so the container is
# started without it
docker run -d --name test arjunbabuust/dotnet:4-dotnet8.0
docker exec -it test /bin/bash
```
2. Individual package version assessment (inside the container; the reported output is shown as a comment after each command):

```shell
# 1. libpam family packages (CVE-2025-6020)
dpkg -l | grep libpam0g            # libpam0g:amd64 1.7.0-5
dpkg -l | grep libpam-runtime      # libpam-runtime 1.7.0-5
dpkg -l | grep libpam-modules-bin  # libpam-modules-bin 1.7.0-5
dpkg -l | grep libpam-modules      # libpam-modules:amd64 1.7.0-5, libpam-modules-bin 1.7.0-5
# 2. glibc packages (CVE-2025-4802)
dpkg -l | grep libc6               # libc6:amd64 2.41-12
dpkg -l | grep libc-bin            # libc6:amd64 2.41-12
# 3. ICU package (CVE-2025-5222)
dpkg -l | grep libicu              # libicu72:amd64 72.1-3+deb12u1
# 4. perl base package (CVE-2023-31484)
dpkg -l | grep perl-base           # perl-base 5.40.1-6
```
3. Check the Debian distro details:

```shell
cat /etc/os-release
```

Result:

```
PRETTY_NAME="Debian GNU/Linux forky/sid"
NAME="Debian GNU/Linux"
VERSION_CODENAME=forky
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
```
We would like to request that you incorporate these fixes into the latest container image and provide it. Will that be possible?