System.IO.Packaging.dll and is vulnerable to CVE-2024-43484 and CVE-2024-43483

[ktrace2]

Wiz is detecting /var/lib/waagent/Microsoft.GuestConfiguration.ConfigurationForLinux-1.26.79/GCAgent/GC/System.IO.Packaging.dll is vulnerable to CVE-2024-43484 and CVE-2024-43483.

The library System.IO.Packaging is version 6.0.0, but the fix is in version 6.0.1.

Can we please get this library updated in the next release of the Microsoft Guest Configuration extension?

[ktrace2]

@iabdulqa are you able to assist with this?

[iabdulqa]

@ktrace2 We are looking into this. While I do not have an exact ETA at this moment, please note that due to the holiday season, we will not be implementing these updates. I estimate that the CVE fix will be released by mid-January or February.

[ktrace2]

@iabdulqa thank you for the update!

[ktrace2]

@iabdulqa any updates on this?

Also do you know who I should reach out to for the Windows Guest Extension v1.29.86.0?

All of our Windows VMs are also now showing vulnerable to 4 high CVEs (CVE-2024-0056, CVE-2024-38095, CVE-2024-43484, CVE-2024-43483)