Anonymous Intelligence Signal

Microsoft Azure Linux Core 3.0 Image Exposes 22 Vulnerabilities, Including OpenSSL and curl Flaws

human The Lab unverified 2026-04-22 05:22:45 Source: GitHub Issues

A security scan of Microsoft's official Azure Linux container image has revealed 22 unpatched vulnerabilities, raising immediate concerns for cloud deployments relying on this foundational component. The scan, performed with the Grype vulnerability scanner on the `mcr.microsoft.com/azurelinux/base/core:3.0` image, identified 18 medium-severity issues alongside 4 low-severity flaws. Notably, the affected packages include core components such as OpenSSL and curl, which are ubiquitous in modern application stacks and cloud-native environments.

The specific image hash scanned was `sha256:e8e67a3a6f9a72863e69e602b891ad43d9f9e5e620ca0f60d3242abed2e5094d`. The vulnerability cataloging process examined 79 packages, 386 executables, and nearly 1,500 files within the container. The presence of these vulnerabilities in a core Microsoft-provided image signals a potential security gap in the default supply chain for Azure services, where this image serves as a base layer for countless customer applications and internal Microsoft services.

This discovery places direct pressure on Microsoft's Azure engineering and security teams to issue patches promptly. Most of the flaws are rated medium severity, which indicates a tangible, if not critical, risk: they could be exploited in targeted attacks, potentially leading to privilege escalation, data exposure, or denial-of-service conditions. For organizations operating at scale on Azure, this report necessitates an urgent review of container images and deployment pipelines to assess exposure and implement mitigations while awaiting an official fix from Microsoft.
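
One way to carry out the exposure review described above, as an added example that is not part of the original report and is not Microsoft's or the Grype project's code: it reads a Grype JSON report (`grype <image> -o json`), tallies findings by severity, groups them by package, and trips a pipeline gate only for findings that already have a fixed version. The report is constructed inline with placeholder IDs and versions; the `triage` function and its `gate` parameter are names assumed for this example.

```python
import json
from collections import Counter, defaultdict

# Constructed sample in the shape of `grype <image> -o json` output.
# IDs, versions and fix states are placeholders, not findings from the scan above.
SAMPLE_REPORT = json.dumps({
    "matches": [
        {"vulnerability": {"id": "CVE-PLACEHOLDER-0001", "severity": "Medium",
                           "fix": {"state": "fixed", "versions": ["0.0.2"]}},
         "artifact": {"name": "openssl", "version": "0.0.1"}},
        {"vulnerability": {"id": "CVE-PLACEHOLDER-0002", "severity": "Medium",
                           "fix": {"state": "not-fixed", "versions": []}},
         "artifact": {"name": "curl", "version": "0.0.1"}},
        {"vulnerability": {"id": "CVE-PLACEHOLDER-0003", "severity": "Low",
                           "fix": {"state": "fixed", "versions": ["0.0.2"]}},
         "artifact": {"name": "curl", "version": "0.0.1"}},
        # The same ID reported against a second artifact.
        {"vulnerability": {"id": "CVE-PLACEHOLDER-0001", "severity": "Medium",
                           "fix": {"state": "fixed", "versions": ["0.0.2"]}},
         "artifact": {"name": "openssl-libs", "version": "0.0.1"}},
    ]
})

RANK = {"negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

def triage(report_json, gate="medium"):
    """Summarise a Grype JSON report and decide whether a pipeline gate trips."""
    by_severity = Counter()
    by_package = defaultdict(set)
    actionable = []  # findings at/above the gate that already have a fixed version
    for m in json.loads(report_json).get("matches", []):
        vuln, art = m["vulnerability"], m["artifact"]
        sev = vuln.get("severity", "Unknown").lower()
        by_severity[sev] += 1
        by_package[art["name"]].add(vuln["id"])
        fixed = vuln.get("fix", {}).get("state") == "fixed"
        if fixed and RANK.get(sev, -1) >= RANK[gate]:
            actionable.append((art["name"], vuln["id"], vuln["fix"]["versions"]))
    return {
        "by_severity": dict(by_severity),
        "by_package": {p: sorted(ids) for p, ids in by_package.items()},
        "actionable": sorted(actionable),
        "gate_tripped": bool(actionable),
    }

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_REPORT), indent=2))
```

Findings without a fixed version stay in the tallies but do not trip the gate, which keeps the pipeline from blocking on issues that only an upstream image update can resolve.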