ADAL package, which is EOL, included in latest az-cli

[virtualjack]

Describe the bug

On Linux
find /usr -name "*adal"
yields
/usr/lib64/az/lib/python3.9/site-packages/adal (NOTE: This package is installed by the az-cli package install)

On Windows, the find command returned the package at
./Program Files/Microsoft SDKs/Azure/CLI2/Lib/site-packages/adal

Related command

az version

Errors

End-of-Life (EOL) Software Installed
Control
Edit

ServiceNow
Create a Ticket
Run an Action
Export All Issues
Create Automation
Give Feedback

This resource is running a version of the software that is end-of-life (EOL) which usually means that it is no longer patched for security vulnerabilities. It should be updated to a supported version, deleted, or have an approved security exception on file.

Severity
Medium
Scope

Risks

Related Frameworks

Generates Issues
Yes
Tags
Status
Enabled
Created
Feb 5, 2024, 9:40 AM
Last Evaluated
Jun 28, 2024, 4:11 AM

Issue script & Debug output

$ az --debug
cli.knack.cli: Command arguments: ['--debug']
cli.knack.cli: init debug log:
Enable color in terminal.
Enable VT mode.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_argument
s at 0x000001E2B107B880>, <function OutputProducer.on_global_arguments at 0x000001E2B120A0C0>, <func
tion CLIQuery.on_global_arguments at 0x000001E2B1237C40>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: No module found from index for '['--debug']'
cli.azure.cli.core: Loading all modules and extensions
cli.azure.cli.core: Discovered command modules: ['acr', 'acs', 'advisor', 'ams', 'apim', 'appconfig'
, 'appservice', 'aro', 'backup', 'batch', 'batchai', 'billing', 'botservice', 'cdn', 'cloud', 'cogni
tiveservices', 'compute_recommender', 'config', 'configure', 'consumption', 'container', 'containera
pp', 'cosmosdb', 'databoxedge', 'dla', 'dls', 'dms', 'eventgrid', 'eventhubs', 'extension', 'feedbac
k', 'find', 'hdinsight', 'identity', 'interactive', 'iot', 'keyvault', 'kusto', 'lab', 'managedservi
ces', 'maps', 'marketplaceordering', 'monitor', 'mysql', 'netappfiles', 'network', 'policyinsights',
'privatedns', 'profile', 'rdbms', 'redis', 'relay', 'resource', 'role', 'search', 'security', 'serv
icebus', 'serviceconnector', 'servicefabric', 'signalr', 'sql', 'sqlvm', 'storage', 'synapse', 'util
', 'vm']
cli.azure.cli.core: Loading command modules:
cli.azure.cli.core: Name Load Time Groups Commands
cli.azure.cli.core: acr 0.224 36 149
cli.azure.cli.core: acs 0.046 14 76
cli.azure.cli.core: advisor 0.003 3 6
cli.azure.cli.core: ams 0.005 22 100
cli.azure.cli.core: apim 0.008 14 69
cli.azure.cli.core: appconfig 0.004 9 47
cli.azure.cli.core: appservice 0.109 79 270
cli.azure.cli.core: aro 0.022 1 10
cli.azure.cli.core: backup 0.005 16 60
cli.azure.cli.core: batch 0.031 34 102
cli.azure.cli.core: batchai 0.004 10 30
cli.azure.cli.core: billing 0.020 19 53
cli.azure.cli.core: botservice 0.004 12 42
cli.azure.cli.core: cdn 0.155 8 49
cli.azure.cli.core: cloud 0.003 1 7
cli.azure.cli.core: cognitiveservices 0.003 10 33
cli.azure.cli.core: compute_recommender 0.006 1 1
cli.azure.cli.core: config 0.002 2 7
cli.azure.cli.core: configure 0.002 2 5
cli.azure.cli.core: consumption 0.026 8 9
cli.azure.cli.core: container 0.016 1 11
cli.azure.cli.core: containerapp 0.176 36 115
cli.azure.cli.core: cosmosdb 0.017 58 199
cli.azure.cli.core: databoxedge 0.013 5 28
cli.azure.cli.core: dla 0.004 23 62
cli.azure.cli.core: dls 0.004 7 41
cli.azure.cli.core: dms 0.003 3 22
cli.azure.cli.core: eventgrid 0.005 25 96
cli.azure.cli.core: eventhubs 0.018 13 19
cli.azure.cli.core: extension 0.002 1 7
cli.azure.cli.core: feedback 0.001 1 2
cli.azure.cli.core: find 0.002 1 1
cli.azure.cli.core: hdinsight 0.010 8 39
cli.azure.cli.core: identity 0.003 2 11
cli.azure.cli.core: interactive 0.001 1 1
cli.azure.cli.core: iot 0.160 19 82
cli.azure.cli.core: keyvault 0.008 20 113
cli.azure.cli.core: kusto 0.003 3 14
cli.azure.cli.core: lab 0.004 11 34
cli.azure.cli.core: managedservices 0.002 3 8
cli.azure.cli.core: maps 0.002 5 13
cli.azure.cli.core: marketplaceordering 0.006 1 2
cli.azure.cli.core: monitor 0.377 18 61
cli.azure.cli.core: mysql 0.153 15 51
cli.azure.cli.core: netappfiles 0.076 8 17
cli.azure.cli.core: network 0.081 103 338
cli.azure.cli.core: policyinsights 0.026 9 17
cli.azure.cli.core: privatedns 0.037 14 60
cli.azure.cli.core: profile 0.003 2 8
cli.azure.cli.core: rdbms 0.031 49 202
cli.azure.cli.core: redis 0.004 7 38
cli.azure.cli.core: relay 0.047 7 8
cli.azure.cli.core: resource 0.017 51 231
cli.azure.cli.core: role 0.003 17 61
cli.azure.cli.core: search 0.016 7 19
cli.azure.cli.core: security 0.019 48 98
cli.azure.cli.core: servicebus 0.018 12 15
cli.azure.cli.core: serviceconnector 0.024 20 307
cli.azure.cli.core: servicefabric 0.025 27 80
cli.azure.cli.core: signalr 0.004 9 34
cli.azure.cli.core: sql 0.020 56 215
cli.azure.cli.core: sqlvm 0.083 4 20
cli.azure.cli.core: storage 0.047 59 273
cli.azure.cli.core: synapse 0.015 54 246
cli.azure.cli.core: util 0.003 3 7
cli.azure.cli.core: vm 0.054 58 269
cli.azure.cli.core: Total (66) 2.326 1205 4720
cli.azure.cli.core: Loaded 1191 groups, 4720 commands.
cli.azure.cli.core: Updated command index in 0.004 seconds.
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_
file_logging at 0x000001E2B40AE340>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to 'C:\Users\jstewart1.a
zure\commands\2024-06-28.14-02-31.unknown_command.5500.log'.
az_command_data_logger: command args: --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argum
ent..add_subscription_parameter at 0x000001E2B40DEA20>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument..add_ids_arguments at 0x000001E2B413C7C0>, <function register_cache_arguments..add_cache_
arguments at 0x000001E2B413C900>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []

Welcome to Azure CLI!

Use az -h to see available commands or go to https://aka.ms/cli.

Telemetry

The Azure CLI collects usage data in order to improve your experience.
The data is anonymous and does not include commandline argument values.
The data is collected by Microsoft.

You can change your telemetry settings with az configure.

 /\
/  \    _____   _ _  ___ _

/ /\ \ |_ / | | | '/
/ ____ \ / /| || | | | /
// _/|_,|_| _|

Welcome to the cool new Azure CLI!

Use az --version to display the current version.
Here are the base commands:

account             : Manage Azure subscription information.
acr                 : Manage private registries with Azure Container Registries.
ad                  : Manage Microsoft Entra ID (formerly known as Azure Active Directory, Azure
                     AD, AAD) entities needed for Azure role-based access control (Azure RBAC)
                     through Microsoft Graph API.
advisor             : Manage Azure Advisor.
afd                 : Manage Azure Front Door Standard/Premium.
aks                 : Manage Azure Kubernetes Services.
ams                 : Manage Azure Media Services resources.
apim                : Manage Azure API Management services.
appconfig           : Manage App Configurations.
appservice          : Manage App Service plans.
aro                 : Manage Azure Red Hat OpenShift clusters.
backup              : Manage Azure Backups.
batch               : Manage Azure Batch.
bicep               : Bicep CLI command group.
billing             : Manage Azure Billing.
bot                 : Manage Microsoft Azure Bot Service.
cache               : Commands to manage CLI objects cached using the `--defer` argument.
capacity            : Manage capacity.
cdn                 : Manage Azure Content Delivery Networks (CDNs).
cloud               : Manage registered Azure clouds.
cognitiveservices   : Manage Azure Cognitive Services accounts.
compute-recommender : Manage sku/zone/region recommender info for compute resources.
config              : Manage Azure CLI configuration.
configure           : Manage Azure CLI configuration. This command is interactive.
connection          : Commands to manage Service Connector local connections which allow local
                     environment to connect Azure Resource. If you want to manage connection for
                     compute service, please run 'az webapp/containerapp/spring connection'.
consumption         : Manage consumption of Azure resources.
container           : Manage Azure Container Instances.
containerapp        : Manage Azure Container Apps.
cosmosdb            : Manage Azure Cosmos DB database accounts.
databoxedge         : Manage device with databoxedge.
deployment          : Manage Azure Resource Manager template deployment at subscription scope.
deployment-scripts  : Manage deployment scripts at subscription or resource group scope.
disk                : Manage Azure Managed Disks.
disk-access         : Manage disk access resources.
disk-encryption-set : Disk Encryption Set resource.
dla                 : Manage Data Lake Analytics accounts, jobs, and catalogs.
dls                 : Manage Data Lake Store accounts and filesystems.
dms                 : Manage Azure Data Migration Service (classic) instances.
eventgrid           : Manage Azure Event Grid topics, domains, domain topics, system topics
                     partner topics, event subscriptions, system topic event subscriptions and
                     partner topic event subscriptions.
eventhubs           : Eventhubs.
extension           : Manage and update CLI extensions.
feature             : Manage resource provider features.
feedback            : Send feedback to the Azure CLI Team.
find                : I'm an AI robot, my advice is based on our Azure documentation as well as
                     the usage patterns of Azure CLI and Azure ARM users. Using me improves
                     Azure products and documentation.
functionapp         : Manage function apps. To install the Azure Functions Core tools see
                     https://github.com/Azure/azure-functions-core-tools.
group               : Manage resource groups and template deployments.
hdinsight           : Manage HDInsight resources.
identity            : Managed Identities.
image               : Manage custom virtual machine images.
interactive         : Start interactive mode. Installs the Interactive extension if not
                     installed already.
iot                 : Manage Internet of Things (IoT) assets.
keyvault            : Manage KeyVault keys, secrets, and certificates.
kusto               : Manage Azure Kusto resources.
lab                 : Manage Azure DevTest Labs.
lock                : Manage Azure locks.
logicapp            : Manage logic apps.
login               : Log in to Azure.
logout              : Log out to remove access to Azure subscriptions.
managed-cassandra   : Azure Managed Cassandra.
managedapp          : Manage template solutions provided and maintained by Independent Software
                     Vendors (ISVs).
managedservices     : Manage the registration assignments and definitions in Azure.
maps                : Manage Azure Maps.
mariadb             : Manage Azure Database for MariaDB servers.
monitor             : Manage the Azure Monitor Service.
mysql               : Manage Azure Database for MySQL servers.
netappfiles         : Manage Azure NetApp Files (ANF) Resources.
network             : Manage Azure Network resources.
policy              : Manage resource policies.
postgres            : Manage Azure Database for PostgreSQL servers.
ppg                 : Manage Proximity Placement Groups.
private-link        : Private-link association CLI command group.
provider            : Manage resource providers.
redis               : Manage dedicated Redis caches for your Azure applications.
relay               : Manage Azure Relay Service namespaces, WCF relays, hybrid connections, and
                     rules.
resource            : Manage Azure resources.
resourcemanagement  : Resourcemanagement CLI command group.
rest                : Invoke a custom request.
restore-point       : Manage restore point with res.
role                : Manage Azure role-based access control (Azure RBAC).
search              : Manage Azure Search services, admin keys and query keys.
security            : Manage your security posture with Microsoft Defender for Cloud.
servicebus          : Servicebus.
sf                  : Manage and administer Azure Service Fabric clusters.
sig                 : Manage shared image gallery.
signalr             : Manage Azure SignalR Service.
snapshot            : Manage point-in-time copies of managed disks, native blobs, or other
                     snapshots.
sql                 : Manage Azure SQL Databases and Data Warehouses.
sshkey              : Manage ssh public key with vm.
stack               : A deployment stack is a native Azure resource type that enables you to
                     perform operations on a resource collection as an atomic unit.
staticwebapp        : Manage static apps.
storage             : Manage Azure Cloud Storage resources.
survey              : Take Azure CLI survey.
synapse             : Manage and operate Synapse Workspace, Spark Pool, SQL Pool.
tag                 : Tag Management on a resource.
term                : Manage marketplace agreement with marketplaceordering.
ts                  : Manage template specs at subscription or resource group scope.
upgrade             : Upgrade Azure CLI and extensions.
version             : Show the versions of Azure CLI modules and extensions in JSON format by
                     default or format configured by --output.
vm                  : Manage Linux or Windows virtual machines.
vmss                : Manage groupings of virtual machines in an Azure Virtual Machine Scale Set
                     (VMSS).
webapp              : Manage web apps.

cli.knack.cli: Event: Cli.SuccessfulExecute []
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x00000
1E2B40AE5C0>]
az_command_data_logger: exit code: 0
cli.main: Command ran in 3.002 seconds (init: 0.526, invoke: 2.476)
telemetry.main: Begin splitting cli events and extra events, total events: 1
telemetry.client: Accumulated 0 events. Flush the clients.
telemetry.main: Finish splitting cli events and extra events, cli events: 1
telemetry.save: Save telemetry record of length 3495 in cache
telemetry.main: Begin creating telemetry upload process.
telemetry.process: Creating upload process: "C:\Program Files\Microsoft SDKs\Azure\CLI2\python.exe C
:\Program Files\Microsoft SDKs\Azure\CLI2\Lib\site-packages\azure\cli\telemetry_init_.pyc C:\User
s\jstewart1.azure"
telemetry.process: Return from creating process
telemetry.main: Finish creating telemetry upload process.

Expected behavior

ADAL package should not be isntalled

Environment Summary

$ az version
{
"azure-cli": "2.61.0",
"azure-cli-core": "2.61.0",
"azure-cli-telemetry": "1.1.0",
"extensions": {}
}

Additional context

Having an EOL package installed with the distribution introduces vulnerabilities into the environment as that package can still be referenced. This package has been EOL since December 2022

Please remove the EOL package. If, for some reason, you feel that you need to make this library available I would recommend that you put it in a separate package (e.g. az-cli-deprecated )

[yonzhan]

Thank you for opening this issue, we will look into it.

[microsoft-github-policy-service]

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @AzureAppServiceCLI, @antcp.

[ADBjester]

I note that MSAL has been used since CLI v2.30.0:

https://learn.microsoft.com/en-us/cli/azure/release-notes-azure-cli#november-02-2021

Since ADAL hasn't been used for authentication in the CLI since 2021, it seems safe to remove the python ADAL package entirely.

[microsoft-github-policy-service]

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @adamedx.

[microsoft-github-policy-service]

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @AzureAppServiceCLI, @antcp.

[virtualjack]

Does the fact that Microsoft is installing a vulnerable library change the priority?

[virtualjack]

If az-cli isn't being updated to remove EOL libraries, I guess it means that it is effectively unsupported. I've leave this open for a bit in case anyone has any follow-up comments, and then close it.

[jiasli]

Azure CLI Core removed the dependency on ADAL in #19853.

However, adal is indeed installed. pipdeptree shows it is installed by azure-datalake-store and msrestazure:

> pipdeptree --reverse --packages adal
adal==1.2.7
├── azure-datalake-store==0.0.49 [requires: adal>=0.4.2]
│   └── azure-cli==2.62.0 [requires: azure-datalake-store~=0.0.49]
└── msrestazure==0.6.4 [requires: adal>=0.6.0,<2.0.0]
    ├── azure-batch==14.2.0 [requires: msrestazure>=0.4.32,<2.0.0]
    │   └── azure-cli==2.62.0 [requires: azure-batch~=14.2.0]
    ├── azure-cli-core==2.62.0 [requires: msrestazure~=0.6.4]
    │   └── azure-cli==2.62.0 [requires: azure-cli-core==2.62.0]
    ├── azure-graphrbac==0.60.0 [requires: msrestazure>=0.4.32,<2.0.0]
    │   └── azure-cli==2.62.0 [requires: azure-graphrbac~=0.60.0]
    ├── azure-mgmt-datalake-store==0.5.0 [requires: msrestazure>=0.4.27,<2.0.0]
    ├── azure-mgmt-devtestlabs==4.0.0 [requires: msrestazure>=0.4.32,<2.0.0]
    │   └── azure-cli==2.62.0 [requires: azure-mgmt-devtestlabs~=4.0]
    ├── azure-mgmt-kusto==0.3.0 [requires: msrestazure>=0.4.32,<2.0.0]
    │   └── azure-cli==2.62.0 [requires: azure-mgmt-kusto~=0.3.0]
    └── azure-mgmt-managedservices==1.0.0 [requires: msrestazure>=0.4.32,<2.0.0]
        └── azure-cli==2.62.0 [requires: azure-mgmt-managedservices~=1.0]

For azure-datalake-store, I will contact the service team to move to the latest 0.0.53 which already uses MSAL. (Update: Done in #29408)

For msrestazure, it is required by Track 1 SDKs and azure-cli-core:

• Dropping Track 1 SDKs is tracked by Drop Track 1 Azure SDK support #20460
• Azure CLI uses msrestazure to support managed identity. Dropping msrestazure is tracked by Migrate Managed Identity's implementation from msrestazure to MSAL #25860, Remove msrestazure from python deps #28231

However, adal is installed merely as a dependency. No functionality from adal is used.

[jiasli]

A code search shows azure.datalake.store is used by dls module:

azure-cli/src/azure-cli/azure/cli/command_modules/dls/_client_factory.py

Line 32 in acec6c3

from azure.datalake.store import core

owned by service team @akharit @rahuldutta90

azure-cli/.github/CODEOWNERS

Line 39 in 9e3ce99

/src/azure-cli/azure/cli/command_modules/dls/ @akharit @rahuldutta90 @jsntcy @yonzhan @evelyn-ys

[jiasli]

#29408 bumped azure-datalake-store to 0.0.53 which removed the dependency on adal.

The current dependency chain on adal is:

> pipdeptree --reverse --packages adal
adal==1.2.7
└── msrestazure==0.6.4 [requires: adal>=0.6.0,<2.0.0]
    ├── azure-batch==14.2.0 [requires: msrestazure>=0.4.32,<2.0.0]
    │   └── azure-cli==2.63.0 [requires: azure-batch~=14.2.0]
    ├── azure-cli-core==2.63.0 [requires: msrestazure~=0.6.4]
    │   └── azure-cli==2.63.0 [requires: azure-cli-core==2.63.0]
    ├── azure-graphrbac==0.60.0 [requires: msrestazure>=0.4.32,<2.0.0]
    │   └── azure-cli==2.63.0 [requires: azure-graphrbac~=0.60.0]
    ├── azure-mgmt-devtestlabs==4.0.0 [requires: msrestazure>=0.4.32,<2.0.0]
    │   └── azure-cli==2.63.0 [requires: azure-mgmt-devtestlabs~=4.0]
    ├── azure-mgmt-kusto==0.3.0 [requires: msrestazure>=0.4.32,<2.0.0]
    │   └── azure-cli==2.63.0 [requires: azure-mgmt-kusto~=0.3.0]
    └── azure-mgmt-managedservices==1.0.0 [requires: msrestazure>=0.4.32,<2.0.0]
        └── azure-cli==2.63.0 [requires: azure-mgmt-managedservices~=1.0]

For msrestazure, it is required by

• Track 1 SDKs
  • azure-graphrbac: for AD Graph, required by lab and servicefabric modules {Service Fabric} Migrate servicefabric command module to Microsoft Graph #28105
  • azure-batch
  • azure-mgmt-devtestlabs
  • azure-mgmt-kusto
  • azure-mgmt-managedservices
• azure-cli-core: For managed identity and cloud shell authentication [Core] Use MSAL for managed identity and Cloud Shell authentication #25959

[jiasli]

PRs that are required for dropping ADAL dependency:

• {Core} Refactor code for MSAL authentication #29439
• [Core] Use MSAL for Cloud Shell authentication #29637
• [Core] Use MSAL for managed identity and Cloud Shell authentication #25959
• {Service Fabric} Migrate servicefabric command module to Microsoft Graph #28105
• [Core] Drop Track 1 SDK authentication support #29631
• [Core] Drop old Track 2 SDK authentication support #29690