Vulnerabilities in .NET Core, ASP.NET Core Could Allow Elevation of Privilege

Microsoft Security Advisory 4021279: Microsoft is releasing this security advisory to provide information about vulnerabilities in public .NET Core and ASP.NET Core. This advisory also provides guidance on what developers can do to update their applications correctly.

.NET Core & ASP.NET Core are the next generation of .NET that provide a familiar and modern framework for web and cloud scenarios. These products are actively developed by the .NET and ASP.NET team in collaboration with a community of open source developers, running on Windows, Mac OS X and Linux. When .NET Core was released, the version number was reset to 1.0.0 to reflect the fact that it is a separate product from its predecessor -.NET.

Vulnerabilities in .NET Core and ASP.NET Core could allow elevation of privilege (CVE-2017-0249) and denial of service (CVE-2017-0247).

The vulnerabilities affect any Microsoft .NET Core project if it uses any of the listed affected package versions. These include System.Text.Encodings.Web, System.Net.Http, System.Net.Security and Microsoft.AspNetCore.Mvc.

How do I know if I am affected?

.NET Core and ASP.NET Core have two types of dependencies: direct and transitive. If your project has a direct or transitive dependency on any of the packages and versions listed above, you are affected.
Note: As part of patching ASP.NET Core MVC we update every Microsoft.AspNetCore.Mvc.* package. If, for example, you have a dependency on Microsoft.AspNetCore.Mvc you should update to the appropriate version first (1.0.x should be updated to 1.0.4, 1.1.x should be updated to 1.1.3), and it will also update any other vulnerable Microsoft.AspNetCore.Mvc dependency.

I thought you might find this interesting:   How to filter web traffic with blacklists

Read on @ Github:
Microsoft Security Advisory 4021279: Vulnerabilities in .NET Core, ASP.NET Core Could Allow Elevation of Privilege

Please Support

Each post on Sysadmins of the North takes a significant amount of time to research, write, and edit. Therefore, your donation helps a lot! For example, a donation of $3 U.S. buys me a cup of coffee, and as you know: things jsut work better with coffee. A $10 U.S. donation buys me one month of web hosting (yes, hosting costs money). But seriously, thank you for any amount. Much appreciated!

Please donate to support this site if you found a post interesting or if it helped you solve a problem. Thanks! (Tip: no Paypal account required)

If you appreciated this post, then please donate using this Paypal button

Jan Reilink

My name is Jan. I am not a hacker, coder, developer, programmer or guru. I am merely a system administrator, doing my daily thing at Vevida in the Netherlands. With over 15 years of experience, my specialties include Windows Server, IIS, Linux (CentOS, Debian), security, PHP, websites & optimization.

Leave a Reply

Be the First to Comment!

Hi! Join the discussion, leave a reply!