Microsoft Security Advisory CVE-2023-29331: .NET Denial of Service vulnerability #87498
Comments
dotnet-issue-labeler
bot
added
the
needs-area-label
jeffhandley
added
documentation
|
Tagging subscribers to this area: @dotnet/area-meta Issue DetailsMicrosoft Security Advisory CVE-2023-29331: .NET Denial of Service vulnerabilityExecutive summaryMicrosoft is releasing this security advisory to provide information about a vulnerability in .NET 7.0 and .NET 6.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. A vulnerability exists in .NET when processing X.509 certificates that may result in Denial of Service. AnnouncementAnnouncement for this issue can be found at dotnet/announcements#257 Mitigation factorsMicrosoft has not identified any mitigating factors for this vulnerability. Affected software
If your application uses the following package versions, ensure you update to the latest version of .NET. .NET 7
.NET 6
Advisory FAQHow do I know if I am affected?If you have a runtime or SDK with a version listed, or an affected package listed in affected software, you're exposed to the vulnerability. How do I fix the issue?
.NET 6.0 and and .NET 7.0 updates are also available from Microsoft Update. To access this either type "Check for updates" in your Windows search, or open Settings, choose Update & Security and then click Check for Updates. Once you have installed the updated runtime or SDK, restart your apps for the update to take effect. Additionally, if you've deployed self-contained applications targeting any of the impacted versions, these applications are also vulnerable and must be recompiled and redeployed. Other InformationReporting Security IssuesIf you have found a potential security issue in .NET 6.0 or .NET 7.0, please email details to secure@microsoft.com. Reports may qualify for the Microsoft .NET Core & .NET 5 Bounty. Details of the Microsoft .NET Bounty Program including terms and conditions are at https://aka.ms/corebounty. SupportYou can ask questions about this issue on GitHub in the .NET GitHub organization. The main repos are located at https://github.com/dotnet/runtime and https://github.com/dotnet/aspnet/. The Announcements repo (https://github.com/dotnet/Announcements) will contain this bulletin as an issue and will include a link to a discussion issue. You can ask questions in the linked discussion issue. DisclaimerThe information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. External LinksRevisionsV1.0 (May 9, 2023): Advisory published. Version 1.0 Last Updated 2023-05-09
|
|
Is there a reason a new version of System.Security.Cryptography.Xml requiring System.Security.Cryptography.Pkcs >= 7.0.2 was not introduced? Or is that not standard practice for this type of fix. |
|
Even after using latest SDK for .net 6.0, it is still giving Prisma issue during build, is there any way to resolve that? |
|
Any chance to get updated System.Security.Cryptography.Xml packages for .NET 6 and 7? |
|
This question has been asked multiple times but nobody has responded. Can you please release a new version of |
|
For packages built out of dotnet/runtime we only ship a new version of a package if the package itself requires changes. We do not ship new versions of library packages just to update dependencies. Should the package need to ship in the future for some other reason it will have the updated dependency. |
|
@ericstj I understand how that, in general, package releases are frequent enough that that policy is probably fine most of the time. But it's been almost 3 months and the latest version of What happens if this package does have a new version shipped for 1 year? 2 years? etc. It's also problematic because, unless consumers are actively looking at their transient dependencies and running security analysis on those, they are not going to be aware that even the latest version of that package is insecure. |
It does not have a vulnerability itself. It references a minimum version of another component which has a vulnerability.
It will have a new version shipped annually with the next major release of .NET.
It's a contradiction to care about security but not care about it for transitive dependencies. If one takes that perspective, they will either leave themselves unpatched because some component they don't control doesn't update - or delay the time to being patched until everyone in their closure can ship a new version. It's our position that relying on all direct dependencies to update is bad practice. Component Governance helps folks identify transitive dependencies that need an update and central package versioning with transitive pinning helps you represent those updates in a way that's not too burdensome on the repository. If you would still like a change in the policy here, you can open a new issue or discussion to track that conversation. I'll reiterate though, that we only control what happens for our packages - and based on the way the ecosystem/NuGet works one must care about transitive dependencies to ensure they are truly patched. |
|
I understand the stance and how taking the opposite approach would be burdensome as there could be many updates necessary all the time. Although there are tools built to solve this problem (see dependabot).
I just think that taking this stance could be too far in the direction of reduced responsibility. It's like selling a car with a flat tire and saying you should be checking all your tires before you take it on the road. It's technically not wrong, but it isn't a great experience for the consumer. I don't disagree that you should be checking transient dependencies, we do just that and that's how i ended up here. I just don't like that we're having to explicitly reference some newer version of a library because of this issue, even though the issue has been long since fixed. I think it could be better. If only there was a way to set a overall project level policy to have nuget resolve the latest minor/patch version of transients... 🤔 |
ghost
locked as resolved and limited conversation to collaborators
Microsoft Security Advisory CVE-2023-29331: .NET Denial of Service vulnerability
Executive summary
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 7.0 and .NET 6.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
A vulnerability exists in .NET when processing X.509 certificates that may result in Denial of Service.
Details: KB5025823
Announcement
Announcement for this issue can be found at dotnet/announcements#257
Mitigation factors
Microsoft has not identified any mitigating factors for this vulnerability.
Affected software
If your application uses the following package versions, ensure you update to the latest version of .NET.
.NET 7
.NET 6
Advisory FAQ
How do I know if I am affected?
If you have a runtime or SDK with a version listed, or an affected package listed in affected software, you're exposed to the vulnerability.
How do I fix the issue?
dotnet --infocommand. You will see output like the following;.NET 6.0 and and .NET 7.0 updates are also available from Microsoft Update. To access this either type "Check for updates" in your Windows search, or open Settings, choose Update & Security and then click Check for Updates.
Once you have installed the updated runtime or SDK, restart your apps for the update to take effect.
Additionally, if you've deployed self-contained applications targeting any of the impacted versions, these applications are also vulnerable and must be recompiled and redeployed.
Other Information
Reporting Security Issues
If you have found a potential security issue in .NET 6.0 or .NET 7.0, please email details to secure@microsoft.com. Reports may qualify for the Microsoft .NET Core & .NET 5 Bounty. Details of the Microsoft .NET Bounty Program including terms and conditions are at https://aka.ms/corebounty.
Support
You can ask questions about this issue on GitHub in the .NET GitHub organization. The main repos are located at https://github.com/dotnet/runtime and https://github.com/dotnet/aspnet/. The Announcements repo (https://github.com/dotnet/Announcements) will contain this bulletin as an issue and will include a link to a discussion issue. You can ask questions in the linked discussion issue.
Disclaimer
The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
External Links
CVE-2023-29331
Revisions
V1.0 (June 13, 2023): Advisory published.
Version 1.0
Last Updated 2023-06-13
The text was updated successfully, but these errors were encountered: