-
Notifications
You must be signed in to change notification settings - Fork 253
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Microsoft Security Advisory CVE-2022-30184 | .NET Information Disclosure Vulnerability #11883
Comments
It seems really unclear on what the impact is here. 'if you have a nuget package...then you are affected'. If that is the case then do we need to republish all historical nuget packages that were created using the affected versions? |
@mungojam It should say "in the affected versions". Does that help bring clarity? The GitHub advisory will also help with version ranges. Here is the GitHub reviewed advisory too as of an hour ago: |
Does this also affect NuGet bundled with Mono? (dependency of Visual Studio for Mac and VSCode OmniSharp) Edit: Seems so; https://github.com/mono/mono/releases/tag/mono-6.12.0.182 |
I had assumed that, but it's useful to add. My query is more about the resolution. If we have built many nuget packages and packages versions with the affected versions, should we need to republish all of those nuget package versions? The implication is yes but it only says to update your version of nuget/.net SDK, not about republishing old versions. |
Sorry I'm struggling to articulate my questions. Here are a few more related ones:
|
The most important part of the fix in NuGet 6.2.1 seems to be NuGet/NuGet.Client@ec6e62a#diff-9e678e6dcc29381eb7c564f0e75ffc3ffc35458eca412c35b6404340b698d074R58-R65. If you used NuGet (e.g. Anyway, if you suspect your credential might have leaked, it would be more prudent to replace the credential than republish the packages. |
@KalleOlaviNiemitalo that's helpful to know if it is 'nuget push' that is affected, not 'nuget pack'. We don't have nuget.org credentials so those won't be leaked, however it's not clear if GitHub packages credentials could also have been leaked (the advisory only mentions nuget.org credentials but it seems logical that any nuget server credentials might be leaked) |
To expand on the vulnerability (we don't go into details on CVEs, hence the confusion here, and everyone defers to me on whether details need to be shared, hence the delay in a response.) The problem would have occured when you publish a package to nuget.org using any of the affected nuget clients. It is limited to nuget.org api credentials and doesn't affect github or azdo credentials. It is only the pushing operation that could expose api credentials, nothing gets dropped into your nupkgs, you don't have to rebuild packages or republish. If you're concerned, rotate your api credentials and look at your published packages and make sure you recognise all of them. We haven't detected any attacks, but you never know. I hope this is enough detail @mungojam, if it's not please tag me in a response. |
Was this issue discovered by someone specifically looking for vulnerabilities, or by someone working on the code for other purposes? |
As part of a variant analysis |
It seems there is a breaking change in NuGet 6.0.2/.NET SDK 6.0.301 where the nuget.config setting "globalPackagesFolder" isn't being used. |
OK so turns out it's not finding the 6.0.6 runtime. If I clear the package sources the error message is pretty clear. If I change the runtime to 6.0.5 and check in those runtime binaries it works - but I don't want to specify a version of the runtime to use. Was this runtime package mistakenly left out of SDK 6.0.301? |
Changelog: Mono 6.12.0.182 Release Notes Highlights Fix for NuGet security issue NuGet/Home#11883 Various bugfixes Mono 6.12.0.174 Release Notes Highlights Various bugfixes Resolved Issues 19395 Ensure generic parameter constraint type is included when building image 19434 [metadata] Handle MONO_TYPE_FNPTR case in collect_type_images 20218 Trying to open a pseudo-tty throws an exception · Issue #20218 · mono/mono · GitHub</title> 20219 Ignore EINVAL errors on ioctl TIOCMGET/TIOCMSET 20909 [2020-02] Backport Apple silicon support 20918 [2020-02][marshal] Fix VARIANT and BSTR marshaling in structs 20978 [2020-02] Fix the System.String.Replace throwing NotImplementedException 20983 [2020-02] Bump msbuild, roslyn and nuget 20986 [2020-02] Backport r4-conv-i fixes 21006 [2020-02][arm64] Fix wrong marshalling in gsharedvt transition 21018 [2020-02] bump corefx 21029 [2020-02][System.Native] Handle ReadDir EINTR 21042 [2020-02][MonoIO] Wrap calls to open() in EINTR handling 21053 [2020-02] Fix leak in assembly-specific dllmap lookups 21073 [2020-02][MSBuild] Update to vs16.10 branch 21116 [2020-02] Fix memory leak during data registration (#21107) 21126 [2020-02] Start a dedicated thread for MERP crash reporting 21142 [mono] Fix race during mono_image_storage_open 21186 [2020-02][mini] Add GC Unsafe transitions in mono_pmip 21190 2020 02 backport metadata fixes 21195 [2020-02] Adding null check to avoid abort when invalid IL is encountered 21196 [2020-02] [Mono.Profiler.Aot] Write true string wire length 21201 [2020-02] Ignore inherit param for ParameterInfo.GetCustomAttributes 21203 Trying to open a pseudo-tty throws an exception on 5.13+ Linux kernels · Issue #21203 · mono/mono · GitHub</title> 21205 [2020-02][linux] Some pseudo-tty fixes 21209 [2020-02] [mini] Don’t add unbox tramopline on generic DIM calls 21218 [MacSDK] Add F# targets to VisualStudio/v17.0 directory 21225 [2020-02][aot] Don’t leak unbox trampolines 21240 Revert “[2020-02] Start a dedicated thread for MERP crash reporting (#21126)” 21261 Allow nfloat to be in the ObjCRuntime namespace, and make it work for Xamarin.MacCatalyst.dll as well. 21309 [2020-02] [aot] Prepend the assembly name to the names of gsharedvt wrappers to avoid duplicate symbol errors during static linking. 21351 [2020-02] Adds full path to libcairo for correct assembly directory resolution in monterey 21366 [2020-02] [cominterop] Add coop handle enter/return on native CCW methods 21391 [2020-02] transform sgen_get_descriptor to parallel safe version in job_major_mod_union_preclean 21395 [2020-02][interp] Remove hack for nint/nfloat 21407 [2020-02] Add missing handle function enter/return macros 21419 [2020-02] [AOT] Use .short directive instead of .hword 21420 [2020-02] Avoid an assert in ves_icall_RuntimeFieldInfo_SetValueInternal 21422 [2020-02] vtable setup fix for generic default interface methods in mono runtime 21431 [2020-02] [Tools] Fix mono-api-html MarkdownFormatter.cs to avoid a NRE 21433 [Android] Workaround for invalid return value from clock_nanosleep 21435 [2020-02][Android] Workaround for invalid return value from clock_nanosleep 21452 [2020-02] [AOT] Don’t set the ‘CorrectedSynthesize’ flag in the objc_imageinfo section. 21453 [2020-02][cominterop] Fix CCW memory leak 21460 [2020-02] Use upstream zlib 1.2.12 21471 [2020-02] [mono] Remove some of the restrictions on constrained calls from gsha… 21475 [2020-02] Bump corefx to get MaxResponseHeadersLength fix
I just found this via microsoft/vstest#4409. It seems like the affected reference was https://www.nuget.org/packages/NuGet.Frameworks/5.11.0. This will be even more important starting with .NET 8 when |
Microsoft Security Advisory CVE-2022-30184 | .NET Information Disclosure Vulnerability
Executive summary
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 6.0 and .NET Core 3.1, NuGet (NuGet.exe, NuGet.Commands, NuGet.CommandLine, NuGet.CommandLine.XPlat version range from 3.5.0 to 6.2.0). This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
A vulnerability exists in .NET 6.0, .NET Core 3.1, and NuGet clients (NuGet.exe, NuGet.Commands, NuGet.CommandLine, NuGet.CommandLine.XPlat version range from 3.5.0 to 6.2.0) where a nuget.org credential could be leaked.
Discussion
Announcement for this issue can be found at NuGet/Announcements#62
Mitigation factors
Microsoft has not identified any mitigating factors for this vulnerability.
Affected software
NuGet & NuGet Packages
GitHub Advisory
.NET SDK(s)
How do I know if I am affected?
If you have a NuGet.exe, NuGet package, or .NET SDK with a version listed in affected software, you're exposed to the vulnerability.
How do I fix the issue?
To fix the issue, please install the latest version of .NET 6.0 or .NET Core 3.1 and NuGet (NuGet.exe, NuGet.Commands, NuGet.CommandLine, NuGet.CommandLine.XPlat version 4.9.5, 5.7.2, 5.9.2, 5.11.2, 6.0.2, 6.2.1). If you have installed one or more .NET SDKs through Visual Studio, Visual Studio will prompt you to update Visual Studio, which will also update your .NET SDKs.
You can get the version of NuGet.exe by running the
nuget
command. You should see an output like the following:If you're using NuGet.exe 6.2.0 or lower, you should download and install 6.2.1 from https://dist.nuget.org/win-x86-commandline/v6.2.1/nuget.exe.
If you're using NuGet.exe 6.0.1 or lower, you should download and install 6.0.2 from https://dist.nuget.org/win-x86-commandline/v6.0.2/nuget.exe.
If you're using NuGet.exe 5.11.1 or lower, you should download and install 5.11.2 from https://dist.nuget.org/win-x86-commandline/v5.11.2/nuget.exe.
If you're using NuGet.exe 5.9.1 or lower, you should download and install 5.9.2 from https://dist.nuget.org/win-x86-commandline/v5.9.2/nuget.exe.
If you're using NuGet.exe 5.7.1 or lower, you should download and install 5.7.2 from https://dist.nuget.org/win-x86-commandline/v5.7.2/nuget.exe.
If you're using NuGet.exe 5.2.0 or lower, you should download and install 5.2.1 from https://dist.nuget.org/win-x86-commandline/v5.2.1/nuget.exe.
If you're using NuGet.exe 4.9.4 or lower, you should download and install 4.9.5 from https://dist.nuget.org/win-x86-commandline/v4.9.5/nuget.exe.
You can list the versions you have installed by running the
dotnet --info
command. You should see an output like the following:If you're using .NET Core 6.0, you should download and install Runtime 6.0.6 or SDK 6.0.106 (for Visual Studio 2022 v17.0) or SDK 6.0.301 (for Visual Studio 2022 v17.2) from https://dotnet.microsoft.com/download/dotnet-core/6.0.
If you're using .NET Core 3.1, you should download and install Runtime 3.1.26 or SDK 3.1.420 (for Visual Studio 2019 v16.9 or Visual Studio 2011 16.11 or Visual Studio 2022 17.0 or Visual Studio 2022 17.1) from https://dotnet.microsoft.com/download/dotnet-core/3.1
.NET 6.0 and .NET Core 3.1 updates are also available from Microsoft Update. To access this either type "Check for updates" in your Windows search, or open Settings, choose Update & Security and then click Check for Updates.
Once you have installed the updated runtime or SDK, restart your apps for the update to take effect.
Additionally, if you've deployed self-contained applications targeting any of the impacted versions, these applications are also vulnerable and must be recompiled and redeployed.
Other Information
Reporting Security Issues
If you have found a potential security issue in .NET 5 or .NET 6.0, please email details to secure@microsoft.com. Reports may qualify for the Microsoft .NET Core & .NET 5 Bounty. Details of the Microsoft .NET Bounty Program including terms and conditions are at https://aka.ms/corebounty.
Support
You can ask questions about this issue on GitHub in the .NET GitHub organization. The main repo is located at https://github.com/NuGet/NuGet.Client. The Announcements repo will contain this bulletin as an issue and will include a link to a discussion issue. You can ask questions in the linked discussion issue.
Disclaimer
The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
External Links
CVE-2022-30184
Revisions
V1.0 (June 14, 2022): Advisory published.
Version 1.0
Last Updated 2022-06-14
The text was updated successfully, but these errors were encountered: