Microsoft.AspNetCore DoS vulnerability, how to resolve for .NET Framework projects #15423
Comments
/cc @blowdart
That CVE is for ANCM, the piece that sits between IIS and Core. As the bulletin says, install the latest version of the ASP.NET Core Runtime & Hosting Bundle appropriate to the highest version of .NET Core running on your servers. This has nothing to do with what you target, or the aspnetcore library you are linking to; just install the latest hosting bundle, which will then upgrade the DLL listed in the bulletin.
Thanks Blowdart for the clarification. My queries are coming from a scan done on the website Sonatype.com, and it is flagging a CRITICAL error for my published DLLs, see screenshot below.
I have a critical deployment stalled because of this issue raised by the client and I need to provide a solution to it. Thanks
You're in a better position than you think :) With 2.1 onward we "roll forward". So if you target 2.1 and install 2.1.1 your code will use 2.1.1 (unless you are pinning your version to an exact version). So just ensure you're targeting 2.1 and you're good. You can also uninstall the older versions just to be doubly sure, and that should appease the scanner.
Dear Blowdart, how can I target .NET Core 2.1 when it's a .NET Framework project? That's the whole problem. The solution for the vulnerability says to upgrade aspnetcore to 2.7, which is only possible for Core projects (the max I can upgrade to in a .NET Framework project is 2.2.0.0, which I have already done, and it still throws a critical alert in the security scanner), so what will a developer who is using .NET Framework do?
That I don't know. @Tratcher any pointers here?
A) Microsoft.AspNetCore is different from AspNetCore.dll.
Also if you mean the Microsoft.AspNetCore.All metapackage you update that in your project.json, then recompile and republish. |
Tratcher and Blowdart, thanks for your inputs. Let me clarify it a bit more from the start so that there isn't any confusion.
[Screenshots: Project Target Type; Microsoft.AspNetCore properties; Sonatype scan policy violation; Sonatype scan security issue]
https://www.nuget.org/packages/Microsoft.AspNetCore.App Now this metapackage is for .NET Core projects and can't be downloaded for the .NET Framework project that I am using. [Screenshot: Microsoft.AspNetCore.App dependency] Now how will I resolve this security issue? Thanks
Where did you see that? It's not listed in #6488 (CVE-2019-0548) or #9205 (CVE-2019-0815). The stated fix in both cases is to "Install the latest version of the ASP.NET Core Runtime & Hosting Bundle". The hosting bundle will get you a new global version of AspNetCore.dll. Those Sonatype warnings are misleading; there's no relation between Microsoft.AspNetCore and these CVEs.
For issue CVE-2019-0548, this page is given. When we go to this URL, it gives three options.
Now when I click on option v2.2, it shows instructions to download 2.2.7.
Well, you can point to https://www.nuget.org/packages/Microsoft.AspNetCore/ showing there is no 2.2.7 version of this package. You can point to this GitHub issue. And if worst comes to worst I can put my Security PM hat on and write an email. And again, the hosting bundles DO apply to your situation. You should still install the latest version because that will address the specific CVE you started with.
The confusion here is that there's a single installer that includes both AspNetCoreModule.dll (a generic hosting component that applies to .NET Framework and .NET Core apps), as well as installing the ASP.NET Core runtime. You do require an updated AspNetCoreModule.dll to address these CVEs, so install the latest hosting bundle. There are variables you can set to suppress the runtime install.
I think Microsoft.AspNetCore.Server.IISIntegration was revved to 2.2.1 purely because ANCM was patched. I don't think it needed to increase in version at all.
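Added example, not code from this thread or from the ASP.NET Core project: a PowerShell check an operator can run on the IIS host after installing the hosting bundle, to see which ANCM binaries are present and their file versions (the component the CVEs above concern), which shared ASP.NET Core runtimes are installed (what a .NET Core target would roll forward onto), and the file versions of the Microsoft.AspNetCore*.dll files sitting in a publish folder (what the scanner looks at, and which the hosting bundle does not touch). The ANCM and runtime paths are the default install locations; the publish directory and the installer file name are placeholders; `OPT_NO_RUNTIME=1` is the documented hosting bundle option for skipping the runtime install.

```powershell
# Added example (not from the thread or the ASP.NET Core repo): verify ANCM and
# inspect a publish folder on an IIS host. Paths below are default install locations.

# Default locations of the ASP.NET Core Module (ANCM):
#   V1 : %windir%\System32\inetsrv\aspnetcore.dll
#   V2 : %ProgramFiles%\IIS\Asp.Net Core Module\V2\aspnetcorev2.dll
$ancmPaths = @(
    (Join-Path $env:windir 'System32\inetsrv\aspnetcore.dll'),
    (Join-Path $env:ProgramFiles 'IIS\Asp.Net Core Module\V2\aspnetcorev2.dll')
)

# Report file/product version for each ANCM binary, or mark it as not installed.
function Get-AncmVersions {
    foreach ($p in $ancmPaths) {
        if (Test-Path $p) {
            $vi = (Get-Item $p).VersionInfo
            [pscustomobject]@{ Path = $p; FileVersion = $vi.FileVersion; ProductVersion = $vi.ProductVersion }
        } else {
            [pscustomobject]@{ Path = $p; FileVersion = $null; ProductVersion = 'not installed' }
        }
    }
}

# Shared ASP.NET Core runtimes present on the host (what roll-forward selects from
# for a .NET Core target; irrelevant to a .NET Framework target, which carries its own DLLs).
function Get-InstalledAspNetCoreRuntimes {
    $root = Join-Path $env:ProgramFiles 'dotnet\shared\Microsoft.AspNetCore.App'
    if (Test-Path $root) {
        Get-ChildItem $root -Directory | Select-Object -ExpandProperty Name
    }
}

# File versions of the managed assemblies a scanner would flag in a publish folder.
# For a .NET Framework target these come from the referenced NuGet packages and
# are not changed by installing the hosting bundle.
function Get-PublishedAspNetCoreVersions([string]$PublishDir) {
    Get-ChildItem $PublishDir -Filter 'Microsoft.AspNetCore*.dll' |
        ForEach-Object {
            [pscustomobject]@{ Name = $_.Name; FileVersion = $_.VersionInfo.FileVersion }
        }
}

Get-AncmVersions | Format-Table -AutoSize
Get-InstalledAspNetCoreRuntimes
Get-PublishedAspNetCoreVersions -PublishDir 'C:\inetpub\wwwroot\MyApi'   # placeholder path

# To install only ANCM from the hosting bundle and skip the .NET Core runtime
# (installer file name is a placeholder; OPT_NO_RUNTIME=1 is a documented bundle option):
#   & .\dotnet-hosting-2.2.x-win.exe /quiet OPT_NO_RUNTIME=1
# then restart IIS so the module is reloaded:
#   net stop was /y; net start w3svc
```

Run this before and after applying the hosting bundle and compare the ANCM rows; the publish-folder rows will not change, which is the point the thread makes about the scanner result.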
I am a bit confused now. What action do I need to take at my end (given that my project is of type .NET Framework)? Do I have to do the following only?
How will the above two steps take care of the Microsoft.AspNetCore 2.2.0 DLL security flaw that gets added to the published folder? Thanks
What do you mean by "the Microsoft.AspNetCore 2.2.0 DLL security flaw that gets added to the published folder"? Do you mean the Microsoft.AspNetCore.dll file?
If that is still appearing after you have installed the latest hosting bundle then Sonatype has a false positive. There's nothing in that file except for the webhost class. Presumably whoever owns the Sonatype license has a support contract; I would take that route and point them to this thread.
Blowdart, to clarify: the Sonatype.com website takes a ZIP folder as input, which we provide by zipping the PUBLISHED folder (after clicking Publish in Visual Studio). Now, as Sonatype takes ZIP input, how will it get to know about the .NET Core or hosting bundle which will be installed on the deployed machine? (Here I will make the point that I will do this exercise even though the project type is .NET Framework.) Here is the Sonatype URL for app scanning. And I am attaching a sample ZIP file which it flags as an issue.
That doesn't change my point. Sonatype is wrong in this case.
Thanks Blowdart for your quick responses. I will abide by your suggestion of installing the latest .NET Core runtime and hosting bundle and assume no change in code is needed (i.e. I need not change from .NET Framework type to .NET Core type so that I can use metapackage 2.7, etc).
The hosting bundle is needed to address the CVE you linked. If you target Core rather than Framework then you'd be better off, as the runtime will hoist versions up. Unfortunately if you target Framework you don't get this. I believe you still need ANCM regardless of what you target, @jkotalik is that correct?
Here is the link for the Runtime and Hosting bundle 2.7. I will install that and restart IIS. This should take care of the issue raised even if the Sonatype.com website is showing an error, right? Unfortunately I can't change my project from .NET Framework to .NET Core; maybe in future we will do it, because of the amount of rework. But this activity is not needed to resolve this issue, right? Do I need to do anything for ANCM? I don't understand this. Or need I not bother about this for my issue?
The latest hosting bundle will patch ANCM.
Thanks Blowdart. Can you help me with one more query?
Correct. When updates happen, what you will need to do is check your project.json and update the NuGet package versions according to the bulletin.
Thanks Barry, I will get back to you on this if I have further queries. Appreciate your help on this.
Thank you for contacting us. Due to a lack of activity on this discussion issue we're closing it in an effort to keep our backlog clean. If you believe there is a concern related to the ASP.NET Core framework which hasn't been addressed yet, please file a new issue. This issue will be locked after 30 more days of inactivity. If you still wish to discuss this subject after then, please create a new issue!
I have a .NET Web API project targeting .NET Framework 4.6; in this project I have the Microsoft.AspNetCore 2.2.0.0 DLL.
I have read that the Microsoft.AspNetCore 2.2.0.0 DLL has a DoS (Denial of Service) security vulnerability.
#6488
When I look into the recommended resolution it says to upgrade to version 2.7. Now the issue is that I can't upgrade to 2.7, as the highest I can upgrade to for .NET Framework is 2.2.0.0, which I already have.
Query:
Is this security vulnerability only for apps created by targeting .NET Core and not .NET Framework, even though the Microsoft.AspNetCore 2.2.0.0 library is used?
If the first is true, then does it mean I don't have to do anything for this security vulnerability? If not, then what should I do to get over this security concern (given that I can't upgrade Microsoft.AspNetCore to 2.7 in a .NET Framework project)?