Microsoft.AspNetCore DoS vulnerability, how to resolve for .Net Framework projects #15423

Closed
sujit1779 opened this issue Oct 26, 2019 · 28 comments
Labels
area-networking Includes servers, yarp, json patch, bedrock, websockets, http client factory, and http abstractions Security

@sujit1779

I have a .Net Web API project targeting .Net Framework 4.6, in this project I have Microsoft.AspNetCore 2.2.0.0 DLL.

I have read that Microsoft.AspNetCore 2.2.0.0 DLL has DoS (Denial of Service) security vulnerability.

#6488

When I look into the recommended resolution it says to upgrade to Version 2.7, now issue is I can't upgrade to 2.7 as highest I can upgraded for .Net Framework is 2.2.0.0 which I already have.

Query:

  1. Is this security vulnerability only for apps created by targeting .Net Core and not .Net Framework even though Microsoft.AspNetCore 2.2.0.0 library is used?

  2. If first is true, then does it mean I don't have to do anything for this security vulnerability? If not, then what should I do to get over this security concern (given that I can't upgrade Microsoft.AspNetCore to 2.7 in a .Net Framework project)?

@benaadams
Member

/cc @blowdart

@blowdart
Contributor

That CVE is for ANCM, the piece that sits between IIS and Core. As the bulletin says

Install the latest version of the ASP.NET Core Runtime & Hosting Bundle appropriate to the highest version of .NET Core running on your servers.

This has nothing to do with what you target, or the aspnetcore library you are linking to, just install the latest hosting bundle, which will then upgrade the DLL listed in the bulletin.

@sujit1779
Author

sujit1779 commented Oct 26, 2019

Thanks Blowdart for clarification.
I have the following further queries (sorry to ask dumb questions, I understand .Net Framework better than .Net Core).

My queries are coming from a scan done on the website Sonatype.com, and it is flagging a CRITICAL error on my published DLLs, see screenshot below

https://sumerusolutions-my.sharepoint.com/:i:/p/sujit_singh/ESGkPBu9wwpDgHYgkwGO2JABu5G_P2F290dZIp7vijRPmQ?e=6cyGrD

  1. None of my projects targets .Net core and all are .Net Framework and they use AspNetCore DLL (2.2.0.0), still I need to update Core Runtime where it is deployed?
     a. If answer to Point 1 above is yes, I am not able to understand why I need to apply Core Runtime fix even if the project is of .Net Framework type, will the project not run by .Net Framework CLR then where is core runtime coming into picture for this?
     b. As I am not targeting any .Net core (2.1 or 2.2 or 3.0), then which .Net core runtime I have to upgrade and by upgrade do you mean to say I need to install runtime on the deployed machine?

  2. Apart from upgrading .Net Runtime, you said to update Hosting Bundle also, now again same query, as my project is not targeting any .Net Core (2.1 or 2.2 or 3.0) then how will I decide which bundle I have to install i.e. for 2.1 or 2.2 or 3.0?

  3. I am a developer and looks like I don't have to do any changes to my project, I just need to install the runtime and bundle on the machine where it is deployed, is that so?

  4. Our published project has AspNetCore 2.2.0.0 in the directory, so if I just have to install runtime and hosting bundle, how will that local copy of AspNetCore 2.2.0.0 that our directory has will get updated? Or we are doing something wrong in deployment?

I have a critical deployment stalled because of this issue raised by client and I need to provide a solution to it.

Thanks

@blowdart
Contributor

You're in a better position than you think :) With 2.1 onward we "roll forward". So if you target 2.1 and install 2.1.1 your code will use 2.1.1 (unless you are pinning your version to an exact version). So just ensure you're targeting 2.1 and you're good. You can also uninstall the older versions just to be doubly sure, and that should appease the scanner.

@sujit1779
Author

Dear Blowdart, how can I target .Net Core 2.1 as it's a .Net Framework project? That's the whole problem. Solution for the vulnerability says to upgrade aspnetcore to 2.7 which is only possible for Core projects (max I can upgrade in .net framework project is up to 2.2.0.0 which I have already done and it still throws critical alert in the security scanner), then what will a developer who is using .Net Framework do?

@blowdart
Contributor

That I don't know. @Tratcher any pointers here?

@Tratcher
Member

A) Microsoft.AspNetCore is different from AspNetCore.dll.
B) I don't think there's a 2.7 version of either of them, where are you getting that version?
C) There is a 2.2.1 version of Microsoft.AspNetCore.Server.IISIntegration which may be what your security scan is trying to prompt you about. The 2.2.0 version of this package is pulled in transitively by Microsoft.AspNetCore, so that's likely why Microsoft.AspNetCore is showing as vulnerable even though there's no later version. You can address this by adding a direct dependency on Microsoft.AspNetCore.Server.IISIntegration v2.2.1. @jkotalik any idea what's in 2.2.1? I can't find any work items.

@blowdart
Contributor

Also if you mean the Microsoft.AspNetCore.All metapackage you update that in your project.json, then recompile and republish.

@sujit1779
Author

Tratcher and Blowdart thanks for your inputs. Let me clarify it a bit more from the start so that there isn't any confusion.

  1. I have a .Net Web API project which targets .Net framework 4.6 and this project uses Microsoft.AspNetCore 2.2.0. See screenshot below

Project Target Type screenshot

Project References Screenshot

Microsoft.AspNetCore properties

  2. When we scan the binaries of the published project using Sonatype.com, it is giving critical error for Microsoft.AspNetCore 2.2.0 and Microsoft.AspNetCore.Server.IISIntegration 2.2.0 and also pointing to CVE-2019-0548 and CVE-2019-0815 vulnerability. See screenshot links below

Sonatype scan vulnerability Policy violation screenshot

Sonatype scan vulnerability security issue screenshot

  3. Now to resolve this issue, we are following Microsoft recommendation and they are saying to update to Microsoft.AspNetCore.App metapackage 2.2.7

https://www.nuget.org/packages/Microsoft.AspNetCore.App

Now this metapackage is for .Net Core projects and can't be downloaded for .Net Framework project that I am using.

Microsoft.AspNetCore.App dependency screenshot

Now how will I resolve this security issue?

Thanks

@Tratcher
Member

Now to resolve this issue, we are following Microsoft recommendation and they are saying to update to Microsoft.AspNetCore.App metapackage 2.2.7

Where did you see that? It's not listed in #6488 (CVE-2019-0548) or #9205 (CVE-2019-0815). The stated fix in both cases is to "Install the latest version of the ASP.NET Core Runtime & Hosting Bundle". The hosting bundle will get you a new global version of AspNetCore.dll.

Those Sonatype warnings are misleading, there's no relation between Microsoft.AspNetCore and these CVEs.

@sujit1779
Author

Now to resolve this issue, we are following Microsoft recommendation and they are saying to update to Microsoft.AspNetCore.App metapackage 2.2.7

Where did you see that? It's not listed in #6488 (CVE-2019-0548) or #9205 (CVE-2019-0815). The stated fix in both cases is to "Install the latest version of the ASP.NET Core Runtime & Hosting Bundle". The hosting bundle will get you a new global version of AspNetCore.dll.

Those Sonatype warnings are misleading, there's no relation between Microsoft.AspNetCore and these CVEs.

For issue CVE-2019-0548, this page is given

aspnet/Announcements#335

When we go to this url, it gives three options

Install the latest version of the ASP.NET Core Runtime & Hosting Bundle appropriate to the highest version of .NET Core running on your servers.

Hosting Bundle for ASP.NET Core applications up to v2.2
Hosting Bundle for ASP.NET Core applications up to v2.1
Hosting Bundle for ASP.NET Core applications up to v1.1

Now when I click for option v2.2, it shows instructions to download 2.2.7
https://dotnet.microsoft.com/download/dotnet-core/2.2

  1. Now any options given in that page, none I can apply as my project type is .Net Framework not .Net Core, that's why I am stuck.

  2. Client is a reputed bank customer so I need to give him concrete evidence if I have to ignore these warnings and convince him it's not applicable for our case, how can I do that?

@blowdart
Contributor

Well you can point to https://www.nuget.org/packages/Microsoft.AspNetCore/ showing there is no 2.2.7 version of this package. You can point to this GitHub issue. And if worst comes to worst I can put my Security PM hat on and write an email.

And again, the hosting bundles DO apply to your situation. You should still install the latest version because that will address the specific CVE you started with.

@Tratcher
Member

The confusion here is that there's a single installer that includes both AspNetCoreModule.dll (a generic hosting component that applies to .NET Framework and .NET Core apps), as well as installing the ASP.NET Core runtime. You do require an updated AspNetCoreModule.dll to address these CVEs so install the latest hosting bundle. There are variables you can set to suppress the runtime install.
https://docs.microsoft.com/en-us/aspnet/core/host-and-deploy/iis/index?view=aspnetcore-3.0#install-the-net-core-hosting-bundle
https://docs.microsoft.com/en-us/aspnet/core/host-and-deploy/iis/index?view=aspnetcore-3.0#install-the-hosting-bundle
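Added example, not code from the thread or from Microsoft: a PowerShell script that applies the hosting bundle the way the comment above describes (ANCM only, runtime suppressed) and then prints the file versions that actually changed on the server beside the versions of the NuGet assemblies in the publish folder, so the two can be told apart in a scanner report. The installer file name, the two ANCM install paths and the publish folder are assumptions.

```powershell
# Added example (not from the issue thread). Assumptions: the hosting bundle
# installer name, the two default ANCM install paths and $PublishDir.
param(
    [string]$Installer  = ".\dotnet-hosting-2.2.7-win.exe",  # assumed installer file name
    [string]$PublishDir = "C:\inetpub\MyWebApi"               # hypothetical published .NET Framework app
)

# 1. Silent install of the hosting bundle. OPT_NO_RUNTIME=1 and OPT_NO_SHAREDFX=1
#    skip the .NET Core runtime and shared framework (not needed by a .NET Framework
#    app); the ASP.NET Core Module for IIS is still installed and updated.
$args = @('/quiet', '/install', 'OPT_NO_RUNTIME=1', 'OPT_NO_SHAREDFX=1')
$proc = Start-Process -FilePath $Installer -ArgumentList $args -Wait -PassThru
if ($proc.ExitCode -notin @(0, 3010)) {   # 3010 = success, reboot required
    throw "Hosting bundle install failed with exit code $($proc.ExitCode)"
}

# 2. ANCM is a native IIS module, so the version that matters for the CVE is the
#    file version of the module DLL on the server, not of anything in the publish folder.
$ancmPaths = @(
    "$env:windir\System32\inetsrv\aspnetcore.dll",                    # ANCM v1 (assumed default path)
    "$env:ProgramFiles\IIS\Asp.Net Core Module\V2\aspnetcorev2.dll"   # ANCM v2 (assumed default path)
)
foreach ($path in $ancmPaths) {
    if (Test-Path $path) {
        $v = (Get-Item $path).VersionInfo
        "{0,-70} FileVersion={1}" -f $path, $v.FileVersion
    } else {
        "{0,-70} not installed" -f $path
    }
}

# 3. The managed assemblies the scanner flags come from NuGet packages and are
#    not touched by the hosting bundle; listing them makes that visible.
Get-ChildItem -Path $PublishDir -Filter 'Microsoft.AspNetCore*.dll' -Recurse |
    ForEach-Object {
        "{0,-55} FileVersion={1}" -f $_.Name, $_.VersionInfo.FileVersion
    }

# 4. Restart IIS so the worker processes load the updated module.
iisreset /restart
```

Run it from an elevated prompt on the IIS server; compare the ANCM file version printed in step 2 before and after the install to confirm the module was replaced.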

@jkotalik
Contributor

I think Microsoft.AspNetCore.Server.IISIntegration was revved to 2.2.1 purely because ANCM was patched. I don't think it needed to increase in version at all.

@sujit1779
Author

I am a bit confused now. What action do I need to take at my end (given that my project is of type .Net Framework). Do I have to do the following only?

  1. Install latest .Net Core runtime on the deployment machine
  2. Install Hosting Bundle on the deployment machine.

How will the above two steps take care of the Microsoft.AspNetCore 2.2.0 DLL security flaw that gets added to the published folder?

Thanks

@blowdart
Contributor

blowdart commented Oct 28, 2019

What do you mean by " the Microsoft.AspNetCore 2.2.0 DLL security flaw that gets added to the published folder"

Do you mean the Microsoft.AspNetCore.dll file?

@sujit1779
Author

Yes, Sonatype.com is flagging a security issue with Microsoft.AspNetCore.dll 2.2.0. I am again attaching a screenshot of the same.

ScreenHunter 324

ScreenHunter 325

I only want to get rid of this security warning that is coming up for my .Net Framework project.

@blowdart
Contributor

If that is still appearing after you have installed the latest hosting bundle then sonatype has a false positive. There's nothing in that file except for the webhost class.

Presumably whomever owns the sonatype license has a support contract, I would take that route and point them to this thread.

@sujit1779
Author

Blowdart to clarify, the Sonatype.com website takes a ZIP folder as input which we provide by zipping the PUBLISHED folder (after clicking on publish in Visual Studio). Now as Sonatype takes ZIP input, how will it get to know about the .Net Core or hosting bundle which will be installed on the deployed machine (here I will make a point that I will do this exercise even though the project type is .Net framework)?

Here is the Sonatype url for app scanning
https://www.sonatype.com/appscan-upload

And I am attaching a sample ZIP file which it flags as issue
Publish_with_aspnetcore_.netFramework.zip

@blowdart
Contributor

That doesn't change my point. Sonatype is wrong in this case.

@sujit1779
Author

Thanks Blowdart for your quick responses. I will abide by your suggestions of installing .Net Core latest runtime and Hosting bundle and assume no change in code is needed (i.e. I need not change from .Net Framework type to .Net core type so that I can use Metapackage 2.7, etc).
Will get back to you if the client still objects.

  1. One query, I am not able to understand, suppose there is some issue with Microsoft.AspNetCore 2.2.0 and we deploy our code (.Net Framework type) in a folder which has this DLL and upgrade our runtime and hosting bundle. But our project will still use this local copy of Microsoft.AspNetCore 2.2.0 DLL, how come Core Runtime installation and Hosting bundle bypass this issue? Is it like, hosting bundle / or .Net Core runtime will do something at their end to take care of this flaw from that existing dll?

  2. Is .Net core runtime called for a project type of .Net Framework, I always thought a .Net Framework project type is always executed by .Net Framework and never by a .Net Core runtime, can you tell me if I am wrong here?

Thanks

@blowdart
Contributor

The hosting bundle is needed to address the CVE you linked.

If you target Core rather than framework then you'd be better off, as the runtime will hoist versions up. Unfortunately if you target Framework you don't get this.

I believe you still need ANCM regardless of what you target, @jkotalik is that correct?

@sujit1779
Author

Here is the link for Runtime and Hosting bundle 2.7, I will install that and restart IIS. This should take care of the issue raised even if the Sonatype.com website is showing error, right?

https://dotnet.microsoft.com/download/thank-you/dotnet-runtime-2.2.7-windows-hosting-bundle-installer

Unfortunately I can't change my project from .Net Framework to .Net Core, may be in future we will do it because of lots of rework. But this activity is not needed to resolve this issue, right?

Do I need to do anything for ANCM, I don't understand this? Or I need not bother on this for my issue?

@blowdart
Contributor

The latest hosting bundle will patch ANCM.

@sujit1779
Author

Thanks Blowdart.

Can you help me with one more query?

  1. Unfortunately I can't change my project from .Net Framework to .Net Core, may be in future we will do it because of lots of rework. But this activity is not needed to resolve this issue, right?

@blowdart
Contributor

Correct. When updates happen what you will need to do is check your project.json and update the nuget package versions according to the bulletin.

@sujit1779
Author

Thanks Barry, I will get back to you on this if I have further queries. Appreciate your help on this.

@jkotalik jkotalik added this to the Discussions milestone Oct 31, 2019
@ghost

ghost commented Nov 12, 2020

Thank you for contacting us. Due to a lack of activity on this discussion issue we're closing it in an effort to keep our backlog clean. If you believe there is a concern related to the ASP.NET Core framework, which hasn't been addressed yet, please file a new issue.

This issue will be locked after 30 more days of inactivity. If you still wish to discuss this subject after then, please create a new issue!

@ghost ghost closed this as completed Nov 12, 2020
@ghost ghost locked as resolved and limited conversation to collaborators Dec 12, 2020
@amcasey amcasey added area-networking Includes servers, yarp, json patch, bedrock, websockets, http client factory, and http abstractions and removed area-runtime labels Aug 24, 2023