Microsoft Security Advisory CVE-2021-26701 | .NET Core Remote Code Execution Vulnerability #49377
Comments
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26701#securityUpdates seems a little strange...
Assuming this affects anyone running asp.net core 2.1 apps on full framework? Will updated dependent packages be released referencing the fixed version?
=merge= dotnet/runtime#49377 -> remote code execution!
$ dotnet --list-runtimes
Microsoft.AspNetCore.App 3.1.3 [/usr/local/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 3.1.3 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]

<Project Sdk="Microsoft.NET.Sdk.Web">
  <PropertyGroup>
    <TargetFramework>netcoreapp3.1</TargetFramework>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="System.Text.Encodings.Web" Version="4.6.0" />
  </ItemGroup>
</Project>

$ dotnet list package --vulnerable
The following sources were used:
   https://api.nuget.org/v3/index.json
The given project `VulnerableApp` has no vulnerable packages given the current sources

Shouldn't the new .NET 5 SDK feature Or is this the scenario where the runtime hijacks and uses a runtime version of said package instead of what is defined in csproj, and hence not reporting it?
Hi @johnkors --the issue here is that there are no package vulnerabilities registered on GitHub for this CVE: https://github.com/advisories?query=CVE-2021-26701 [I've edited this comment down to something simpler because some of the finer points are still under discussion, but essentially this is why you don't see the advisory in the CLI--because it's not presented in GitHub]
So basically there is a delay going between these stages:
Thanks, @drewgillies !
You're welcome! Hopefully we'll have something in place soon.
This announcement is a bit confusing... In the executive summary it mentions only ".NET 5.0, .NET Core 3.1, and .NET Core 2.1", then in the "Affected software" you mention "Any .NET 5, .NET Core, or .NET Framework based application". Why was ".NET Framework" added in the "Affected software" section? Does this mean that .NET Framework applications are also vulnerable or only .Net Core Applications that target the .NET Framework?
A couple of things might need some clarifying.
and later on:
We could clarify that Framework is fixed via NuGet package update and deploy. Then Core is just the runtime update and restart? I'm sure there are probably scenarios where Core applications are pulling the NuGet in directly too. EDIT Apologies for some repetition. Wrote this then went into a meeting without adding comment and missed @miguelcrpinto comment.
Yes, this is the understanding that @blowdart and @GrabYourPitchforks have provided on Twitter. .NET Fx = upgrade NuGet Package https://twitter.com/LeviBroderick/status/1369478430002081793
Ahh good, now the understanding is here too. Just need the advisory itself updated :)
Doesn't that only work if you already had a direct reference to this specific package, not if it was brought in as a transitive dependency of something like microsoft.aspnetcore? Edit: it does. Would be extremely helpful if this and future CVE could include the same sort of remediation steps that dotnet/aspnetcore#18336 does for those exposed to this because of a transitive dependency. This seems to be exactly the situation NuGet/Home#5887 was talking about
Hi all - thanks for the feedback. This has jumpstarted some discussions internally between the .NET security team, the release management team, and representatives from NuGet. In particular, we're discussing: (a) if we should wordsmith the advisory text to clarify the distinction between applications targeting .NET Core and non-Core applications which have manually pulled in this package; and (b) if we can get plugged in to the GitHub and NuGet scans for vulnerable package versions. There's nothing to announce right now because these are early conversations, and I don't want to make any promises. But if something does come from these discussions, it'll be a direct result of the feedback you all have provided.
@GrabYourPitchforks thank you, could I also suggest a CLI update that (like npm audit) checks if you are still vulnerable; as while the advice is to update the runtime, I’m unclear if packages that I may have which have a dependency also need to be updated (which may not be possible if they have no updates yet). A CLI check to say “everything is good” would be great.
@Plasma We're(NuGet) working on it and will have more to share soon. Thanks for your patience.
It looks like the issue is fixed in SDK 3.1.407 but the release notes on the announcements repo reference SDK 3.1.406. We just installed the wrong SDK until we realised - can we get this fixed up?
Hello @deanward81 I have fixed the issue now.
This security violation for System.Text.Encodings.Web affects package Microsoft.AspNetCore.Diagnostics with no remediation options at this time that I'm aware of. Users leveraging your Health Checks have no options for their applications at this time it seems. System.Text.Encoding.Web 4.5.0 is a transitive depends for Microsoft.AspNetCore.Diagnostics 2.2.0 (the latest version). Is there any way around this CVE at this time or is there a fix coming? Please advise. Thank you.
@dnbr2002 It should be possible to update the System.Text.Encodings.Web package manually within your application. Or, if your application is running on ASP.NET Core 2.1, download the updated SDK https://dotnet.microsoft.com/download/dotnet/2.1 and you should receive the fix automatically without needing to change your package references. Please note: The 2.2.x runtime and 2.2.x wave of packages are out of support and are not receiving updates. The current supported runtime versions and package waves are 2.1.x, 3.1.x, and 5.0.x. See the red header at the top of https://dotnet.microsoft.com/download/dotnet/2.2 for more information on 2.2's end-of-life.
@GrabYourPitchforks we have downloaded the latest sdk for 3.1.407 and run builds in our pipeline with it but it does not update the reference I have for Microsoft.AspNetCore.Diagnostics explicitly in my csproj. That one remains with the transitive depends of System.Text.Encodings.Web at 4.5.0 even with the 3.1.407 sdk.
@dnbr2002 Did you try adding an explicit reference to

  <PackageReference Include="Microsoft.AspNetCore.Diagnostics" Version="2.2.0" />
+ <PackageReference Include="System.Text.Encodings.Web" Version="5.0.1" />

@johnkors I did based on the recommends in this thread but it doesn't update the transitive depends in
Hello!
Which docker image?
Which tag though? eg can you paste your docker command?
I run a scan with Trivy, after building nuget packages via SDK. I use 6.0-focal tag.
@jeffhandley could someone on your team pull this image and see why a scanner is indicating it has a vulnerable System.Text.Encodings.Web?
It's even an issue in .NET 7.
Hmm, you shouldn't need to reference the Microsoft.AspNetCore.Http.Abstractions NuGet package in .NET 7, unless the project that needs it is targeting netstandard2.x? If you need that namespace in a project that isn't an ASPNET-based one, add a FrameworkReference to it.
@snickler We have a fairly empty solution with a few projects. Each project targets
Which direct NuGet Packages are being referenced, if you don't mind me asking? I'm wondering if something you're referencing is referencing AspNetCore.Http.Abstractions transitively when it shouldn't
I have the same issue, and if I search for System.Text.Encodings.Web there are two references <4.5.1
and
Where is "Microsoft.AspNetCore.Http": "2.1.22" referenced?
Seems to come from the package ApplicationInsights AspNetCore:
What should I do?
@snickler Sorry for taking that long to reply, I don't have direct access to the source code that has this issue.

private readonly RequestDelegate _next;

Hi
@DibyaRanjan1, the vulnerable System.Text.Encodings.Web dependency seems to have been fixed in Microsoft.IdentityModel.Protocols.OpenIdConnect 6.26.0. See AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet#1985, AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet#1997.
@KalleOlaviNiemitalo, Thank you. I have updated the dependency to 6.26.0.
Hi, Dependency tree: Microsoft.NET.Sdk.Functions@4.1.1 › Microsoft.Azure.WebJobs.Extensions.Http@3.0.2 › Microsoft.AspNetCore.Http@2.1.0 › Microsoft.AspNetCore.Http.Abstractions@2.1.0 › System.Text.Encodings.Web@4.5.0 You can find in the attached SNYK screenshot the relevant information. Thank you
Microsoft Security Advisory CVE-2021-26701 | .NET Core Remote Code Execution Vulnerability
Executive summary
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 5.0, .NET Core 3.1, and .NET Core 2.1. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
A remote code execution vulnerability exists in .NET 5 and .NET Core due to how text encoding is performed.
Announcement
Announcement for this issue can be found at dotnet/announcements#178
Mitigation factors
Microsoft has not identified any mitigating factors for this vulnerability.
Affected software
The vulnerable package is System.Text.Encodings.Web . Upgrading your package and redeploying your app should be sufficient to address this vulnerability.
Vulnerable package versions:
Any .NET 5, .NET Core, or .NET Framework based application that uses the System.Text.Encodings.Web package with a vulnerable version listed below.
Package System.Text.Encodings.Web, vulnerable versions 4.6.0 - 4.7.1, secure version 4.7.2
Package System.Text.Encodings.Web, vulnerable version 5.0.0, secure version 5.0.1
Please validate that each of the .NET versions you are using is in support. Security updates are only provided for supported .NET versions.
How do I know if I am affected?
If you have a runtime or SDK with a version listed in affected software, you're exposed to the vulnerability.
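For the transitive case several commenters describe, where System.Text.Encodings.Web arrives through Microsoft.AspNetCore.Diagnostics or Microsoft.AspNetCore.Http.Abstractions rather than a direct reference, here is an added example (not part of Microsoft's advisory or the dotnet tooling) that walks the resolved graph in a project's obj/project.assets.json and reports the path from each direct PackageReference to a vulnerable copy of the package. It uses the advisory's version table plus, as an assumption taken from the scanner reports in the thread rather than from the advisory, versions below 4.5.1; the assets-file keys it reads (targets, dependencies, projectFileDependencyGroups) are NuGet's real lock-file layout, and the embedded sample is constructed.

```python
import re

# Inclusive vulnerable ranges; rows 1-2 are the advisory's table, row 3 is an assumption from the thread's scanner reports.
VULNERABLE_RANGES = [
    ((4, 6, 0), (4, 7, 1)),  # advisory: 4.6.0 - 4.7.1, secure version 4.7.2
    ((5, 0, 0), (5, 0, 0)),  # advisory: 5.0.0, secure version 5.0.1
    ((0, 0, 0), (4, 5, 0)),  # thread scanner reports: 4.5.0 flagged, < 4.5.1
]
PACKAGE = "system.text.encodings.web"  # NuGet ids are case-insensitive

def parse_version(v):
    """'4.7.2-preview1' -> (4, 7, 2); missing components are padded with 0."""
    parts = [int(p) for p in re.findall(r"\d+", v.split("-", 1)[0])]
    return tuple((parts + [0, 0, 0])[:3])

def is_vulnerable(version):
    return any(lo <= parse_version(version) <= hi for lo, hi in VULNERABLE_RANGES)

def find_vulnerable_paths(assets):
    """One path (direct reference -> ... -> pkg/ver) per direct csproj reference whose subgraph holds a vulnerable copy."""
    results = []
    for tfm, nodes in assets["targets"].items():
        by_name = {key.split("/")[0].lower(): key for key in nodes}  # id -> "id/resolved version"
        def walk(key, path):
            path = path + [key]
            name, ver = key.split("/")
            if name.lower() == PACKAGE and is_vulnerable(ver):
                results.append((tfm, path))
                return
            for dep in nodes[key].get("dependencies", {}):
                child = by_name.get(dep.lower())  # the single resolved node for that id
                if child and child not in path:  # cycle guard
                    walk(child, path)
        for entry in assets.get("projectFileDependencyGroups", {}).get(tfm, []):
            root = by_name.get(entry.split()[0].lower())  # entry looks like "Pkg >= 2.2.0"
            if root:
                walk(root, [])
    return results

# Constructed sample (not a real lock file), modelled on the thread's Diagnostics 2.2.0 -> 4.5.0 case.
SAMPLE_ASSETS = {
    "targets": {".NETCoreApp,Version=v3.1": {
        "Microsoft.AspNetCore.Diagnostics/2.2.0": {"type": "package",
            "dependencies": {"Microsoft.AspNetCore.Http.Abstractions": "2.2.0"}},
        "Microsoft.AspNetCore.Http.Abstractions/2.2.0": {"type": "package",
            "dependencies": {"System.Text.Encodings.Web": "4.5.0"}},
        "System.Text.Encodings.Web/4.5.0": {"type": "package"}}},
    "projectFileDependencyGroups": {".NETCoreApp,Version=v3.1": [
        "Microsoft.AspNetCore.Diagnostics >= 2.2.0"]}}
```

Running find_vulnerable_paths on the sample returns the Diagnostics > Http.Abstractions > 4.5.0 path; once the explicit PackageReference to 5.0.1 suggested in the thread is added, NuGet resolves a single 5.0.1 node for the whole graph and the function returns an empty list.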
How do I fix the issue?
To fix the issue, please install the latest version of .NET 5.0, .NET Core 3.1 or .NET Core 2.1. If you have installed one or more .NET Core SDKs through Visual Studio, Visual Studio will prompt you to update Visual Studio, which will also update your .NET Core SDKs.
You can list the versions you have installed by running the dotnet --info command. You should see an output like the following:

If you're using .NET 5.0, you should download and install Runtime 5.0.4 or SDK 5.0.104 (for Visual Studio 2019 v16.8) from https://dotnet.microsoft.com/download/dotnet-core/5.0.
If you're using .NET Core 3.1, you should download and install Runtime 3.1.13 or SDK 3.1.113 (for Visual Studio 2019 v16.4) or 3.1.407 (for Visual Studio 2019 v16.5 or later) from https://dotnet.microsoft.com/download/dotnet-core/3.1.
If you're using .NET Core 2.1, you should download and install Runtime 2.1.26 or SDK 2.1.522 (for Visual Studio 2019 v15.9) or 2.1.814 from https://dotnet.microsoft.com/download/dotnet-core/2.1.
.NET 5.0, .NET Core 3.1 and .NET Core 2.1 updates are also available from Microsoft Update. To access this either type "Check for updates" in your Windows search, or open Settings, choose Update & Security and then click Check for Updates.
Once you have installed the updated runtime or SDK, restart your apps for the update to take effect.
Additionally, if you've deployed self-contained applications targeting any of the impacted versions, these applications are also vulnerable and must be recompiled and redeployed.
Other Information
Reporting Security Issues
If you have found a potential security issue in .NET Core or .NET 5, please email details to secure@microsoft.com. Reports may qualify for the Microsoft .NET Core & .NET 5 Bounty. Details of the Microsoft .NET Bounty Program including terms and conditions are at https://aka.ms/corebounty.
Support
You can ask questions about this issue on GitHub in the .NET GitHub organization. The main repos are located at https://github.com/dotnet/runtime and https://github.com/dotnet/aspnet/. The Announcements repo (https://github.com/dotnet/Announcements) will contain this bulletin as an issue and will include a link to a discussion issue. You can ask questions in the linked discussion issue.
Disclaimer
The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
External Links
CVE-2021-26701
Revisions
V1.0 (March 09, 2021): Advisory published.
Version 1.0
Last Updated 2021-03-09