[Discussion] Microsoft Security Advisory CVE-2018-0764: Denial of Service when parsing XML documents #24620
Labels
area-System.Xml
documentation
Documentation bug or enhancement, does not impact product or test code
Security
Milestone
Comments
|
You may want to correct the .NET runtime version mentioned under "How do I know if I am affected?" section:
I believe you meant to say 2.0.5 instead of 2.0.2. |
|
@blowdart how long do we keep such issues open? Should we create some doc instead perhaps? |
|
Up to you lot, it's your repo. I'd leave the announcement never closed of course. |
ghost
locked as resolved and limited conversation to collaborators
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Microsoft Security Advisory CVE-2018-0764
Denial of Service when parsing XML documents
Executive Summary
Microsoft is releasing this security advisory to provide information about a vulnerability in the public versions of .NET Core 1.0 and 1.1, and 2.0. This advisory also provides guidance on what developers can do to update their applications correctly.
Microsoft is aware of a Denial of Service vulnerability in all public versions of .NET core due to improper processing of XML documents. An attacker who successfully exploited this vulnerability could cause a denial of service against a .NET application. A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to a .NET Core application.
The update addresses the vulnerability by correcting how .NET core handles XML document processing.
System administrators are advised to update their .NET Core runtimes to versions 1.0.9, 1.1.6 and 2.0.5. Developers are advised to update their .NET Core SDK to version 2.1.4 or 1.1.7. These runtime and SDK versions will also address CVE-2018-0786.
Announcement
The original announcement can be found at dotnet/announcements#52
Affected Software
The vulnerability affects any Microsoft .NET Core project if it uses any of affected runtime versions listed below
Advisory FAQ
How do I know if I am affected?
To check the runtimes installed on a computer you must view the contents of the runtime folder. By default these are
Each runtime version is installed in its own directory, where the directory name is the version number. If you do not have a directory for 1.0.9, 1.1.6 or 2.0.2 then any applications targeting .NET Core will be vulnerable. Downloads for all supported platforms can be acquired from https://www.microsoft.com/net/download/
How do I fix my affected application?
Applications can be fixed by installing the latest runtimes or SDKs. Typically application servers only install a runtime package, developer machines install SDKs. Installers can be downloaded from the Runtime and SDK download archive. Runtime version 1.1.6 will also install runtime version 1.0.9.
If you have built a self-contained application you must install the new runtime and SDK, recompile your application and redeploy.
Other Information
Reporting Security Issues
If you have found a potential security issue in .NET Core, please email details to [email protected]. Reports may qualify for the .NET Core Bug Bounty. Details of the .NET Core Bug Bounty including Terms and Conditions are at https://aka.ms/corebounty.
Support
You can ask questions about this issue on GitHub in the .NET Core or ASP.NET Core organizations. These are located at https://github.com/dotnet/ and https://github.com/aspnet/. The Announcements repo for each product (https://github.com/dotnet/Announcements and https://github.com/aspnet/Announcements) will contain this bulletin as an issue and will include a link to a discussion issue where you can ask questions.
What if the update breaks my application?
An application can be pinned to a previous version of the runtime by editing the application.runtime.config file for that application and editing the framework version and setting
rollForwardtofalse. This should be treated as a temporary measure and the application updated to work with the patched versions of the framework.Note that this file is optional, you may need to create it for each application alongside the executable.
External Links
CVE-2018-0764
Revisions
V1.0 (Jan 9, 2018): Advisory published.
Version 1.0
Last Updated 2018-01-09
The text was updated successfully, but these errors were encountered: