You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Microsoft is releasing this security advisory to provide information about a vulnerability in the public versions of .NET Core 1.0 and 1.1. This advisory also provides guidance on what developers can do to update their applications correctly.
Microsoft is aware of a security vulnerability in the public version of .NET Core where a malformed string request could cause an application to crash and lead to a denial of service.
System administrators are advised to update their .NET Core runtimes to versions 1.0.7 and 1.1.4. Developers are advised to update their .NET Core SDK to version 1.1.4.
.NET Core 2.0 is not affected by this issue.
,NET Core 1.x applications are only affected if running on Windows 10 or Windows 2016.
Advisory FAQ
How do I know if I am affected?
Any application running against .NET Core 1.0.6 or lower versions, or 1.1.2 or lower versions is affected. The latest version of the .NET core runtime you have installed in your computer can be listed by running dotnet --info. Running that command produces an output similar to the following:
.NET Command Line Tools (2.0.2)
Product Information:
Version: 2.0.2
Commit SHA-1 hash: a04b4bf512
Runtime Environment:
OS Name: Windows
OS Version: 10.0.16299
OS Platform: Windows
RID: win10-x64
Base Path: C:\Program Files\dotnet\sdk\2.0.2\
Microsoft .NET Core Shared Framework Host
Version : 2.0.0
Build : e8b8861ac7faf042c87a5c2f9f2d04c98b69f28d
As this command only displays the latest version of the runtime installed (or the version set in the global.json file), it may hide the fact that you have a vulnerable runtime. A complete list of runtimes can be discovered by performing a directory listing in the install root directories. The default root directories are listed in the following table:
Each runtime version is installed in its own directory, where the directory name is the version number. If you don't have a directory for 1.0.7 and 1.1.4, then any applications targeting 1.0 or 1.1 of .NET Core are vulnerable.
Also, even if you have a directory for 1.0.7 and 1.1.4 present in your system, if you've deployed self-contained applications targeting the impacted versions, these applications are also vulnerable.
How do I fix my affected application?
Applications can be fixed by installing the latest .NET Core runtimes or SDKs. Typically, application servers only have runtime packages installed and developer machines have the SDKs installed. Installers for the runtimes can be downloaded from the Runtime and SDK download archive. .NET Core 1.1.4 SDK installs both versions 1.0.7 and 1.1.4 of the .NET Core runtime.
If you've built a self-contained application, you must install the new runtime and SDK, recompile your application and redeploy.
What if the update breaks my application?
An application can be pinned to a previous version of the runtime by editing the application.runtime.config file for that application. Set the framework version to the desired version and the rollForward property to false. These settings should be treated as a temporary measure and the application updated to work with the patched versions of the framework.
Since the application.runtime.config file is an optional file, you may need to create one for each application and add it alongside the executable.
Microsoft Security Advisory CVE-2017-8585
Malformed Culture can cause application to crash
Executive Summary
Microsoft is releasing this security advisory to provide information about a vulnerability in the public versions of .NET Core 1.0 and 1.1. This advisory also provides guidance on what developers can do to update their applications correctly.
Microsoft is aware of a security vulnerability in the public version of .NET Core where a malformed string request could cause an application to crash and lead to a denial of service.
System administrators are advised to update their .NET Core runtimes to versions 1.0.7 and 1.1.4. Developers are advised to update their .NET Core SDK to version 1.1.4.
Discussion
Use https://github.com/dotnet/corefx/issues/24703 for discussion of this advisory.
Mitigation Factors
.NET Core 2.0 is not affected by this issue.
,NET Core 1.x applications are only affected if running on Windows 10 or Windows 2016.
Advisory FAQ
How do I know if I am affected?
Any application running against .NET Core 1.0.6 or lower versions, or 1.1.2 or lower versions is affected. The latest version of the .NET core runtime you have installed in your computer can be listed by running
dotnet --info
. Running that command produces an output similar to the following:As this command only displays the latest version of the runtime installed (or the version set in the global.json file), it may hide the fact that you have a vulnerable runtime. A complete list of runtimes can be discovered by performing a directory listing in the install root directories. The default root directories are listed in the following table:
Each runtime version is installed in its own directory, where the directory name is the version number. If you don't have a directory for 1.0.7 and 1.1.4, then any applications targeting 1.0 or 1.1 of .NET Core are vulnerable.
Also, even if you have a directory for 1.0.7 and 1.1.4 present in your system, if you've deployed self-contained applications targeting the impacted versions, these applications are also vulnerable.
How do I fix my affected application?
Applications can be fixed by installing the latest .NET Core runtimes or SDKs. Typically, application servers only have runtime packages installed and developer machines have the SDKs installed. Installers for the runtimes can be downloaded from the Runtime and SDK download archive. .NET Core 1.1.4 SDK installs both versions 1.0.7 and 1.1.4 of the .NET Core runtime.
If you've built a self-contained application, you must install the new runtime and SDK, recompile your application and redeploy.
What if the update breaks my application?
An application can be pinned to a previous version of the runtime by editing the application.runtime.config file for that application. Set the framework version to the desired version and the
rollForward
property tofalse
. These settings should be treated as a temporary measure and the application updated to work with the patched versions of the framework.Since the application.runtime.config file is an optional file, you may need to create one for each application and add it alongside the executable.
Acknowledgments
David Fernandez of Sidertia Solutions
External Links
CVE-2017-8585
Sidertia blog on their discovery
Version 1.1
Last Updated 2017-18-10
The text was updated successfully, but these errors were encountered: