[Announcement] [Discussion] Microsoft Security Advisory CVE-2017-8585 : Malformed Culture can cause application crash #23876
Comments
|
Is this related to HTTP requests parsing? Or does it impact other things (eg, console apps)? |
|
That's the one. So mainly it's an ASP.NET problem if you turn localization on, because we take user input to create the culture, and the underlying OS API had changed. If you're doing the same sort of thing in your console apps you'd also be vulnerable, but that'd be a pretty weird thing to do. |
|
I'm a bit confused... Also the official CVE database also only mentions .NET Framework 4.6, 4.6.1, 4.6.2, and 4.7. And... Is this only an issue in Windows 10 and Server 2016? Microsoft Security Tech Center article for this issue only mentions these versions of Windows . Can you please clarify? Thanks |
|
The CVE should be in the process of being updated. It does affect Core 1.x. It is limited to apps running on Server 2016 & Windows 10, because that's when the API changed. I'll update the issue to make that clear, thanks. |
|
This CVE was published on July 11 and patched versions of .NET framework 4.6 and 4.7 were released at that time. Why are the .NET Core fixes only being announced now? Additionally, the fixed versions (1.0.7 and 1.1.4) were released nearly a month ago, but the release notes make no mention of these fixes. Can you please clarify the timeline of this CVE, and confirm that 1.0.7 and 1.1.4 are indeed the fixed versions? Thanks! |
|
The CVE was published when the framework patch was released. Core lagged behind for various technical and other reasons. As I don't write the release notes I can't comment on why, but generally we like to give it a few weeks for something that's not under active exploit to at least get some adoption of the new runtime. Yes, 1.0.7 and 1.1.4 are the fixed versions. |
|
Does this affect Azure Web Apps or Cloud Services running in Azure? |
|
@blowdart this is marked release 2.1. Do we want to keep it open indefinitly? |
|
I didn't add the milestone. I think it's up to @richlander - the announcements one stay open forever. |
ghost
locked as resolved and limited conversation to collaborators
Microsoft Security Advisory CVE-2017-8585
Malformed Culture can cause application to crash
Executive Summary
Microsoft is releasing this security advisory to provide information about a vulnerability in the public versions of .NET Core 1.0 and 1.1. This advisory also provides guidance on what developers can do to update their applications correctly.
Microsoft is aware of a security vulnerability in the public version of .NET Core where a malformed string request could cause an application to crash and lead to a denial of service.
System administrators are advised to update their .NET Core runtimes to versions 1.0.7 and 1.1.4. Developers are advised to update their .NET Core SDK to version 1.1.4.
Mitigation Factors
.NET Core 2.0 is not affected by this issue.
,NET Core 1.x applications are only affected if running on Windows 10 or Windows 2016.
Advisory FAQ
How do I know if I am affected?
Any application running against .NET Core 1.0.6 or lower versions, or 1.1.2 or lower versions is affected. The latest version of the .NET core runtime you have installed in your computer can be listed by running
dotnet --info. Running that command produces an output similar to the following:As this command only displays the latest version of the runtime installed (or the version set in the global.json file), it may hide the fact that you have a vulnerable runtime. A complete list of runtimes can be discovered by performing a directory listing in the install root directories. The default root directories are listed in the following table:
Each runtime version is installed in its own directory, where the directory name is the version number. If you don't have a directory for 1.0.7 and 1.1.4, then any applications targeting 1.0 or 1.1 of .NET Core are vulnerable.
Also, even if you have a directory for 1.0.7 and 1.1.4 present in your system, if you've deployed self-contained applications targeting the impacted versions, these applications are also vulnerable.
How do I fix my affected application?
Applications can be fixed by installing the latest .NET Core runtimes or SDKs. Typically, application servers only have runtime packages installed and developer machines have the SDKs installed. Installers for the runtimes can be downloaded from the Runtime and SDK download archive. .NET Core 1.1.4 SDK installs both versions 1.0.7 and 1.1.4 of the .NET Core runtime.
If you've built a self-contained application, you must install the new runtime and SDK, recompile your application and redeploy.
What if the update breaks my application?
An application can be pinned to a previous version of the runtime by editing the application.runtime.config file for that application. Set the framework version to the desired version and the
rollForwardproperty tofalse. These settings should be treated as a temporary measure and the application updated to work with the patched versions of the framework.Since the application.runtime.config file is an optional file, you may need to create one for each application and add it alongside the executable.
Acknowledgments
David Fernandez of Sidertia Solutions
External Links
CVE-2017-8585
Sidertia blog on their discovery
Version 1.1
Last Updated 2017-18-10
The text was updated successfully, but these errors were encountered: