ASP.NET Core MVC 1.1.0 Vulnerability Guidance -- Visual Studio Magazine

ASP.NET Core MVC 1.1.0 Vulnerability Guidance

Microsoft's security bulletin describes a security vulnerability that exposes apps targeting ASP.NET Core MVC 1.1.0 to possible denial of service attacks, and issues mitigation guidance.

By Michael Domingo
01/31/2017

Microsoft this week issued a security bulletin for a vulnerability that exposes apps targeting ASP.NET Core MVC 1.1.0 to potential denial of service attacks. Microsoft Security Advisor 4010983 specifically notes that it's a publicly known flaw that can affect any project with a "direct or transitive dependency on Microsoft.AspNetCore.Mvc.Core version 1.1.0."

According to the bulletin, only projects that target version 1.1.0 are affected, while those targeting "ASP.NET Core 1.0.0, 1.0.1 or 1.02 are not." As is common with these types of flaws, the vulnerability is enabled when using a malformed HTTP request.

MSA 4010983 notes that updating apps to target a more recent 1.1.1 package or any version newer than that will mitigate the DoS issue. It's worth noting that the bulletin defines corrective measures based on whether your app uses direct or transitive dependencies -- based on how apps target ASP.NET Core MVC, developers need to make sure to review their project's dependency type and take steps to update based on that dependency type. Once an app is updated to use the right package, apps should then be republished.

Microsoft's Rich Lander blogs about the update on the .NET blog on MSDN; in it he links to a Red Hat advisory that contains guidance for Red Hat users (but a subscription is required to read it).

About the Author

Michael Domingo is a long-time software publishing veteran, having started up and managed several developer publications for the Clipper compiler, Microsoft Access, and Visual Basic. He's also managed IT pubs for 1105 Media, including Microsoft Certified Professional Magazine and Virtualization Review before landing his current gig as Visual Studio Magazine Editor in Chief. Besides his publishing life, he's a professional photographer, whose work can be found by Googling domingophoto.

Printable Format

comments powered by Disqus

Featured

Oh Data! Microsoft Ships First Major OData Update in Nearly 8 Years

Microsoft today shipped a preview of OData .NET 8. OData v7.0 was released in August of 2016.
Full Stack Hands-On Development with .NET

In the fast-paced realm of modern software development, proficiency across a full stack of technologies is not just beneficial, it's essential. Microsoft has an entire stack of open source development components in its .NET platform (formerly known as .NET Core) that can be used to build an end-to-end set of applications.
.NET-Centric Uno Platform Debuts 'Single Project' for 9 Targets

"We've reduced the complexity of project files and eliminated the need for explicit NuGet package references, separate project libraries, or 'shared' projects."
Creating Reactive Applications in .NET

In modern applications, data is being retrieved in asynchronous, real-time streams, as traditional pull requests where the clients asks for data from the server are becoming a thing of the past.
AI for GitHub Collaboration? Maybe Not So Much

No doubt GitHub Copilot has been a boon for developers, but AI might not be the best tool for collaboration, according to developers weighing in on a recent social media post from the GitHub team.