ASP.NET Core MVC 1.1.0 Vulnerability Guidance
Microsoft's security bulletin describes a security vulnerability that exposes apps targeting ASP.NET Core MVC 1.1.0 to possible denial of service attacks, and issues mitigation guidance.
- By Michael Domingo
Microsoft this week issued a security bulletin for a vulnerability that exposes apps targeting ASP.NET Core MVC 1.1.0 to potential denial of service attacks. Microsoft Security Advisor 4010983 specifically notes that it's a publicly known flaw that can affect any project with a "direct or transitive dependency on Microsoft.AspNetCore.Mvc.Core version 1.1.0."
According to the bulletin, only projects that target version 1.1.0 are affected, while those targeting "ASP.NET Core 1.0.0, 1.0.1 or 1.02 are not." As is common with these types of flaws, the vulnerability is enabled when using a malformed HTTP request.
MSA 4010983 notes that updating apps to target a more recent 1.1.1 package or any version newer than that will mitigate the DoS issue. It's worth noting that the bulletin defines corrective measures based on whether your app uses direct or transitive dependencies -- based on how apps target ASP.NET Core MVC, developers need to make sure to review their project's dependency type and take steps to update based on that dependency type. Once an app is updated to use the right package, apps should then be republished.
Microsoft's Rich Lander blogs about the update on the .NET blog on MSDN; in it he links to a Red Hat advisory that contains guidance for Red Hat users (but a subscription is required to read it).
Michael Domingo is a long-time software publishing veteran, having started up and managed several developer publications for the Clipper compiler, Microsoft Access, and Visual Basic. He's also managed IT pubs for 1105 Media, including Microsoft Certified Professional Magazine and Virtualization Review before landing his current gig as Visual Studio Magazine Editor in Chief. Besides his publishing life, he's a professional photographer, whose work can be found by Googling domingophoto.