News

.NET Core Update Fixes Denial-of-Service Vulnerability

Microsoft cranked out June 2020 updates to .NET Core 3.1 (and 2.1) to address a denial-of-service (DoS) vulnerability.

Officially, the flaw is called CVE-2020-1108 as listed in the Common Vulnerabilities and Exposures (CVE) system. The updates were announced in a June 9 blog post.

It says:

A denial of service vulnerability exists when .NET Core or .NET Framework improperly handles web requests. An attacker who successfully exploited this vulnerability could cause a denial of service against a .NET Core or .NET Framework web application. The vulnerability can be exploited remotely, without authentication.

A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to the .NET Core or .NET Framework application.

The update addresses the vulnerability by correcting how the .NET Core or .NET Framework web application handles web requests.

"To comprehensively address CVE-2020-1108, Microsoft has released updates for .NET Core 2.1 and .NET Core 3.1. Customers who use any of these versions of .NET Core should install the latest version of .NET Core. See the Release Notes for the latest version numbers and instructions for updating .NET Core," Microsoft said.

More information and guidance on dealing with the issue can be found in a Microsoft Security Advisory.

It says affected software includes:

  • Any .NET Core 2.1 application running on .NET Core 2.1.18 or lower
  • Any .NET Core 3.1 application running on .NET Core 3.1.4 or lower
  • Any .NET 5 application running on .NET 5 Preview 3 or lower

Yet another related advisory issue was published on May 12.

There was no information about whether the vulnerability was actually exploited.

About the Author

David Ramel is an editor and writer for Converge360.

comments powered by Disqus

Featured

  • AI for GitHub Collaboration? Maybe Not So Much

    No doubt GitHub Copilot has been a boon for developers, but AI might not be the best tool for collaboration, according to developers weighing in on a recent social media post from the GitHub team.

  • Visual Studio 2022 Getting VS Code 'Command Palette' Equivalent

    As any Visual Studio Code user knows, the editor's command palette is a powerful tool for getting things done quickly, without having to navigate through menus and dialogs. Now, we learn how an equivalent is coming for Microsoft's flagship Visual Studio IDE, invoked by the same familiar Ctrl+Shift+P keyboard shortcut.

  • .NET 9 Preview 3: 'I've Been Waiting 9 Years for This API!'

    Microsoft's third preview of .NET 9 sees a lot of minor tweaks and fixes with no earth-shaking new functionality, but little things can be important to individual developers.

  • Data Anomaly Detection Using a Neural Autoencoder with C#

    Dr. James McCaffrey of Microsoft Research tackles the process of examining a set of source data to find data items that are different in some way from the majority of the source items.

  • What's New for Python, Java in Visual Studio Code

    Microsoft announced March 2024 updates to its Python and Java extensions for Visual Studio Code, the open source-based, cross-platform code editor that has repeatedly been named the No. 1 tool in major development surveys.

Subscribe on YouTube