Since this is in the build tools, and the vuln has something to do with QUIC and OpenSSL, neither of which are used by the build tools.... and it's a DoS attack.... this is pretty minimal. But otherwise, what's happening is the build tools have an embedded copy of .NET in them, since they're published self contained. So, presumably, next release the bug will go away, as it's likely to just be built with the latest version of .NET.
-
When I reference the IKVM package, Sonatype caught a couple of vulnerabilities. The only recommendation is using the latest version, which I am (8.7.5 & 8.7.6). Any plan for IKVM to fix those? Thanks.
Vulnerable OSS
IKVM.MSBuild.Tools.runtime.linux-arm@8.7.5
IKVM.MSBuild.Tools.runtime.linux-arm64@8.7.5
IKVM.MSBuild.Tools.runtime.win-arm64@8.7.5
IKVM.MSBuild.Tools.runtime.win-x64@8.7.5
IKVM.MSBuild.Tools.runtime.osx-x64@8.7.5
IKVM.MSBuild.Tools.runtime.linux-x64@8.7.5
IKVM.MSBuild.Tools.runtime.osx-arm64@8.7.5
Recommended Version(s): No recommended versions are available for the current component.
.NET Denial of Service Vulnerability
Explanation: The Microsoft.NETCore.App.Runtime packages for macOS and Linux are vulnerable to a Denial of Service (DoS) attack. The CryptoNative_GetX509NameInfo() function in openssl.c fails to account for X509 certificates containing alternate names that resolve to NULL values. A remote attacker can exploit this vulnerability with crafted certificates that, when consumed, may crash affected applications due to uncaught exceptions.
Detection: The application is vulnerable by using this component.
Recommendation: We recommend upgrading to a version of this component that is not vulnerable to this specific issue.
Note: If this component is included as a bundled/transitive dependency of another component, there may not be an upgrade path. In this instance, we recommend contacting the maintainers who included the vulnerable package. Alternatively, we recommend investigating alternative components or a potential mitigating control.
Threat Vectors: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Vulnerable OSS
System.Net.Quic.dll@6.0.2623.60508?nexusnamespace=Microsoft%20Corporation%2FMicrosoft%C2%AE%20.NET&nexustype=pecoff
Recommended Version(s): No recommended versions are available for the current component.
.NET Core and Visual Studio Denial of Service Vulnerability
Explanation: The Microsoft.NETCore.App.Runtime packages for Windows are vulnerable to a Denial of Service (DoS) attack. The HandleEventPeerStreamStarted() method of the QuicConnection class releases the peer-provided stream capacity from memory before releasing client streams. A remote attacker can exploit this vulnerability by submitting a large number of closed streams in order to surpass configured stream limits. This may cause affected applications to consume all of their available resources, resulting in a DoS condition.
Detection: The application is vulnerable by using this component. Applications running .NET 6 are only vulnerable if they enable the HTTP/3 preview feature.
Reference:
Recommendation: We recommend upgrading to a version of this component that is not vulnerable to this specific issue.
Note: If this component is included as a bundled/transitive dependency of another component, there may not be an upgrade path. In this instance, we recommend contacting the maintainers who included the vulnerable package. Alternatively, we recommend investigating alternative components or a potential mitigating control.
Threat Vectors: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
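The two findings above are both about the .NET runtime that a self-contained publish embeds in the IKVM.MSBuild.Tools runtime packages, not about IKVM code. The practical check, as an added example that is not part of the discussion or of the IKVM project, is to open the .nupkg and read the `*.deps.json` that `dotnet publish --self-contained` writes: it names the `runtimepack.Microsoft.NETCore.App.Runtime.<rid>/<version>` that was bundled and lists every runtime and native file, so you can see the exact runtime patch level and whether `System.Net.Quic.dll` and the OpenSSL crypto shim are even shipped. The sample `deps.json` below is constructed for the example (its version numbers are made up), and `minimum_fixed` is a parameter rather than a constant because the page does not state which .NET servicing release fixes these findings; supply the patch level from the vendor advisory you are acting on.

```python
"""Check which Microsoft.NETCore.App runtime a self-contained .NET package bundles.

Added example, not IKVM or Sonatype code. Reads the deps.json that a
self-contained publish emits, reports the bundled runtime pack version, and
flags whether the assemblies the scanner findings concern are present.
"""
import io
import json
import re
import zipfile
from typing import Dict, Optional, Tuple

RUNTIMEPACK_PREFIX = "runtimepack.Microsoft.NETCore.App.Runtime."

# Constructed sample, shaped like a real self-contained deps.json; the runtime
# version 6.0.11 and the file versions are invented for the example.
SAMPLE_DEPS_JSON = json.dumps({
    "runtimeTarget": {"name": ".NETCoreApp,Version=v6.0/linux-x64", "signature": ""},
    "targets": {
        ".NETCoreApp,Version=v6.0/linux-x64": {
            "ikvmc/8.7.5": {"runtime": {"ikvmc.dll": {}}},
            "runtimepack.Microsoft.NETCore.App.Runtime.linux-x64/6.0.11": {
                "runtime": {
                    "System.Private.CoreLib.dll": {"fileVersion": "6.0.0.0"},
                    "System.Net.Quic.dll": {"fileVersion": "6.0.0.0"},
                },
                "native": {
                    "libSystem.Security.Cryptography.Native.OpenSsl.so": {"fileVersion": "0.0.0.0"},
                },
            },
        }
    },
})


def parse_version(v: str) -> Tuple[int, ...]:
    """'6.0.13' -> (6, 0, 13); a prerelease/build suffix such as '-rc.1' is dropped."""
    return tuple(int(p) for p in re.split(r"[-+]", v, maxsplit=1)[0].split("."))


def _target_libs(deps: dict) -> dict:
    target = deps.get("runtimeTarget", {}).get("name", "")
    return deps.get("targets", {}).get(target, {})


def bundled_runtime(deps: dict) -> Optional[Tuple[str, str]]:
    """Return (rid, version) of the bundled runtime pack, or None if framework-dependent."""
    for key in _target_libs(deps):
        if key.startswith(RUNTIMEPACK_PREFIX):
            rid, version = key[len(RUNTIMEPACK_PREFIX):].split("/", 1)
            return rid, version
    return None


def ships_file(deps: dict, filename: str) -> bool:
    """True if any library in the target lists filename as a runtime or native asset."""
    for lib in _target_libs(deps).values():
        if filename in lib.get("runtime", {}) or filename in lib.get("native", {}):
            return True
    return False


def assess(deps: dict, minimum_fixed: str) -> Dict[str, object]:
    """Compare the bundled runtime with the patch level you require (an input, not a known value)."""
    found = bundled_runtime(deps)
    if found is None:
        return {"self_contained": False}
    rid, version = found
    return {
        "self_contained": True,
        "rid": rid,
        "runtime_version": version,
        "below_minimum": parse_version(version) < parse_version(minimum_fixed),
        "ships_quic": ships_file(deps, "System.Net.Quic.dll"),
        "ships_openssl_shim": ships_file(deps, "libSystem.Security.Cryptography.Native.OpenSsl.so"),
    }


def scan_nupkg(package, minimum_fixed: str) -> Dict[str, Dict[str, object]]:
    """Assess every *.deps.json inside a .nupkg (a zip); accepts a path or a file object."""
    results: Dict[str, Dict[str, object]] = {}
    with zipfile.ZipFile(package) as z:
        for name in z.namelist():
            if name.endswith(".deps.json"):
                results[name] = assess(json.loads(z.read(name)), minimum_fixed)
    return results


def demo(minimum_fixed: str = "6.0.13") -> Dict[str, Dict[str, object]]:
    """Build an in-memory nupkg containing the constructed deps.json and scan it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("tools/net6.0/ikvmc.deps.json", SAMPLE_DEPS_JSON)
    buf.seek(0)
    return scan_nupkg(buf, minimum_fixed)


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Run it against a downloaded `IKVM.MSBuild.Tools.runtime.<rid>.<version>.nupkg` by passing the path to `scan_nupkg`. A result with `below_minimum` false closes the finding on the evidence rather than on the scanner's component-level match; `ships_quic` and `ships_openssl_shim` tell you whether the affected assemblies are present at all, which is the point the reply above makes about build tools that never exercise those code paths.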