Subscribe to this repo to be notified of Announcements and changes in .NET Core.
Creative Commons Attribution 4.0 International
1.27k
stars
44
forks
source link
Microsoft Security Advisory CVE-2024-0056: Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data provider Information Disclosure Vulnerability #292
Microsoft Security Advisory CVE-2024-0056: Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data provider Information Disclosure Vulnerability
Executive summary
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET's System.Data.SqlClient and Microsoft.Data.SqlClient NuGet Packages. This advisory also provides guidance on what developers can do to update their applications to address this vulnerability.
A vulnerability exists in the Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data provider where an attackercan perform an AiTM (adversary-in-the-middle) attack between the SQL client and the SQL server. This may allow the attacker to steal authentication credentials intended for the database server, even if the connection is established over an encrypted channel like TLS.
Mitigation factors
If you are not using the System.Data.SqlClient or Microsoft.Data.SqlClient package libraries within your application, you are not affected by this vulnerability.
Any application that has a direct or transitive dependency on the affected packages listed above are vulnerable.
How do I fix the issue?
If you are using System.Data.SqlClient on .NET 6.0, .NET 7.0 or, .NET 8.0 you must update the nuget package to an updated version as listed in the affected packages.
If you are using Microsoft.Data.SqlClient, anywhere (any version of .NET Framework or .NET) and you are using a version that is vulnerable you must update as listed in the affected packages.
If you are using the System.Data.SqlClient package from a .NET Framework (any version) application, you must install the January 2024 .NET Framework updates made available via Windows Update or Microsoft Update. You should also consider updating the System.Data.SqlClient package as keeping dependencies up to date is good general hygiene, but updating this package is neither necessary nor sufficient to fix the issue in a .NET Framework-based application.
If you have found a potential security issue in .NET 6.0 or .NET 7.0 or .NET 8.0, please email details to secure@microsoft.com. Reports may qualify for the Microsoft .NET Core & .NET 5 Bounty. Details of the Microsoft .NET Bounty Program including terms and conditions are at https://aka.ms/corebounty.
The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Microsoft Security Advisory CVE-2024-0056: Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data provider Information Disclosure Vulnerability
Executive summary
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET's System.Data.SqlClient and Microsoft.Data.SqlClient NuGet Packages. This advisory also provides guidance on what developers can do to update their applications to address this vulnerability.
A vulnerability exists in the Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data provider where an attackercan perform an AiTM (adversary-in-the-middle) attack between the SQL client and the SQL server. This may allow the attacker to steal authentication credentials intended for the database server, even if the connection is established over an encrypted channel like TLS.
Mitigation factors
If you are not using the System.Data.SqlClient or Microsoft.Data.SqlClient package libraries within your application, you are not affected by this vulnerability.
Affected packages
Advisory FAQ
How do I know if I am affected?
Any application that has a direct or transitive dependency on the affected packages listed above are vulnerable.
How do I fix the issue?
If you don't know the difference between Microsoft.Data.SqlClient and System.Data.SqlClient please read the Microsoft.Data.SqlClient initial announcement for an explanation,
Other Information
Reporting Security Issues
If you have found a potential security issue in .NET 6.0 or .NET 7.0 or .NET 8.0, please email details to secure@microsoft.com. Reports may qualify for the Microsoft .NET Core & .NET 5 Bounty. Details of the Microsoft .NET Bounty Program including terms and conditions are at https://aka.ms/corebounty.
Support
You can ask questions about this issue on GitHub in the .NET GitHub organization. The main repos are located at https://github.com/dotnet/runtime and https://github.com/dotnet/aspnet/. The Announcements repo (https://github.com/dotnet/Announcements) will contain this bulletin as an issue and will include a link to a discussion issue. You can ask questions in the linked discussion issue.
Disclaimer
The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
External Links
CVE-2024-0056
Revisions
V1.0 (January 09, 2024): Advisory published.
Version 1.0
Last Updated 2024-01-09