dotnet / runtime

.NET is a cross-platform runtime for cloud, mobile, desktop, and IoT apps.
https://docs.microsoft.com/dotnet/core/
MIT License

Microsoft Security Advisory CVE-2021-26701 | .NET Core Remote Code Execution Vulnerability #49377

Closed rbhanda closed 1 year ago

rbhanda commented 3 years ago

Microsoft Security Advisory CVE-2021-26701 | .NET Core Remote Code Execution Vulnerability

Executive summary

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 5.0, .NET Core 3.1, and .NET Core 2.1. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

A remote code execution vulnerability exists in .NET 5 and .NET Core due to how text encoding is performed.

Announcement

Announcement for this issue can be found at https://github.com/dotnet/announcements/issues/178

Mitigation factors

Microsoft has not identified any mitigating factors for this vulnerability.

Affected software

The vulnerable package is System.Text.Encodings.Web . Upgrading your package and redeploying your app should be sufficient to address this vulnerability.

Vulnerable package versions:

Any .NET 5, .NET Core, or .NET Framework based application that uses the System.Text.Encodings.Web package with a vulnerable version listed below.

Package Name                Vulnerable Versions    Secure Versions
System.Text.Encodings.Web   4.0.0 - 4.5.0          4.5.1
                            4.6.0 - 4.7.1          4.7.2
                            5.0.0                  5.0.1

Please validate that each of the .NET versions you are using is in support. Security updates are only provided for supported .NET versions.

How do I know if I am affected?

If you have a runtime or SDK with a version listed in affected software, you're exposed to the vulnerability.

How do I fix the issue?

To fix the issue, please install the latest version of .NET 5.0, .NET Core 3.1 or .NET Core 2.1. If you have installed one or more .NET Core SDKs through Visual Studio, Visual Studio will prompt you to update Visual Studio, which will also update your .NET Core SDKs.

You can list the versions you have installed by running the dotnet --info command. You should see an output like the following:

.NET Core SDK (reflecting any global.json):
 Version:   3.1.100
 Commit:    cd82f021f4

Runtime Environment:
 OS Name:     Windows
 OS Version:  10.0.18363
 OS Platform: Windows
 RID:         win10-x64
 Base Path:   C:\Program Files\dotnet\sdk\3.1.100\

Host (useful for support):
  Version: 3.1.0
  Commit:  65f04fb6db

.NET Core SDKs installed:
  3.1.100 [C:\Program Files\dotnet\sdk]

.NET Core runtimes installed:
  Microsoft.AspNetCore.App 3.1.0 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.NETCore.App 3.1.0 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.WindowsDesktop.App 3.1.0 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]

To install additional .NET Core runtimes or SDKs:
  https://aka.ms/dotnet-download

.NET 5.0, .NET Core 3.1 and .NET Core 2.1 updates are also available from Microsoft Update. To access this either type "Check for updates" in your Windows search, or open Settings, choose Update & Security and then click Check for Updates.

Once you have installed the updated runtime or SDK, restart your apps for the update to take effect.

Additionally, if you've deployed self-contained applications targeting any of the impacted versions, these applications are also vulnerable and must be recompiled and redeployed.

Other Information

Reporting Security Issues

If you have found a potential security issue in .NET Core or .NET 5, please email details to secure@microsoft.com. Reports may qualify for the Microsoft .NET Core & .NET 5 Bounty. Details of the Microsoft .NET Bounty Program including terms and conditions are at https://aka.ms/corebounty.

Support

You can ask questions about this issue on GitHub in the .NET GitHub organization. The main repos are located at https://github.com/dotnet/runtime and https://github.com/dotnet/aspnet/. The Announcements repo (https://github.com/dotnet/Announcements) will contain this bulletin as an issue and will include a link to a discussion issue. You can ask questions in the linked discussion issue.

Disclaimer

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

External Links

CVE-2021-26701

Revisions

V1.0 (March 09, 2021): Advisory published.

Version 1.0

Last Updated 2021-03-09
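
The advisory lists the vulnerable and fixed versions of System.Text.Encodings.Web, but for an application the question is which resolved version NuGet actually restored and which direct reference pulled it in. The following is an added example, not code from the advisory or from the dotnet/runtime project: it reads the obj/project.assets.json file that a restore writes, looks up the resolved System.Text.Encodings.Web version for each target framework, classifies it against the table above, and prints the dependency chains from the project's direct references. The assets document embedded below is constructed to illustrate the shape of that file (its package graph is a simplification, not a real project's), the table bounds are treated as inclusive, and a prerelease of a version is treated like the release itself.

```python
import json
import sys

PACKAGE = "System.Text.Encodings.Web"
# Transcribed from the advisory table above; bounds are inclusive.
VULNERABLE_RANGES = [("4.0.0", "4.5.0"), ("4.6.0", "4.7.1"), ("5.0.0", "5.0.0")]
SECURE_VERSIONS = {"4.5.1", "4.7.2", "5.0.1"}


def parse_version(text):
    """'4.7.1' or '5.0.0-rc.1' -> comparable 4-tuple. The prerelease label is
    dropped, so a 5.0.0 prerelease is treated like 5.0.0 (deliberately conservative)."""
    parts = [int(p) for p in text.split("-", 1)[0].split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def classify(version):
    """'vulnerable', 'fixed', or 'unlisted' (a version the advisory does not mention)."""
    v = parse_version(version)
    if any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in VULNERABLE_RANGES):
        return "vulnerable"
    return "fixed" if version in SECURE_VERSIONS else "unlisted"


def resolved_packages(assets, target):
    """lower-cased id -> (id, resolved version, {dependency id: declared floor})."""
    out = {}
    for key, lib in assets["targets"][target].items():
        name, _, version = key.partition("/")
        out[name.lower()] = (name, version, lib.get("dependencies", {}))
    return out


def chains_to(packages, start, goal, path=(), seen=frozenset()):
    """Yield every dependency chain from `start` down to `goal` in the resolved graph."""
    name, version, deps = packages[start]
    path += (f"{name}/{version}",)
    if start == goal:
        yield " -> ".join(path)
        return
    for dep in (d.lower() for d in deps):
        if dep in packages and dep not in seen:
            yield from chains_to(packages, dep, goal, path, seen | {start})


def audit(assets, package=PACKAGE):
    """One finding per target framework: the resolved version of `package`, its status
    against the advisory table, and the chains from the project's direct references."""
    direct = set()
    for fw in assets.get("project", {}).get("frameworks", {}).values():
        direct.update(d.lower() for d in fw.get("dependencies", {}))
    findings = []
    for target in assets["targets"]:
        packages = resolved_packages(assets, target)
        if package.lower() not in packages:
            continue
        version = packages[package.lower()][1]
        chains = [c for root in sorted(direct) if root in packages
                  for c in chains_to(packages, root, package.lower())]
        findings.append({"target": target, "version": version,
                         "status": classify(version), "chains": chains})
    return findings


# Constructed sample in the shape of obj/project.assets.json, not taken from a real project:
# a netcoreapp3.1 app whose only direct reference is Microsoft.AspNetCore.Diagnostics 2.2.0,
# reaching System.Text.Encodings.Web 4.5.0 through Microsoft.AspNetCore.Http.Abstractions.
SAMPLE_ASSETS = {
    "version": 3,
    "targets": {".NETCoreApp,Version=v3.1": {
        "Microsoft.AspNetCore.Diagnostics/2.2.0": {
            "type": "package",
            "dependencies": {"Microsoft.AspNetCore.Http.Abstractions": "2.2.0"}},
        "Microsoft.AspNetCore.Http.Abstractions/2.2.0": {
            "type": "package",
            "dependencies": {"System.Text.Encodings.Web": "4.5.0"}},
        "System.Text.Encodings.Web/4.5.0": {"type": "package"},
    }},
    "project": {"frameworks": {"netcoreapp3.1": {"dependencies": {
        "Microsoft.AspNetCore.Diagnostics": {"target": "Package", "version": "[2.2.0, )"}}}}},
}


def main(argv):
    """python audit_stew.py [obj/project.assets.json]; exit 1 when a vulnerable version resolved."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            assets = json.load(fh)
    else:
        assets = SAMPLE_ASSETS
    findings = audit(assets)
    for f in findings:
        print(f"{f['target']}: {PACKAGE} {f['version']} is {f['status']}")
        for chain in f["chains"]:
            print("    via", chain)
    return 1 if any(f["status"] == "vulnerable" for f in findings) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against a project's own obj/project.assets.json after a restore; an "unlisted" result means the version is outside the advisory table in either direction and needs a human look rather than an automatic pass. Note that a clean result here says only that the restored package is fixed; for a .NET Core or .NET 5 app the runtime's in-box copy of the assembly is the one that loads, so the runtime update in the advisory still applies.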

omajid commented 3 years ago

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26701#securityUpdates seems a little strange...

kevbry commented 3 years ago

Assuming this affects anyone running asp.net core 2.1 apps on full framework? Will updated dependent packages be released referencing the fixed version?

johnkors commented 3 years ago
$ dotnet --list-runtimes
Microsoft.AspNetCore.App 3.1.3 [/usr/local/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 3.1.3 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]

<Project Sdk="Microsoft.NET.Sdk.Web">
  <PropertyGroup>
    <TargetFramework>netcoreapp3.1</TargetFramework>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="System.Text.Encodings.Web" Version="4.6.0" />
  </ItemGroup>
</Project>

$ dotnet list package --vulnerable

The following sources were used:
   https://api.nuget.org/v3/index.json

The given project `VulnerableApp` has no vulnerable packages given the current sources

Shouldn't the new .NET 5 SDK feature dotnet list package --vulnerable report these..? Delay?

Or is this the scenario where the runtime hijacks and uses a runtime version of said package instead of what is defined in csproj, and hence not reporting it?

cc @JonDouglas @drewgillies

drewgillies commented 3 years ago

Hi @johnkors --the issue here is that there are no package vulnerabilities registered on GitHub for this CVE: https://github.com/advisories?query=CVE-2021-26701 Until a GitHub vulnerability advisory exists, the NuGet tools (including those included in the dotnet CLI) will have no information to present. But when we have an advisory in place it will surface in the tools.

[I've edited this comment down to something simpler because some of the finer points are still under discussion, but essentially this is why you don't see the advisory in the CLI--because it's not presented in GitHub]

johnkors commented 3 years ago

So basically there is a delay going between these stages:

  1. Reported as CVE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26701
  2. GitHub issue announcement, with affected & fix (like the one here)
  3. It appears as a GitHub advisory, shows in CLI

Thanks, @drewgillies !

drewgillies commented 3 years ago

You're welcome! Hopefully we'll have something in place soon.

miguelcrpinto commented 3 years ago

This announcement is a bit confusing... In the executive summary it mentions only ".NET 5.0, .NET Core 3.1, and .NET Core 2.1", then in the "Affected software" you mention "Any .NET 5, .NET Core, or .NET Framework based application".

Why was ".NET Framework" added in the "Affected software" section? Does this mean that .NET Framework applications are also vulnerable or only .Net Core Applications that target the .NET Framework?

benbhall commented 3 years ago

A couple of things might need some clarifying.

  1. Affected software: System.Text.Encodings.Web is tied to .NET Core, included out of the box in the runtime with Microsoft.NETCore.App so, the advisory is justified in being released under the headline of for .NET 5 and Core banner. However, it is also being used in .NET Framework applications via the NuGet package. Framework is mentioned once under Affected software but is there a risk of it being missed by not appearing in the headline?

  2. Removing vulnerability from applications:

Upgrading your package and redeploying your app should be sufficient to address this vulnerability.

and later on:

To fix the issue, please install the latest version of .NET 5.0, .NET Core 3.1 or .NET Core 2.1. ... Once you have installed the updated runtime or SDK, restart your apps for the update to take effect.

We could clarify that Framework is fixed via NuGet package update and deploy.

Then Core is just the runtime update and restart? I'm sure there are probably scenarios where Core applications are pulling the NuGet in directly too.

EDIT Apologies for some repetition. Wrote this then went into a meeting without adding comment and missed @miguelcrpinto comment.

snickler commented 3 years ago

A couple of things might need some clarifying.

  1. Affected software: System.Text.Encodings.Web is tied to .NET Core, included out of the box in the runtime with Microsoft.NETCore.App so, the advisory is justified in being released under the headline of for .NET 5 and Core banner. However, it is also being used in .NET Framework applications via the NuGet package. Framework is mentioned once under Affected software but is there a risk of it being missed by not appearing in the headline?
  2. Removing vulnerability from applications:

Upgrading your package and redeploying your app should be sufficient to address this vulnerability.

and later on:

To fix the issue, please install the latest version of .NET 5.0, .NET Core 3.1 or .NET Core 2.1. ... Once you have installed the updated runtime or SDK, restart your apps for the update to take effect.

We could clarify that Framework is fixed via NuGet package update and deploy.

Then Core is just the runtime update and restart? I'm sure there are probably scenarios where Core applications are pulling the NuGet in directly too.

EDIT Apologies for some repetition. Wrote this then went into a meeting without adding comment and missed @miguelcrpinto comment.

Yes, this is the understanding that @blowdart and @GrabYourPitchforks have provided on Twitter.

.NET Fx = upgrade NuGet package
.NET Core/5+ = upgrade runtime

https://twitter.com/LeviBroderick/status/1369478430002081793

benbhall commented 3 years ago

Ahh good, now the understanding is here too. Just need the advisory itself updated :)

kevbry commented 3 years ago

We could clarify that Framework is fixed via NuGet package update and deploy.

Doesn't that only work if you already had a direct reference to this specific package, not if it was brought in as a transitive dependency of something like microsoft.aspnetcore?

Edit: it does. Would be extremely helpful if this and future CVE could include the same sort of remediation steps that https://github.com/dotnet/aspnetcore/issues/18336 does for those exposed to this because of a transitive dependency.

This seems to be exactly the situation https://github.com/NuGet/Home/issues/5887 was talking about

GrabYourPitchforks commented 3 years ago

Hi all - thanks for the feedback. This has jumpstarted some discussions internally between the .NET security team, the release management team, and representatives from NuGet. In particular, we're discussing: (a) if we should wordsmith the advisory text to clarify the distinction between applications targeting .NET Core and non-Core applications which have manually pulled in this package; and (b) if we can get plugged in to the GitHub and NuGet scans for vulnerable package versions.

There's nothing to announce right now because these are early conversations, and I don't want to make any promises. But if something does come from these discussions, it'll be a direct result of the feedback you all have provided.

Plasma commented 3 years ago

@GrabYourPitchforks thank you, could I also suggest a CLI update that (like npm audit) checks if you are still vulnerable; as while the advice is to update the runtime, I’m unclear if packages that I may have which have a dependency also need to be updated (which may not be possible if they have no updates yet).

A CLI check to say “everything is good” would be great.

JonDouglas commented 3 years ago

@Plasma We're(NuGet) working on it and will have more to share soon. Thanks for your patience.

deanward81 commented 3 years ago

It looks like the issue is fixed in SDK 3.1.407 but the release notes on the announcements repo reference SDK 3.1.406. We just installed the wrong SDK until we realised - can we get this fixed up?

rbhanda commented 3 years ago

Hello @deanward81 I have fixed the issue now.

If you're using .NET Core 3.1, you should download and install Runtime 3.1.13 or SDK 3.1.113 (for Visual Studio 2019 v16.4) or 3.1.407 (for Visual Studio 2019 v16.5 or later) from https://dotnet.microsoft.com/download/dotnet-core/3.1.

dnbr2002 commented 3 years ago

This security violation for System.Text.Encodings.Web affects package Microsoft.AspNetCore.Diagnostics with no remediation options at this time that I'm aware of. Users leveraging your Health Checks have no options for their applications at this time, it seems. System.Text.Encodings.Web 4.5.0 is a transitive dependency of Microsoft.AspNetCore.Diagnostics 2.2.0 (the latest version). Is there any way around this CVE at this time, or is there a fix coming? Please advise. Thank you.

GrabYourPitchforks commented 3 years ago

@dnbr2002 It should be possible to update the System.Text.Encodings.Web package manually within your application. Or, if your application is running on ASP.NET Core 2.1, download the updated SDK https://dotnet.microsoft.com/download/dotnet/2.1 and you should receive the fix automatically without needing to change your package references.

Please note: The 2.2.x runtime and 2.2.x wave of packages are out of support and are not receiving updates. The current supported runtime versions and package waves are 2.1.x, 3.1.x, and 5.0.x. See the red header at the top of https://dotnet.microsoft.com/download/dotnet/2.2 for more information on 2.2's end-of-life.

dnbr2002 commented 3 years ago

@GrabYourPitchforks we have downloaded the latest sdk for 3.1.407 and run builds in our pipeline with it but it does not update the reference I have for Microsoft.AspNetCore.Diagnostics explicitly in my csproj. That one remains with the transitive depends of System.Text.Encodings.Web at 4.5.0 even with the 3.1.407 sdk.

johnkors commented 3 years ago

@dnbr2002 Did you try adding an explicit reference to System.Text.Encodings.Web/5.0.1?

     <PackageReference Include="Microsoft.AspNetCore.Diagnostics" Version="2.2.0" />
+    <PackageReference Include="System.Text.Encodings.Web" Version="5.0.1" />
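
Review bot: the `+` line pins the version only for this project's own restore, so confirm it actually won with `dotnet list package --include-transitive` before trusting a scanner result; and for a netcoreapp3.1 app the System.Text.Encodings.Web that loads at run time is the copy shipped in Microsoft.NETCore.App, so the runtime update (3.1.13 / SDK 3.1.407) is the real fix there and the package pin mainly quiets package-level scanners.
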
dnbr2002 commented 3 years ago

@johnkors I did, based on the recommendations in this thread, but it doesn't update the transitive dependency in Microsoft.AspNetCore.Diagnostics, which didn't surprise me. I'm not sure why my explicit reference to System.Text.Encodings.Web would update a transitive dependency in another package, but maybe I don't understand how transitives work in .NET?

johnkors commented 3 years ago

It does not update Microsoft.AspNetCore.Diagnostics, no. Adding an explicit ref is you telling the tooling "I explicitly want this version" instead of any transitive version (if a transitive dep exists). Like an override, if that makes sense.

If you run dotnet list package --include-transitive in the terminal (workdir: project), it will provide you some details what version is used.

dnbr2002 commented 3 years ago

@johnkors thanks for the clarification. Also I may not have run a clean between my builds last time. which may have been why I didn't see System.Text.Encodings.Web transitive getting updated in Microsoft.AspNetCore.Diagnostics.

watfordgnf commented 3 years ago

@JonDouglas NuGet still doesn't list this as a vulnerable package. I only just now caught this (by chance).

@rbhanda None of our tooling noticed this either. We're almost a month out without a means to detect this beyond a (tedious) review of transitive dependencies.

JonDouglas commented 3 years ago

@watfordgnf Unfortunately for NuGet to show this as a vulnerability, it needs to be logged officially in the GitHub Advisory Database. To my knowledge, no such advisory has been created yet.

https://github.com/dotnet/runtime/security/advisories

https://github.com/advisories?query=ecosystem%3Anuget

Given that a NuGet package is affected by this, it should be logged in the repository that owns the code or enough details regarding the affected package should be added in the CVE for the GitHub Advisory team to create one on the behalf.

https://docs.github.com/en/code-security/security-advisories/about-github-security-advisories

watfordgnf commented 3 years ago

@JonDouglas what details are missing from this issue on the CVE that couldn't be added to NuGet or to the GitHub Advisories? Why wasn't the GitHub advisory issued concurrently with the CVE placed on this issue?

These are three Microsoft products (the NuGet package itself, NuGet, and GitHub).

Who owns this process?

JonDouglas commented 3 years ago

@watfordgnf To ensure that the GitHub Advisory team can manually enter in a package advisory, they need sufficient details on the CVE such as what is listed in this issue with the package name, versions affected, and fix available/secured versions. It could be the case that those details now exist and the GitHub Advisory team has not got to it yet. See https://github.com/dotnet/runtime/issues/49377#issuecomment-796044496

In those cases, the project maintainers can also disclose the package vulnerability via the security repository tab.

https://docs.github.com/en/code-security/security-advisories/about-coordinated-disclosure-of-security-vulnerabilities

To clarify as to who owns the process. It is up to the project maintainers & security researchers to disclose the vulnerability. NuGet and GitHub simply ingest the information disclosed.

https://docs.github.com/en/code-security/security-advisories/about-coordinated-disclosure-of-security-vulnerabilities#best-practices-for-maintainers

watfordgnf commented 3 years ago

Even if a GitHub Advisory is in place, this does not seem to work. I've filed an issue for that.

My point stands: these are Microsoft products. Someone should own the process to get these vulnerabilities placed into the requisite Microsoft owned database such that the tooling reflects reality. Passing the buck between projects isn't useful to the end users trying to validate that their systems do not have vulnerable dependencies.

GrabYourPitchforks commented 3 years ago

We (the .NET team) own this process and are actively working on it. There's quite a bit going on behind the scenes to come up with a solution to improve this going forward.

nedavismsft commented 3 years ago

Hi all. I was able to upgrade the Nuget package and get a Fixed state on the Compliance Dashboard. However, I still see the tickets open on Azure Dev Ops. Any thoughts on how to close these tickets?

NickEricson commented 3 years ago

We compile netstandard2.0 (not .NET Core or .NET Framework) and include <PackageReference Include="Microsoft.AspNetCore.Mvc.Core" Version="2.2.2" />. What do you recommend we do?

GrabYourPitchforks commented 3 years ago

@NickEricson You are on an unsupported version of the Microsoft.AspNetCore.Mvc.Core package. Your consumers will not receive security updates. Recommend downgrading to the latest 2.1.x release, which is still supported.

Your consumer (not you, since you are not an application and do not target a specific runtime) is responsible for checking the table above and taking appropriate action based on what runtime they target.

NickEricson commented 3 years ago

Ok, just to confirm. Move from 2.2.2 to 2.1.16 (for example). We also use Microsoft.AspNetCore.Mvc.WebApiCompatShim (2.2.0 now) - do we need to move that back to 2.1.3?

We do have some aspnetcore 3.1 apps as well - I'll move them to 3.1.408

Will there be a 2.2.x version of these packages that has the fix?

Packages: https://www.nuget.org/packages/Microsoft.AspNetCore.Mvc.Core/ https://www.nuget.org/packages/Microsoft.AspNetCore.Mvc.WebApiCompatShim/

rbhanda commented 3 years ago

Hello @NickEricson .NET Core 2.2 is out of support. There will not be a new version of 2.2. We recommend you upgrade your applications from 2.2 to latest 3.1 and that should resolve this issue

NickEricson commented 3 years ago

@rbhanda and @GrabYourPitchforks - We are not targeting netcoreapp2.2. We have two projects - one targets netstandard2.0 and one targets netcoreapp3.1. The 3.1 one uses version 3.1.408, which we specify in an ADO task (DotNetCoreInstaller@0).

The .netstandard2.0 project has a nuget package reference to Microsoft.AspNetCore.Mvc.Core Version="2.2.5" the netcoreapp3.1 has a nuget package reference to Microsoft.AspNetCore.Mvc.WebApiCompatShim Version="2.2.0"

Both of those nuget packages are the latest versions. Without the nuget packages the projects do not compile.

@GrabYourPitchforks I moved Microsoft.AspNetCore.Mvc.WebApiCompatShim to 2.1.3 (latest 2.1 version prior to 2.2) but that also depends on System.Text.Encodings.Web 4.5.0


I have the following dotnet --info:

.NET SDK (reflecting any global.json):
 Version:   5.0.202
 Commit:    db7cc87d51

Runtime Environment:
 OS Name:     Windows
 OS Version:  10.0.19042
 OS Platform: Windows
 RID:         win10-x64
 Base Path:   C:\Program Files\dotnet\sdk\5.0.202\

Host (useful for support):
  Version: 5.0.5
  Commit:  2f740adc14

.NET SDKs installed:
  2.2.207 [C:\Program Files\dotnet\sdk]
  3.1.114 [C:\Program Files\dotnet\sdk]
  3.1.408 [C:\Program Files\dotnet\sdk]
  5.0.104 [C:\Program Files\dotnet\sdk]
  5.0.202 [C:\Program Files\dotnet\sdk]

.NET runtimes installed:
  Microsoft.AspNetCore.All 2.1.27 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All]
  Microsoft.AspNetCore.All 2.2.8 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All]
  Microsoft.AspNetCore.App 2.1.27 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 2.2.8 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 3.1.14 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 5.0.4 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 5.0.5 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.NETCore.App 2.1.27 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 2.2.8 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 3.1.14 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 5.0.4 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 5.0.5 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.WindowsDesktop.App 3.1.14 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
  Microsoft.WindowsDesktop.App 5.0.4 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
  Microsoft.WindowsDesktop.App 5.0.5 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]

priyank-b commented 3 years ago

We're using .NET Core SDK version 3.1.408 for our projects targeting netcoreapp3.1, and we have a dependency on the following packages, which are flagged for the System.Text.Encodings.Web vulnerability:

  Microsoft.AspNetCore.Mvc.Abstractions 2.2.0
  Microsoft.AspNetCore.Http 2.2.2
  Microsoft.AspNetCore.Mvc.Core 2.2.5
  Microsoft.VisualStudio.Web.CodeGeneration.Design 3.1.5

These are the latest versions of the compatible packages. I've added an explicit dependency on System.Text.Encodings.Web 4.5.1 as well, but this alert doesn't get fixed. Any suggestion on how to fix this ADO alert?

@GrabYourPitchforks @johnkors @rbhanda I tried explicitly specifying the 5.0.1 as well as the 4.5.1 version of System.Text.Encodings.Web. But the ADO alert still doesn't get mitigated. Any help here is appreciated. Thanks!

mcallaghan-geotab commented 3 years ago

Hi all, I have a question:

https://www.nuget.org/packages/Microsoft.AspNetCore.WebUtilities/ : many of our .NET Core packages depend on this. https://www.nuget.org/packages/Microsoft.AspNetCore.WebUtilities/1.1.2 has a dependency like System.Text.Encodings.Web (>= 4.3.1), and even the latest version, https://www.nuget.org/packages/Microsoft.AspNetCore.WebUtilities/2.2.0, has a dependency like System.Text.Encodings.Web (>= 4.5.0).

Even if a project specifies

<PackageReference Include="System.Text.Encodings.Web" Version="4.5.1" />

Due to NuGet's "minimum satisfied" version defaults, some CVE vulnerability scanners I think are incorrectly claiming the vulnerability still exists in the solution.

What is the typical path for other base/core packages to "pull in" such a security patch? Should I submit an Issue/PR to AspNetCore.WebUtilities to require System.Text.Encodings.Web (>= 4.5.1) ?

GrabYourPitchforks commented 3 years ago

@mcallaghan-geotab No action is required on your part. We're aware of the significant incidence of false positive matches and are already in conversations with vulnerability scanning tool developers to address this.
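
The two questions above (whether an explicit PackageReference to System.Text.Encodings.Web overrides the version a transitive dependency asks for, and why scanners that read a package's declared ">= 4.5.0" floor keep flagging a project that resolved 5.0.1) both come down to how NuGet picks versions. What follows is an added example that is not NuGet's code and not part of this project: a deliberately simplified model of a restore that applies the three rules involved, lowest applicable version, nearest wins for the project's own references, and a NU1605-style warning when the project pins a version below a transitive floor. The feed is constructed, with only the one dependency edge the thread discusses (Microsoft.AspNetCore.Http.Abstractions 2.2.0 declaring System.Text.Encodings.Web >= 4.5.0) and an invented set of available versions.

```python
from collections import deque

STEW = "System.Text.Encodings.Web"

# Constructed feed, not a real NuGet index: package -> version -> {dependency: floor}.
FEED = {
    "Microsoft.AspNetCore.Diagnostics": {"2.2.0": {"Microsoft.AspNetCore.Http.Abstractions": "2.2.0"}},
    "Microsoft.AspNetCore.Http.Abstractions": {"2.2.0": {STEW: "4.5.0"}},
    STEW: {"4.3.1": {}, "4.5.0": {}, "4.5.1": {}, "4.7.2": {}, "5.0.1": {}},
}


def parse_version(text):
    """'4.5.1' -> comparable 4-tuple; the prerelease label, if any, is ignored."""
    parts = [int(p) for p in text.split("-", 1)[0].split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def lowest_applicable(package, floor, feed):
    """NuGet's default rule: the lowest available version that satisfies the floor."""
    candidates = [v for v in feed[package] if parse_version(v) >= parse_version(floor)]
    if not candidates:
        raise LookupError(f"no version of {package} >= {floor} in the feed")
    return min(candidates, key=parse_version)


def resolve(direct_refs, feed):
    """Simplified restore. Direct references win over transitive floors (nearest wins),
    a cousin that declares a higher floor raises a transitive version, and a direct
    reference below a transitive floor yields a NU1605-style downgrade warning.
    Returns ({package: resolved version}, [warnings])."""
    resolved = {pkg: lowest_applicable(pkg, floor, feed) for pkg, floor in direct_refs.items()}
    warnings = []
    queue = deque(direct_refs)
    while queue:
        pkg = queue.popleft()
        for dep, floor in feed[pkg][resolved[pkg]].items():
            if dep in direct_refs:  # the project's own reference is authoritative
                if parse_version(resolved[dep]) < parse_version(floor):
                    warnings.append(f"NU1605-style downgrade: {pkg} {resolved[pkg]} wants "
                                    f"{dep} >= {floor} but the project pins {resolved[dep]}")
                continue
            wanted = lowest_applicable(dep, floor, feed)
            if dep not in resolved or parse_version(wanted) > parse_version(resolved[dep]):
                resolved[dep] = wanted
                queue.append(dep)
    return resolved, warnings


def declared_floors(resolved, feed, package):
    """What a scanner that reads nuspec metadata instead of the resolved graph sees:
    every resolved package's declared floor for `package`."""
    return {pkg: feed[pkg][ver][package] for pkg, ver in resolved.items()
            if package in feed[pkg][ver]}


def scenarios(feed=FEED):
    """The three situations from the thread: transitive only, an explicit reference to a
    fixed version, and an explicit reference below the transitive floor."""
    base = {"Microsoft.AspNetCore.Diagnostics": "2.2.0"}
    return {
        "transitive only": resolve(base, feed),
        "direct 5.0.1": resolve({**base, STEW: "5.0.1"}, feed),
        "direct 4.3.1": resolve({**base, STEW: "4.3.1"}, feed),
    }


if __name__ == "__main__":
    for label, (resolved, warnings) in scenarios().items():
        print(f"{label}: {STEW} resolves to {resolved[STEW]}; "
              f"declared floors {declared_floors(resolved, FEED, STEW)}")
        for w in warnings:
            print("    ", w)
```

With no direct reference the restore lands on 4.5.0, the lowest version that satisfies Http.Abstractions' floor, which is the vulnerable version dnbr2002 saw. Adding a direct reference to 5.0.1 changes the resolved version to 5.0.1 without touching Http.Abstractions at all, which is what the "override" in the thread means; the declared floor in Http.Abstractions' metadata stays ">= 4.5.0", and a scanner that matches on that floor rather than on the resolved graph is the false positive the reply above refers to. Pinning below the floor (4.3.1 here) is accepted by the nearest-wins rule but produces the downgrade warning, which the real NuGet treats as an error in SDK-style projects.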

mcallaghan-geotab commented 3 years ago

@GrabYourPitchforks -

@mcallaghan-geotab No action is required on your part. We're aware of the significant incidence of false positive matches and are already in conversations with vulnerability scanning tool developers to address this.

What about <PackageReference Include="Microsoft.AspNetCore.Http.Abstractions" Version="2.2.0" /> https://www.nuget.org/packages/Microsoft.AspNetCore.Http.Abstractions/ ?

It has not been updated since 2018, and still only depends on an insecure version of System.Text.Encodings.Web

      "Microsoft.AspNetCore.Http.Abstractions/2.2.0": {
        "type": "package",
        "dependencies": {
          "Microsoft.AspNetCore.Http.Features": "2.2.0",
          "System.Text.Encodings.Web": "4.5.0"
        },

Even after attempting to force our project configuration to use the latest version,

    <ItemGroup>
        <PackageReference Include="System.Text.Encodings.Web" Version="4.5.1" />
    </ItemGroup>

Again getting false positives. (example: https://ossindex.sonatype.org/integration/devaudit)

EDIT: Also I do not see any active issues in https://github.com/dotnet/aspnetcore/issues for this problem. (move query/issue to there?)

GrabYourPitchforks commented 3 years ago

@mcallaghan-geotab The 2.2.x packages are out of support and are not receiving security patches. Use the 2.1.x packages or upgrade to 3.1.x instead.

The support lifecycle for .NET is listed at https://dotnet.microsoft.com/platform/support/policy/dotnet-core.

vikram5095 commented 3 years ago

We are using .NET Framework 4.5, 4.6 and 4.7 in our application, with ASP.NET 4.5 and 4.6 for the IIS configuration. We understand that the vulnerability is found in one of the SDK and .NET Core packages. Is our framework using the System.Text.Encodings.Web package that is listed as vulnerable, or does IIS ASP.NET not use this package for running the web application? We need to confirm this before going for the security patch update.

on 2019 Windows OS

PSChildName Version    Release
----------- -------    -------
Client      4.7.03190  461814
Full        4.7.03190  461814
Client      4.0.0.0

on 2016 Window OS

PSChildName                        Version         Release
-----------                        -------         -------
v2.0.50727                         2.0.50727.4927
v3.0                               3.0.30729.4926
Windows Communication Foundation   3.0.4506.4926
Windows Presentation Foundation    3.0.6920.4902
v3.5                               3.5.30729.4926
Client                             4.6.01586       394802
Full                               4.6.01586       394802
Client                             4.0.0.0

on Window server 2012 OS

PSChildName                        Version         Release
-----------                        -------         -------
v2.0.50727                         2.0.50727.4927
v3.0                               3.0.30729.4926
Windows Communication Foundation   3.0.4506.4926
Windows Presentation Foundation    3.0.6920.4902
v3.5                               3.5.30729.4926
Client                             4.5.51650       379893
Full                               4.5.51650       379893
Client                             4.0.0.0

ghost commented 2 years ago

Hello! Any news on fixing this vuln? We still have the old version with the RCE in the newest runtime Docker image.

danmoseley commented 2 years ago

Which docker image?

ghost commented 2 years ago

@danmoseley https://hub.docker.com/_/microsoft-dotnet-runtime

danmoseley commented 2 years ago

Which tag though? eg can you paste your docker command?

ghost commented 2 years ago

I ran a scan with Trivy after building NuGet packages via the SDK. I use the 6.0-focal tag.

danmoseley commented 2 years ago

@jeffhandley could someone on your team pull this image and see why a scanner is indicating it has a vulnerable System.Text.Encodings.Web?

iSeiryu commented 1 year ago

It's even an issue in .NET 7. An older version of System.Text.Encodings.Web is used by https://www.nuget.org/packages/Microsoft.AspNetCore.Http.Abstractions/ which has not been updated since 2018 and still targets .NET Standard 2.0. It can be fixed by updating the transitive dependency.

snickler commented 1 year ago

It's even an issue in .NET 7. An older version of System.Text.Encodings.Web is used by https://www.nuget.org/packages/Microsoft.AspNetCore.Http.Abstractions/ which has not been updated since 2018 and still targets .NET Standard 2.0. It can be fixed by updating the transitive dependency.

Hmm, you shouldn't need to reference the Microsoft.AspNetCore.Http.Abstractions NuGet package in .NET 7, unless the project that needs it is targeting netstandard2.x? If you need that namespace in a project that isn't an ASP.NET-based one, add a FrameworkReference to it.

https://learn.microsoft.com/en-us/aspnet/core/migration/22-to-30?view=aspnetcore-3.1&tabs=visual-studio#framework-reference

iSeiryu commented 1 year ago

@snickler We have a fairly empty solution with a few projects. Each project targets net7.0. Snyk flags the repository with this vulnerability https://security.snyk.io/vuln/SNYK-DOTNET-SYSTEMTEXTENCODINGSWEB-1253267