Security vulnerabilities in serilog-sinks-mssql

[LeonFreriks-calvi]

Bug Report / Support Request Template

If you are opening a feature request, you can ignore this template. Bug reports and requests for assistance usually require the same basic information described below. This will help us more quickly reproduce and investigate the problem you're reporting. (If you are using Serilog.Sinks.MSSqlServerCore, that package is deprecated, please switch to Serilog.Sinks.MSSqlServer before reporting an issue.)

Please clearly describe what the SQL Sink is doing incorrectly:

When including SQL Sink in my project, my project has an added vulnerability When I remove the SQL Sink, my project is no longer vulnerable. Please note that 5.7.1 and 5.8 dev 20 produce the same results

Please clearly describe the expected behavior:

SQL Sink needs to be updated, in order to not use the vulnerable package(s)

The errors can be found using dotnet list package --vulnerable --include-transitive

Which exact package contains the vulnerability is trial and error unfortunately

From my own experience so far:

xunit 2.4.2 -> xunit 2.4.0 (https://devscope.io/code/xunit/xunit/issues/2568)

Microsoft.PowerShell.SDK Microsoft.VisualStudio.Web.CodeGeneration.Design Microsoft.AspNetCore.Authentication

AutoFixture AutoFixture.AutoMoq AutoFixture.Xunit2 https://github.com/AutoFixture/AutoFixture/issues/1356

PuppeteerSharp https://github.com/hardkoded/puppeteer-sharp/issues/2014

System.ServiceModel.Http System.ServiceModel.Security System.ServiceModel.Duplex System.ServiceModel.NetTcp

Microsoft.AspNetCore.WebUtilities

List the names and versions of all Serilog packages used in the project:

• Serilog: 6.0.1
• Serilog.Sinks.MSSqlServer: 5.7.1 (but also 5.8 dev20
• (configuration, etc.)

Target framework and operating system:

[x] .NET Core 6 [ ] .NET Core 3.1 [ ] .NET Framework 4.8 [ ] .NET Framework 4.7 [ ] .NET Framework 4.6.x

OS: windows

Thanks in advance!

[ckadluba]

Hi @LeonFreriks-calvi!

Thank you for reporting this. Unfortunately this error appears not as a dependabot alert nor during normal build using our GitHub actions.

But when I ran dotnet list package --vulnerable --include-transitive, I found even a more critical issue.

I found out that the high severity issue (https://github.com/advisories/GHSA-5crp-9r3c-p9vr) is related to the package Microsoft.Data.SqlClient 1.1.3. I will update this package to the newest version 5.0.0 so the issue will be gone.

The moderate issue (https://github.com/advisories/GHSA-cmhx-cq75-c4mj) you found is related to Microsoft.Azure.Services.AppAuthentication 1.4.0. The newest version of the package is 1.6.2 and it still has the issue. But since this package is deprecated already and we have an issue (#400) and a PR that aims to replace it with Azure.Identity, we have to wait until that is done.

[ckadluba]

I created the linked PR which fixes the critical issue in the MSSQL sink library. I just wait for a brief review from a co maintainer before we create a release.

As mentioned, this PR only fixes the critical issue https://github.com/advisories/GHSA-5crp-9r3c-p9vr. The moderate issue https://github.com/advisories/GHSA-cmhx-cq75-c4mj is in the dependency Microsoft.Azure.Services.AppAuthentication which is obsolete and has no newer version to fix this. Since we will have SqlClient 3.0.0 with the current PR, we can use it to do authentication for Azure SQL and therefore do not need the obsolete AppAuthentication library anymore. But unfortunately it is not a drop-in replacement and of our some code has to be changed to do all this. Therefore I will fix the moderate issue and remove AppAuthentication in another release soon.

[ckadluba]

Hi everyone!

I just created release 5.8.0 where the high severity issue https://github.com/advisories/GHSA-5crp-9r3c-p9vr is fixed. Please help us by testing it, if you can.

This report will remain open until we remove the initally reported moderate issue https://github.com/advisories/GHSA-cmhx-cq75-c4mj.

[LeonFreriks-calvi]

Awesome, thank you very much for your status update and reports. Really appreciate you and the team taking this serious and the speed in which it's getting resolved!