Denial Of Service Vulnerability In ASP.net Core 1.1

Microsoft has released a security advisory warning of a vulnerability in the ASP.net Core 1.1 MVC Core package that could allow a Denial Of Service attack. Microsoft is not disclosing exactly how the vulnerability is triggered at this stage, which is understandable, as it seems any .net core app that is on 1.1 will be affected. Note that any ASP.net Core version below 1.1 is not affected.

Further info/discussion :

Github Announcement
Redhat Announcement
Reddit Discussion
HN Discussion

The issue is in a package named “Microsoft.AspNetCore.Mvc.Core”, but most people will find that they have a direct reference to the “parent” package named “Microsoft.AspNetCore.Mvc”. Either way, you need to do the below and patch.

How To Patch (project.json)

This is how to fix the vulnerability if you are using project.json (e.g. ASP.net Core 1.1 Preview 2). If you are using csproj (Preview 4), then check the section below.

First, open your project.json file and search for “Microsoft.AspNetCore.Mvc*”. That pattern includes any reference to sub-packages such as “Microsoft.AspNetCore.Mvc.Core”. Let’s say you have a project.json similar to the below.

{
  "dependencies": {
    "Microsoft.NETCore.App": {
      "version": "1.1.0",
      "type": "platform"
    },
    "Microsoft.AspNetCore.Diagnostics": "1.1.0",
    "Microsoft.AspNetCore.Mvc": "1.1.0"
......
}

You need to bump the version of the MVC dependency. So change it to 1.1.1 like so :

{
  "dependencies": {
    "Microsoft.NETCore.App": {
      "version": "1.1.0",
      "type": "platform"
    },
    "Microsoft.AspNetCore.Diagnostics": "1.1.0",
    "Microsoft.AspNetCore.Mvc": "1.1.1"
......
}

Open a console inside your project folder and run “dotnet restore”, and you should now be on the patched version of the library. Deploy your updated application as soon as possible.

If you cannot find a reference to “Microsoft.AspNetCore.Mvc*” in your project.json it does not mean you are immune.

Open your project.lock.json file, and search for “Microsoft.AspNetCore.Mvc.Core”. If you find it inside this file, it means that a package you are using depends on the MVC Core package. In this case, you need to manually add the following line to your project.json dependencies.

"Microsoft.AspNetCore.Mvc.Core": "1.1.1"

How To Patch (.csproj)

Patching your csproj file is almost identical, but in lovely XML form.

Search for a reference to “Microsoft.AspNetCore.Mvc*”. It will look something like below :

<PackageReference Include="Microsoft.AspNetCore.Mvc" Version="1.1.0" />

Bump the patch version by 1, to 1.1.1:

<PackageReference Include="Microsoft.AspNetCore.Mvc" Version="1.1.1" />

Open a command prompt in your project folder and run “dotnet restore”. Deploy your updated application as soon as possible.

If you cannot find a reference to “Microsoft.AspNetCore.Mvc*” in your .csproj it does not mean you are immune.

You should find a file named project.assets.json in your project folder. Open this and search for “Microsoft.AspNetCore.Mvc.Core”. If you find it, it means that a package you are directly using has a reference itself to the MVC Core package. You need to open up your .csproj, and add in the following line :

<PackageReference Include="Microsoft.AspNetCore.Mvc.Core" Version="1.1.1" />

Open up a command prompt in your project folder and run “dotnet restore” and you are done. Deploy your updated application as soon as possible.
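
The lock-file check from both patch sections above, as an added example (not code from the original post or from Microsoft): this Python script reads a project.lock.json or project.assets.json and reports any resolved Microsoft.AspNetCore.Mvc.Core version from 1.1.0 up to, but not including, 1.1.1, whether it was referenced directly or pulled in by another package. It assumes both files key their "libraries" and "targets" entries as "PackageId/Version"; Contoso.Widgets and the sample data are constructed, and ignoring pre-release labels is a simplifying assumption.

```python
import json
import sys
from pathlib import Path

PACKAGE = "microsoft.aspnetcore.mvc.core"  # NuGet ids are case-insensitive
FIRST_AFFECTED = (1, 1, 0)  # per the post, versions below 1.1 are not affected
FIRST_FIXED = (1, 1, 1)     # per the post, the patched release


def core_version(version):
    """Numeric part of a NuGet version; pre-release labels are ignored (assumption)."""
    numeric = version.split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in numeric.split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def resolved_versions(lock):
    """Every version of MVC Core that restore resolved, direct or transitive."""
    # Both lock formats key "libraries" and each "targets" entry by "PackageId/Version".
    sections = [lock.get("libraries", {}), *lock.get("targets", {}).values()]
    found = set()
    for section in sections:
        for key in section:
            name, _, version = key.partition("/")
            if name.lower() == PACKAGE and version:
                found.add(version)
    return sorted(found, key=core_version)


def vulnerable_versions(lock):
    """Resolved versions inside the affected range [1.1.0, 1.1.1)."""
    return [v for v in resolved_versions(lock)
            if FIRST_AFFECTED <= core_version(v) < FIRST_FIXED]


# Constructed sample: MVC Core arrives only through a hypothetical package,
# so it never appears in project.json or the .csproj.
SAMPLE_LOCK = {
    "libraries": {"Contoso.Widgets/2.0.0": {},
                  "Microsoft.AspNetCore.Mvc.Core/1.1.0": {}},
    "targets": {".NETCoreApp,Version=v1.1": {
        "Microsoft.AspNetCore.Mvc.Core/1.1.0": {}}},
}

if __name__ == "__main__":
    lock = (json.loads(Path(sys.argv[1]).read_text(encoding="utf-8-sig"))
            if len(sys.argv) > 1 else SAMPLE_LOCK)
    bad = vulnerable_versions(lock)
    print("VULNERABLE: " + ", ".join(bad) if bad else "no affected MVC Core version resolved")
    sys.exit(1 if bad else 0)
```

Run it with the path to the lock file after “dotnet restore”; the non-zero exit code on a hit lets a build step fail until the 1.1.1 reference is added.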
