Microsoft Security Advisory 4021279 – ASP.NET Core Could Allow Elevation of Privilege

Microsoft has released an urgent patch for several .NET Core and ASP.NET Core packages. If you reference any of the packages below directly, or any package you use depends on them, update immediately. The full advisory is published in the aspnet/Announcements repository on GitHub.

Package                                   | Affected Versions                              | Fixed Versions
System.Text.Encodings.Web                 | 4.0.0, 4.3.0                                   | 4.0.1, 4.3.1
System.Net.Http                           | 4.1.1, 4.3.1                                   | 4.1.2, 4.3.2
System.Net.Http.WinHttpHandler            | 4.0.1, 4.3.0                                   | 4.0.2, 4.3.1
System.Net.Security                       | 4.0.0, 4.3.0                                   | 4.0.1, 4.3.1
System.Net.WebSockets.Client              | 4.0.0, 4.3.0                                   | 4.0.1, 4.3.1
Microsoft.AspNetCore.Mvc                  | 1.0.0, 1.0.1, 1.0.2, 1.0.3; 1.1.0, 1.1.1, 1.1.2 | 1.0.4 (1.0.x), 1.1.3 (1.1.x)
Microsoft.AspNetCore.Mvc.Core             | 1.0.0, 1.0.1, 1.0.2, 1.0.3; 1.1.0, 1.1.1, 1.1.2 | 1.0.4 (1.0.x), 1.1.3 (1.1.x)
Microsoft.AspNetCore.Mvc.Abstractions     | 1.0.0, 1.0.1, 1.0.2, 1.0.3; 1.1.0, 1.1.1, 1.1.2 | 1.0.4 (1.0.x), 1.1.3 (1.1.x)
Microsoft.AspNetCore.Mvc.ApiExplorer      | 1.0.0, 1.0.1, 1.0.2, 1.0.3; 1.1.0, 1.1.1, 1.1.2 | 1.0.4 (1.0.x), 1.1.3 (1.1.x)
Microsoft.AspNetCore.Mvc.Cors             | 1.0.0, 1.0.1, 1.0.2, 1.0.3; 1.1.0, 1.1.1, 1.1.2 | 1.0.4 (1.0.x), 1.1.3 (1.1.x)
Microsoft.AspNetCore.Mvc.DataAnnotations  | 1.0.0, 1.0.1, 1.0.2, 1.0.3; 1.1.0, 1.1.1, 1.1.2 | 1.0.4 (1.0.x), 1.1.3 (1.1.x)
Microsoft.AspNetCore.Mvc.Formatters.Json  | 1.0.0, 1.0.1, 1.0.2, 1.0.3; 1.1.0, 1.1.1, 1.1.2 | 1.0.4 (1.0.x), 1.1.3 (1.1.x)
Microsoft.AspNetCore.Mvc.Formatters.Xml   | 1.0.0, 1.0.1, 1.0.2, 1.0.3; 1.1.0, 1.1.1, 1.1.2 | 1.0.4 (1.0.x), 1.1.3 (1.1.x)
Microsoft.AspNetCore.Mvc.Localization     | 1.0.0, 1.0.1, 1.0.2, 1.0.3; 1.1.0, 1.1.1, 1.1.2 | 1.0.4 (1.0.x), 1.1.3 (1.1.x)
Microsoft.AspNetCore.Mvc.Razor.Host       | 1.0.0, 1.0.1, 1.0.2, 1.0.3; 1.1.0, 1.1.1, 1.1.2 | 1.0.4 (1.0.x), 1.1.3 (1.1.x)
Microsoft.AspNetCore.Mvc.Razor            | 1.0.0, 1.0.1, 1.0.2, 1.0.3; 1.1.0, 1.1.1, 1.1.2 | 1.0.4 (1.0.x), 1.1.3 (1.1.x)
Microsoft.AspNetCore.Mvc.TagHelpers       | 1.0.0, 1.0.1, 1.0.2, 1.0.3; 1.1.0, 1.1.1, 1.1.2 | 1.0.4 (1.0.x), 1.1.3 (1.1.x)
Microsoft.AspNetCore.Mvc.ViewFeatures     | 1.0.0, 1.0.1, 1.0.2, 1.0.3; 1.1.0, 1.1.1, 1.1.2 | 1.0.4 (1.0.x), 1.1.3 (1.1.x)
Microsoft.AspNetCore.Mvc.WebApiCompatShim | 1.0.0, 1.0.1, 1.0.2, 1.0.3; 1.1.0, 1.1.1, 1.1.2 | 1.0.4 (1.0.x), 1.1.3 (1.1.x)

Fixing Direct Dependencies

To fix direct dependencies, open the csproj of every project in the solution (class libraries and test projects too, not only the web project) and check its PackageReference entries against the list above. If you find any, update to the fixed package version, restore, and redeploy immediately if the project is in production.

For example, if you had the following csproj file:

<Project Sdk="Microsoft.NET.Sdk.Web">
  <PropertyGroup>
    <TargetFramework>netcoreapp1.1</TargetFramework>
  </PropertyGroup>
  <PropertyGroup>
    <PackageTargetFallback>$(PackageTargetFallback);portable-net45+win8+wp8+wpa81;</PackageTargetFallback>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore" Version="1.0.3" />
  </ItemGroup>
  <ItemGroup>
    <DotNetCliToolReference Include="Microsoft.VisualStudio.Web.CodeGeneration.Tools" Version="1.0.0" />
  </ItemGroup>
</Project>

Microsoft.AspNetCore is the ASP.NET Core metapackage. It does not appear in the table itself, but version 1.0.3 pulls affected packages in through its dependencies, so treat it as a hit: update the version to 1.0.4, restore, and then confirm in the generated project.assets.json that none of the affected versions are still resolved.

Fixing Transitive Dependencies

Transitive dependencies are packages pulled in by the libraries you reference directly. They are harder to track down, because they never appear in your csproj, but they are still simple to fix.

Open the project.assets.json for your project. It is generated by restore and lives in the project's obj folder, so it only exists after a restore has run. Every package that restore resolved appears there as a "Name/Version" key under "libraries", and the "targets" section shows which package depended on it; search it for any package and version from the list above. If you find an affected version, add an explicit PackageReference for the fixed version to your csproj, restore again, and check that the old version is gone. The direct reference wins over the version your other libraries asked for because NuGet lets a reference nearer the project override one further down the graph, and since the fixed versions are higher patch releases they still satisfy the dependents' minimum-version ranges. Think of it as an assembly binding redirect in web.config, except that it is resolved at restore time rather than at load time.
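As an added example (not code from the original post or from Microsoft's advisory), the following Python script automates both checks described above: it reads a csproj for direct PackageReference hits and a project.assets.json for transitive ones, using the package table from this page, and reports the csproj change that fixes each finding. The embedded sample csproj and the trimmed project.assets.json are constructed for illustration, and the dependency chain in the sample (Mvc to Mvc.Core to System.Text.Encodings.Web) is an assumption, not the output of a real restore.

```python
"""Check a csproj and its project.assets.json against the 4021279 package table.

Added example, not code from the original post or from Microsoft's advisory.
AFFECTED is the table from the advisory; SAMPLE_CSPROJ and SAMPLE_ASSETS are
constructed inputs (the dependency chain in SAMPLE_ASSETS is assumed)."""
import json
import xml.etree.ElementTree as ET

_MVC_FIX = {v: "1.0.4" for v in ("1.0.0", "1.0.1", "1.0.2", "1.0.3")}
_MVC_FIX.update({v: "1.1.3" for v in ("1.1.0", "1.1.1", "1.1.2")})

# lower-cased package id (NuGet ids are case-insensitive) -> {affected: fixed}
AFFECTED = {
    "system.text.encodings.web": {"4.0.0": "4.0.1", "4.3.0": "4.3.1"},
    "system.net.http": {"4.1.1": "4.1.2", "4.3.1": "4.3.2"},
    "system.net.http.winhttphandler": {"4.0.1": "4.0.2", "4.3.0": "4.3.1"},
    "system.net.security": {"4.0.0": "4.0.1", "4.3.0": "4.3.1"},
    "system.net.websockets.client": {"4.0.0": "4.0.1", "4.3.0": "4.3.1"},
}
for _suffix in ("", ".Core", ".Abstractions", ".ApiExplorer", ".Cors",
                ".DataAnnotations", ".Formatters.Json", ".Formatters.Xml",
                ".Localization", ".Razor.Host", ".Razor", ".TagHelpers",
                ".ViewFeatures", ".WebApiCompatShim"):
    AFFECTED["microsoft.aspnetcore.mvc" + _suffix.lower()] = _MVC_FIX


def fixed_version(package, version):
    """Patched version for (package, version) if the advisory lists it, else None."""
    return AFFECTED.get(package.lower(), {}).get(version)


def check_csproj(csproj_xml):
    """Direct dependencies: [(package, version, fixed)] for each affected
    <PackageReference>.  Works with and without an MSBuild XML namespace."""
    hits = []
    for el in ET.fromstring(csproj_xml).iter():
        if el.tag.rsplit("}", 1)[-1] != "PackageReference":
            continue
        pkg, ver = el.get("Include"), el.get("Version")
        fix = fixed_version(pkg, ver) if pkg and ver else None
        if fix:
            hits.append((pkg, ver, fix))
    return hits


def check_assets(assets_json):
    """Transitive dependencies: [(package, version, fixed, [parents])] for each
    affected package that restore resolved.  "libraries" keys are "Name/Version";
    the "targets" graph says which package depended on it."""
    assets = json.loads(assets_json)
    parents = {}
    for graph in assets.get("targets", {}).values():
        for node, meta in graph.items():
            for child in meta.get("dependencies", {}):
                parents.setdefault(child.lower(), set()).add(node)
    hits = []
    for lib in assets.get("libraries", {}):
        pkg, _, ver = lib.partition("/")
        fix = fixed_version(pkg, ver)
        if fix:
            hits.append((pkg, ver, fix, sorted(parents.get(pkg.lower(), ()))))
    return hits


def report(csproj_xml, assets_json):
    """One line per finding with the csproj change that fixes it."""
    direct = check_csproj(csproj_xml)
    seen = {p.lower() for p, _, _ in direct}
    lines = [f'direct: {p} {v} -> set Version="{f}"' for p, v, f in direct]
    for p, v, f, via in check_assets(assets_json):
        if p.lower() not in seen:  # already reported as a direct reference
            lines.append(f'transitive: {p} {v} via {", ".join(via) or "(top level)"} '
                         f'-> add <PackageReference Include="{p}" Version="{f}" />')
    return lines


# Constructed sample inputs.  Real project.assets.json files carry far more
# (sha512, file lists, runtime graphs); only the keys read above are kept.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <PropertyGroup><TargetFramework>netcoreapp1.1</TargetFramework></PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.Mvc" Version="1.1.2" />
    <PackageReference Include="Newtonsoft.Json" Version="10.0.2" />
  </ItemGroup>
</Project>"""

SAMPLE_ASSETS = json.dumps({
    "version": 2,
    "targets": {".NETCoreApp,Version=v1.1": {
        "Microsoft.AspNetCore.Mvc/1.1.2": {
            "type": "package", "dependencies": {"Microsoft.AspNetCore.Mvc.Core": "1.1.2"}},
        "Microsoft.AspNetCore.Mvc.Core/1.1.2": {
            "type": "package", "dependencies": {"System.Text.Encodings.Web": "4.3.0"}},
        "System.Text.Encodings.Web/4.3.0": {"type": "package"},
        "Newtonsoft.Json/10.0.2": {"type": "package"}}},
    "libraries": {
        "Microsoft.AspNetCore.Mvc/1.1.2": {"type": "package"},
        "Microsoft.AspNetCore.Mvc.Core/1.1.2": {"type": "package"},
        "System.Text.Encodings.Web/4.3.0": {"type": "package"},
        "Newtonsoft.Json/10.0.2": {"type": "package"}}})

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CSPROJ, SAMPLE_ASSETS)))
```

Run it against your own files by reading them in place of the two samples. Packages that are already reported as direct references are left out of the transitive list, since bumping the direct reference fixes them; each remaining transitive hit needs its own explicit PackageReference at the fixed version, followed by a restore and a second run of the script to confirm the old version has disappeared.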

Fixing project.json (Legacy .NET Core Apps)

If you have a .NET Core web app that is still on project.json, the process is much the same: the "dependencies" section of project.json is where your direct references live, so add the fixed version there, and project.lock.json is the restore output to search for transitive hits. The full advisory on GitHub covers the project.json case as well.
