.NET / ASP .NET CVEs package vulnerabilities backfill about advisory-database HOT 33 CLOSED

Answers to a few of the outstanding questions:

CVE-2020-0606 / dotnet/announcements#149 - Should reference https://www.nuget.org/packages/Microsoft.WindowsDesktop.App.Ref?

Yes. This is somewhat analogous to the NetCore.App vs affected underlying component discussion.

CVE-2020-1045 / dotnet/announcements#165 - which https://www.nuget.org/packages/microsoft.owin packages are impacted?

The affected owin package is Microsoft.AspNetCore.Owin rather than Microsoft.Owin. Fixed version 3.1.8.

from advisory-database.

thank you @skofman1 for sharing this with us! we've made an internal issue to track this and have added this to our backfill queue. this information is extremely helpful! I'll let you know if we have any additional questions once we've started going through it 😄

from advisory-database.

@shelbyc , CVE-2019-0546 was provided by mistake here. There are no impacted packages here. Feel free to remove.

from advisory-database.

The fix was not applied to 2.2 as that release went out of support in December 2019.

from advisory-database.

I'm now hitting this too - are we sure these versions are correct on Microsoft.Owin (NuGet link)? There isn't a package 3.1.8 I can find on any feed after checking everywhere I know of...so I'm questioning if maybe some versions got mixed up here in the CG system? They are exactly the same versions as the line above with Microsoft.AspNetCore.App so maybe a copy/paste thing? This is triggering build governance though so it's becoming a blocker issue for us - can we help resolve?

from advisory-database.

@NickCraver that's not going to be us (github database) then. I suspect that someone may have changed something on the CG side when this list got put together.

@skofman1 might be the best contact there.

from advisory-database.

@darakian , @leecow -
regarding CVE-2019-0545 - https://www.nuget.org/packages/System.Net.Http doesn't have versions 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6 with 2.17 being the fix. Those versions are valid only for https://www.nuget.org/packages/Microsoft.NETCore.App. I imagine that the intent in the [.NET Announcement)(https://github.com/dotnet/announcements/issues/94) is that System.NET.Http has the underlining vulnerability that impacts Microsoft.NETCore.App, however, the version ranges are valid only for Microsoft.NETCore.App. @leecow , do we know which version ranges in System.NET.Http are impacted by this CVE? @darakian, I recommend updating the advisory CVE-2019-0545 for now to include only Microsoft.NETCore.App, until we get clarity on the correct version ranges for System.NET.Http.

Regarding CVE-2019-0546 - this is a data issue. Sorry about that.

Regarding CVE-2020-0606 / dotnet/announcements#149 - @leecow , perhaps you can clarify here. Was you intent this package: https://www.nuget.org/packages/Microsoft.WindowsDesktop.App.Ref ?

Regarding CVE-2020-1045 / dotnet/announcements#165 - @leecow , could you help clarify which https://www.nuget.org/packages/microsoft.owin packages are impacted?

@NickCraver - I imagine someone from CG used this data. Could you provide details on what CG solution your team uses? Is this Azure DevOps? If so, I can try to reach out to them internally.

from advisory-database.

@darakian , @leecow and I worked offline on CVE-2020-1045 and this is the full set of impacted packages (I updated the table above as well).

from advisory-database.

@darakian , that's right. Microsoft.AspNetCore.Owin doesn't have version 2.1.22. https://www.nuget.org/packages/Microsoft.AspNetCore.Owin

from advisory-database.

//cc @leecow

from advisory-database.

Hey @skofman1, sorry for the delay, but we're now live-ish 🎉

A few notes.
Your list has CVE-2019-0545 as affecting Microsoft.NETCore.App in >= 2.1.0, < 2.1.7 with 2.1.7 as the fix. I assume this is a typo as the reference has two ranges for System.Net.Http. I've followed dotnet/announcements#94 for our advisory.

Similarly CVE-2019-0546 lists Microsoft.NETCore.App and System.Net.Http for the affected packages while
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-0546
Lists Microsoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8)
Should this one be for Microsoft.NETCore.App with the two ranges >= 2.1.0, < 2.1.7 & = 2.2.0?
Currently holding off on publishing this one.

CVE-2020-0606 / dotnet/announcements#149
The dotnet announcement mentions Any .NET Core application running on .NET Core 3.0.0, 3.0.1 or 3.1.0. for affected software and your notes list WindowsDesktop.App which does not seem to exist
https://www.nuget.org/packages/WindowsDesktop.App
Makes me think this is for the runtime and not a package, but let me know if I'm wrong there.

CVE-2020-1045 / dotnet/announcements#165
Similar affected software description and your note of Microsoft.Owin is missing both fix versions (2.1.22 and 3.1.8) that you suggest
https://www.nuget.org/packages/Microsoft.Owin
dotnet/aspnetcore#24264
lead me to Microsoft.AspNetCore.Http for this.
Can I get a double check on that one as well?

Thank you so much for the great list and sorry again for the delay in getting this done 🙇

CC @taladrane

from advisory-database.

@darakian - looking at the questions.

RE: CVE-2019-0545 / dotnet/announcements#94, the announcement provides the following.

This seems correct, though I may be missing something. Let me know. Ah, you're looking at the CVE. I could be misunderstanding the entry - it looks to define 2.1.0 through 2.1.6, inclusive and 2.2.0. Is that not correct?

from advisory-database.

Hey @leecow, the question I had about that one was with respect to @skofman1's list has Microsoft.NETCore.App rather than System.Net.Http. I assumed that meant https://www.nuget.org/packages/Microsoft.NETCore.App, but maybe that's incorrect.

@NickCraver which advisory is blocking you?

from advisory-database.

@darakian It's the last one for Microsoft.Owin: https://nvd.nist.gov/vuln/detail/CVE-2020-1045 / GHSA-hxrm-9w7p-39cc I can't find how any of these relate to Microsoft.Owin and the fix recommending versions that don't exist (and aren't slightly off - it's recommending 3.1.8 when only 3.1.0 exists) leads me to believe we have something off in the data here. Any help would be much appreciated!

from advisory-database.

Gotcha, yes, capturing the NetCore.app and 'included' package is confusing. Could the GitHub advisory follow a similar pattern to the .NET advisory? e.g. NetCore.App (System.Net.Http).

from advisory-database.

@NickCraver Ah gotcha. Our advisory isn't blocking you on that though is it? I couldn't find the Owin reference so, I left it off of that.

@leecow our namespace is defined as the names used on Nuget.org. System.Net.Http in this case.

from advisory-database.

@darakian I'm admittedly naive as to how these systems interact...it's triggering on internal builds in CG today as high severity and will break builds in under a month.

from advisory-database.

@NickCraver and CG is breaking the build because the it detects Microsoft.Owin in the offending range listed above?

from advisory-database.

@darakian yep exactly, it advises upgrading from 3.0.0 to 3.1.8 but that's not possible/doesn't exist :)

from advisory-database.

@skofman1 I have an internal thread going from discovery this AM but thought this may be way downstream of the source mismatch, will add you to this! I assumed this was downstream but honestly no clue.

from advisory-database.

@skofman1 Yep ADO here - and always feel free to ping on Teams too, I can link specific builds/incidents. This started happening last week for us (Thursday/Friday I think) so assuming the same as you here that same data source got pulled in. Thanks a ton for helping us get sorted!

from advisory-database.

the advisory CVE-2019-0545 for now to include only Microsoft.NETCore.App, until we get clarity on the correct version ranges for System.NET.Http.

Ok, just to double check you mean a change of the affected product from System.NET.Http to Microsoft.NETCore.App?

from advisory-database.

Ok, just to double check you mean a change of the affected product from System.NET.Http to Microsoft.NETCore.App?

Yes, exactly.

from advisory-database.

Yes, exactly.

Thank you much. We're updated 👍

from advisory-database.

@leecow many thanks 👍 Those two advisories are now updated on our end.

from advisory-database.

@skofman1 many thanks for the update. Am I right in reading that last line that Microsoft.AspNetCore.Owin does not have a fix version at 2.1.22?

from advisory-database.

Fantastic. Thank you much and I've updated our advisory to reflect 👍

from advisory-database.

@skofman1
Looks like some of the details for dotnet/announcements#73 were not properly added in the advisory.

On GHSA-p9wx-v264-q34p, for System.ServiceModel.Duplex and System.ServiceModel.Security, it includes affected versions >= 4.0.0, < 4.1.3 with patched version 4.1.3, but the table above and the announcement say vulnerable versions are 4.0.0, 4.0.1 and 4.0.2, with secure version 4.0.4.

This caused us to get alerts from a dependency on Microsoft.NETCore.UniversalWindowsPlatform which I believe were false positives. I have submitted a suggestion for improvements in #574

from advisory-database.

Thank for reporting @lechacon !

@darakian , could you take a look pls?

from advisory-database.

@lechacon & @skofman1 sorry about that and sorry for the late reply (I was out for a few days). A colleague of mine has gone ahead and put those updates through. Let me know if you see anything else.

from advisory-database.

Regarding CVE-2019-0546 - this is a data issue. Sorry about that.

@skofman1 We're seeking clarification before deciding whether to publish or close. Is CVE-2019-0546 a valid vulnerability? Does it affect Microsoft.NETCore.App and should we review this vulnerability/send out alerts? If CVE-2019-0546 only affects Microsoft Visual Studio, it doesn't affect a supported package and we can't review or alert on it.

from advisory-database.

Hello,

Can anyone verify that CVE-2020-1045 was permanently fixed for Mictosoft.AspNetCore.Http as of 2.1.22, and the higher versions, including versions 2.2.x no longer have this vulnerability? Sonatype is reporting this is still an active issue directly via support chat:

"""
For Microsoft.AspNetCore.Http:

So for the 2.1.x branch, we do have the vulnerable range closed off at 2.1.22 (not inclusive).

For the 2.2.x version, the advisory does not address this branch and we have found that it does have the vulnerable code in its versions. There are currently 5 2.2.x versions published to Nuget, the latest published on 2/12/2019, and all contain the vulnerable code. We are monitoring new releases of this component and will close off the vulnerable range for the 2.2.x branch should a fix ever be released for it.
"""

If you can verify, can you please provide documentation so I can try to get this updated? Thank you!

from advisory-database.

@leecow is that to say that all 2.2.x releases of Microsoft.AspNetCore.Http are vulnerable? If so I can go ahead and update our advisory to reflect marking >= 2.2.0, <= 2.2.2 as vulnerable.

from advisory-database.