Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[DMS-243] Database configuration changes #206

Merged
merged 3 commits into from
Jul 30, 2024
Merged

[DMS-243] Database configuration changes #206

merged 3 commits into from
Jul 30, 2024

Conversation

simpat-adam
Copy link
Contributor

No description provided.

@github-actions GitHub Actions
Copy link

github-actions bot commented Jul 26, 2024
edited
Loading

🔍 Vulnerabilities of dms:latest

📦 Image Reference dms:latest
digestsha256:97e8a9ab1376fef4f45d3f777a13094d4906acee140eb98273bbed7573f24d49
vulnerabilitiescritical: 1 high: 2 medium: 12 low: 2 unspecified: 3
platformlinux/amd64
size84 MB
packages599
📦 Base Image mcr.microsoft.com/dotnet/runtime:8.0-alpine
digestsha256:895cf81760e6cc062b46066dac4b5aa3d9962a7926385ff8b4ba6fc6bdc16920
vulnerabilitiescritical: 1 high: 0 medium: 4 low: 0 unspecified: 3
critical: 1 high: 0 medium: 0 low: 0 unspecified: 3openssl 3.1.4-r5 (apk)

pkg:apk/alpine/[email protected]?os_name=alpine&os_version=3.19

critical : CVE--2024--5535

Affected range<3.1.6-r0
Fixed version3.1.6-r0
Description

unspecified : CVE--2024--4741

Affected range<3.1.6-r0
Fixed version3.1.6-r0
Description

unspecified : CVE--2024--4603

Affected range<3.1.5-r0
Fixed version3.1.5-r0
Description

unspecified : CVE--2024--2511

Affected range<3.1.4-r6
Fixed version3.1.4-r6
Description
critical: 0 high: 1 medium: 0 low: 0 System.Formats.Asn1 5.0.0 (nuget)

pkg:nuget/[email protected]

high 7.5: CVE--2024--38095 Improper Input Validation

Affected range>=5.0.0-preview.7.20364.11
<6.0.1
Fixed version6.0.1
CVSS Score7.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description

Microsoft Security Advisory CVE-2024-38095 | .NET Denial of Service Vulnerability

Executive summary

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 6.0 and .NET 8.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

A Vulnerability exists when System.Formats.Asn1 in .NET parses an X.509 certificate or collection of certificates, a malicious certificate can result in excessive CPU consumption on all platforms result in Denial of Service.

Announcement

Announcement for this issue can be found at dotnet/announcements#312

Mitigation factors

Microsoft has not identified any mitigating factors for this vulnerability.

Affected software

  • Any .NET 6.0 application running on .NET 6.0.31 or earlier.
  • Any .NET 8.0 application running on .NET 8.0.6 or earlier.

Affected Packages

The vulnerability affects any Microsoft .NET Core project if it uses any of affected packages versions listed below

.NET 6

Package name Affected version Patched version
Microsoft.NetCore.App.Runtime.linux-arm >=6.0.0, <= 6.0.31 6.0.32
Microsoft.NetCore.App.Runtime.linux-arm64 >=6.0.0, <= 6.0.31 6.0.32
Microsoft.NetCore.App.Runtime.linux-musl-arm >=6.0.0, <= 6.0.31 6.0.32
Microsoft.NetCore.App.Runtime.linux-musl-arm64 >=6.0.0, <= 6.0.31 6.0.32
Microsoft.NetCore.App.Runtime.linux-musl-x64 >=6.0.0, <= 6.0.31 6.0.32
Microsoft.NetCore.App.Runtime.linux-x64 >=6.0.0, <= 6.0.31 6.0.32
Microsoft.NetCore.App.Runtime.osx-arm64 >=6.0.0, <= 6.0.31 6.0.32
Microsoft.NetCore.App.Runtime.osx-x64 >=6.0.0, <= 6.0.31 6.0.32
Microsoft.NetCore.App.Runtime.win-arm >=6.0.0, <= 6.0.31 6.0.32
Microsoft.NetCore.App.Runtime.win-arm64 >=6.0.0, <= 6.0.31 6.0.32
Microsoft.NetCore.App.Runtime.win-x64 >=6.0.0, <= 6.0.31 6.0.32
Microsoft.NetCore.App.Runtime.win-x86 >=6.0.0, <= 6.0.31 6.0.32
System.Formats.Asn1 >=5.0.0-preview.7.20364.11 6.0.1

.NET 8

Package name Affected version Patched version
Microsoft.NetCore.App.Runtime.linux-arm >=8.0.0, <= 8.0.6 8.0.7
Microsoft.NetCore.App.Runtime.linux-arm64 >=8.0.0, <= 8.0.6 8.0.7
Microsoft.NetCore.App.Runtime.linux-musl-arm >=8.0.0, <= 8.0.6 8.0.7
Microsoft.NetCore.App.Runtime.linux-musl-arm64 >=8.0.0, <= 8.0.6 8.0.7
Microsoft.NetCore.App.Runtime.linux-musl-x64 >=8.0.0, <= 8.0.6 8.0.7
Microsoft.NetCore.App.Runtime.linux-x64 >=8.0.0, <= 8.0.6 8.0.7
Microsoft.NetCore.App.Runtime.osx-arm64 >=8.0.0, <= 8.0.6 8.0.7
Microsoft.NetCore.App.Runtime.osx-x64 >=8.0.0, <= 8.0.6 8.0.7
Microsoft.NetCore.App.Runtime.win-arm >=8.0.0, <= 8.0.6 8.0.7
Microsoft.NetCore.App.Runtime.win-arm64 >=8.0.0, <= 8.0.6 8.0.7
Microsoft.NetCore.App.Runtime.win-x64 >=8.0.0, <= 8.0.6 8.0.7
Microsoft.NetCore.App.Runtime.win-x86 >=8.0.0, <= 8.0.6 8.0.7
System.Formats.Asn1 <=6.0.0, >=7.0.0-preview.1.22076.8 8.0.1

Advisory FAQ

How do I know if I am affected?

If you have a runtime or SDK with a version listed, or an affected package listed in affected software or affected packages, you're exposed to the vulnerability.

How do I fix the issue?

  • To fix the issue please install the latest version of .NET 8.0 or .NET 7.0 or .NET 6.0. If you have installed one or more .NET SDKs through Visual Studio, Visual Studio will prompt you to update Visual Studio, which will also update your .NET SDKs.
  • If you have .NET 6.0 or greater installed, you can list the versions you have installed by running the dotnet --info command. You will see output like the following;
.NET Core SDK (reflecting any global.json):


 Version:   8.0.200
 Commit:    8473146e7d

Runtime Environment:

 OS Name:     Windows
 OS Version:  10.0.18363
 OS Platform: Windows
 RID:         win10-x64
 Base Path:   C:\Program Files\dotnet\sdk\6.0.300\

Host (useful for support):

  Version: 8.0.3
  Commit:  8473146e7d

.NET Core SDKs installed:

  8.0.200 [C:\Program Files\dotnet\sdk]

.NET Core runtimes installed:

  Microsoft.AspAspNetCore.App 8.0.3 [C:\Program Files\dotnet\shared\Microsoft.AspAspNetCore.App]
  Microsoft.AspNetCore.App 8.0.3 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.WindowsDesktop.App 8.0.3 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]


To install additional .NET Core runtimes or SDKs:
  https://aka.ms/dotnet-download

.NET 6.0 and .NET 8.0 updates are also available from Microsoft Update. To access this either type "Check for updates" in your Windows search, or open Settings, choose Update & Security and then click Check for Updates.

Once you have installed the updated runtime or SDK, restart your apps for the update to take effect.

Additionally, if you've deployed self-contained applications targeting any of the impacted versions, these applications are also vulnerable and must be recompiled and redeployed.

Other Information

Reporting Security Issues

If you have found a potential security issue in .NET 8.0 or .NET 6.0, please email details to [email protected]. Reports may qualify for the Microsoft .NET Core & .NET 5 Bounty. Details of the Microsoft .NET Bounty Program including terms and conditions are at https://aka.ms/corebounty.

Support

You can ask questions about this issue on GitHub in the .NET GitHub organization. The main repos are located at https://github.com/dotnet/runtime and https://github.com/dotnet/aspnet/. The Announcements repo (https://github.com/dotnet/Announcements) will contain this bulletin as an issue and will include a link to a discussion issue. You can ask questions in the linked discussion issue.

Disclaimer

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

External Links

CVE-2024-38095

Revisions

V1.0 (July 09, 2024): Advisory published.

Version 1.0

Last Updated 2024-07-09

critical: 0 high: 1 medium: 0 low: 0 System.Text.Json 8.0.0 (nuget)

pkg:nuget/[email protected]

high 7.5: CVE--2024--30105 Uncontrolled Resource Consumption

Affected range>=7.0.0
<8.0.4
Fixed version8.0.4
CVSS Score7.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description

Microsoft Security Advisory CVE-2024-30105 | .NET Denial of Service Vulnerability

Executive summary

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

A vulnerability exists in .NET when calling the JsonSerializer.DeserializeAsyncEnumerable method against an untrusted input using System.Text.Json may result in Denial of Service.

Discussion

Discussion for this issue can be found at dotnet/runtime#104619

Mitigation factors

Microsoft has not identified any mitigating factors for this vulnerability.

Affected software

  • Any .NET 8.0 application running on .NET 8.0.6 or earlier.

Affected Packages

The vulnerability affects any Microsoft .NET Core project if it uses any of affected packages versions listed below

.NET 8

Package name Affected version Patched version
System.Text.Json >= 7.0.0, < =8.0.3 8.0.4

Advisory FAQ

How do I know if I am affected?

If you have a runtime or SDK with a version listed, or an affected package listed in affected software or affected packages, you're exposed to the vulnerability.

How do I fix the issue?

  • To fix the issue please install the latest version of .NET 8.0 . If you have installed one or more .NET SDKs through Visual Studio, Visual Studio will prompt you to update Visual Studio, which will also update your .NET SDKs.
  • If you have .NET 6.0 or greater installed, you can list the versions you have installed by running the dotnet --info command. You will see output like the following;
.NET Core SDK (reflecting any global.json):


 Version:   8.0.200
 Commit:    8473146e7d

Runtime Environment:

 OS Name:     Windows
 OS Version:  10.0.18363
 OS Platform: Windows
 RID:         win10-x64
 Base Path:   C:\Program Files\dotnet\sdk\6.0.300\

Host (useful for support):

  Version: 8.0.3
  Commit:  8473146e7d

.NET Core SDKs installed:

  8.0.200 [C:\Program Files\dotnet\sdk]

.NET Core runtimes installed:

  Microsoft.AspAspNetCore.App 8.0.3 [C:\Program Files\dotnet\shared\Microsoft.AspAspNetCore.App]
  Microsoft.AspNetCore.App 8.0.3 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.WindowsDesktop.App 8.0.3 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]


To install additional .NET Core runtimes or SDKs:
  https://aka.ms/dotnet-download

.NET 8.0 updates are also available from Microsoft Update. To access this either type "Check for updates" in your Windows search, or open Settings, choose Update & Security and then click Check for Updates.

Once you have installed the updated runtime or SDK, restart your apps for the update to take effect.

Additionally, if you've deployed self-contained applications targeting any of the impacted versions, these applications are also vulnerable and must be recompiled and redeployed.

Other Information

Reporting Security Issues

If you have found a potential security issue in .NET 8.0 or .NET 7.0 or .NET 6.0, please email details to [email protected]. Reports may qualify for the Microsoft .NET Core & .NET 5 Bounty. Details of the Microsoft .NET Bounty Program including terms and conditions are at https://aka.ms/corebounty.

Support

You can ask questions about this issue on GitHub in the .NET GitHub organization. The main repos are located at https://github.com/dotnet/runtime and https://github.com/dotnet/aspnet/. The Announcements repo (https://github.com/dotnet/Announcements) will contain this bulletin as an issue and will include a link to a discussion issue. You can ask questions in the linked discussion issue.

Disclaimer

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

External Links

CVE-2024-30105

Revisions

V1.0 (July 09, 2024): Advisory published.

Version 1.0

Last Updated 2024-07-09

critical: 0 high: 0 medium: 4 low: 0 busybox 1.36.1-r15 (apk)

pkg:apk/alpine/[email protected]?os_name=alpine&os_version=3.19

medium : CVE--2023--42366

Affected range<1.36.1-r16
Fixed version1.36.1-r16
Description

medium : CVE--2023--42365

Affected range<1.36.1-r19
Fixed version1.36.1-r19
Description

medium : CVE--2023--42364

Affected range<1.36.1-r19
Fixed version1.36.1-r19
Description

medium : CVE--2023--42363

Affected range<1.36.1-r17
Fixed version1.36.1-r17
Description
critical: 0 high: 0 medium: 2 low: 0 Azure.Identity 1.10.3 (nuget)

pkg:nuget/[email protected]

medium 5.5: CVE--2024--35255 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Affected range<1.11.4
Fixed version1.11.4
CVSS Score5.5
CVSS VectorCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Description

Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability.

medium 5.5: CVE--2024--29992 Insufficiently Protected Credentials

Affected range<1.11.0
Fixed version1.11.0
CVSS Score5.5
CVSS VectorCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Description

Azure Identity Library for .NET Information Disclosure Vulnerability

critical: 0 high: 0 medium: 1 low: 1 Microsoft.Identity.Client 4.56.0.0 (nuget)

pkg:nuget/[email protected]

medium 5.5: CVE--2024--35255 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Affected range>=4.49.1
<4.60.4
Fixed version4.61.3
CVSS Score5.5
CVSS VectorCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Description

Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability.

low 3.9: CVE--2024--27086 Incorrect Authorization

Affected range>=4.48.0
<4.59.1
Fixed version4.59.1
CVSS Score3.9
CVSS VectorCVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L
Description

[!IMPORTANT]
ONLY applications targeting Xamarin Android and .NET Android (MAUI) are impacted. All others can safely dismiss this CVE.

Impact

MSAL.NET applications targeting Xamarin Android and .NET Android (e.g., MAUI) using the library from versions 4.48.0 to 4.60.3 (inclusive, except 4.59.1 and 4.60.3) are impacted by a low severity vulnerability.

A malicious application running on a customer Android device can (1) inject HTML/JavaScript in an embedded web view exported by affected applications, or (2) cause local denial of service against applications that were built using MSAL.NET for authentication on the same device (i.e., prevent the user of the legitimate application from logging in) due to incorrect activity export configuration.

Patches

MSAL.NET version 4.60.3 includes the fix. We recommend all users of MSAL.NET that are building public client applications for Android update to the latest version.

Workarounds

We recommend developers update to the latest version of MSAL.NET. If that is not possible, a developer may explicitly mark the MSAL.NET activity non-exported:

<activity android:name="microsoft.identity.client.AuthenticationAgentActivity" android:configChanges="orientation|screenSize" android:exported="false">
<intent-filter>
<action android:name="android.intent.action.VIEW" />
<category android:name="android.intent.category.DEFAULT" />
<category android:name="android.intent.category.BROWSABLE" />
<data android:scheme="msalYOUR_CLIENT_ID" android:host="auth" />
</intent-filter>
</activity>

References

Refer to MSAL.NET documentation for latest guidance and best practices on configuring client applications using the library.

critical: 0 high: 0 medium: 1 low: 1 Microsoft.Identity.Client 4.56.0 (nuget)

pkg:nuget/[email protected]

medium 5.5: CVE--2024--35255 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Affected range>=4.49.1
<4.60.4
Fixed version4.61.3
CVSS Score5.5
CVSS VectorCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Description

Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability.

low 3.9: CVE--2024--27086 Incorrect Authorization

Affected range>=4.48.0
<4.59.1
Fixed version4.59.1
CVSS Score3.9
CVSS VectorCVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L
Description

[!IMPORTANT]
ONLY applications targeting Xamarin Android and .NET Android (MAUI) are impacted. All others can safely dismiss this CVE.

Impact

MSAL.NET applications targeting Xamarin Android and .NET Android (e.g., MAUI) using the library from versions 4.48.0 to 4.60.3 (inclusive, except 4.59.1 and 4.60.3) are impacted by a low severity vulnerability.

A malicious application running on a customer Android device can (1) inject HTML/JavaScript in an embedded web view exported by affected applications, or (2) cause local denial of service against applications that were built using MSAL.NET for authentication on the same device (i.e., prevent the user of the legitimate application from logging in) due to incorrect activity export configuration.

Patches

MSAL.NET version 4.60.3 includes the fix. We recommend all users of MSAL.NET that are building public client applications for Android update to the latest version.

Workarounds

We recommend developers update to the latest version of MSAL.NET. If that is not possible, a developer may explicitly mark the MSAL.NET activity non-exported:

<activity android:name="microsoft.identity.client.AuthenticationAgentActivity" android:configChanges="orientation|screenSize" android:exported="false">
<intent-filter>
<action android:name="android.intent.action.VIEW" />
<category android:name="android.intent.category.DEFAULT" />
<category android:name="android.intent.category.BROWSABLE" />
<data android:scheme="msalYOUR_CLIENT_ID" android:host="auth" />
</intent-filter>
</activity>

References

Refer to MSAL.NET documentation for latest guidance and best practices on configuring client applications using the library.

critical: 0 high: 0 medium: 1 low: 0 Microsoft.IdentityModel.JsonWebTokens 6.24.0.31013185938.779de3802c12c2b5331424e6079e76b06183757a (nuget)

pkg:nuget/Microsoft.IdentityModel.JsonWebTokens@6.24.0.31013185938.779de3802c12c2b5331424e6079e76b06183757a

medium 6.8: CVE--2024--21319 Uncontrolled Resource Consumption

Affected range>=6.5.0
<6.34.0
Fixed version6.34.0
CVSS Score6.8
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H
Description

Microsoft Security Advisory CVE-2024-21319: .NET Denial of Service Vulnerability

Executive summary

Microsoft is releasing this security advisory to provide information about a vulnerability in the ASP.NET Core project templates. This advisory also provides guidance on what developers can do to update their applications to address this vulnerability.

A Denial of Service vulnerability exists in ASP.NET Core project templates which utilize JWT-based authentication tokens. This vulnerability allows an unauthenticated client to consume arbitrarily large amounts of server memory, potentially triggering an out-of-memory condition on the server and making the server no longer able to respond to legitimate requests.

Announcement

Announcement for this issue can be found at dotnet/announcements#290

Mitigation factors

This impacts only .NET Core-based projects that were created using any version of project templates listed in affected software.
Other project templates e.g., console applications, MAUI applications, Windows Forms or WPF applications, are not affected.

Affected software

This impacts only .NET Core-based projects that were created using any version of the below project templates.

  • ASP.NET Core Web App (Model-View-Controller)
  • ASP.NET Core Web API
  • ASP.NET Core Web App (Razor Pages)
  • Blazor Server App
  • Blazor WebAssembly App

Advisory FAQ

How do I know if I am affected?

If you are you using project templates listed in affected software, you may be exposed to the vulnerability.

How do I fix the issue?

For existing projects:

If you ever created any of these projects via the dotnet new command or via Visual Studio's File -> New Project gesture, and if you enabled federated authentication at project creation time, your project may be vulnerable. To remediate the vulnerability, use your package manager to update any references you may have to the Microsoft.AspNetCore.Authentication.JwtBearer, Microsoft.AspNetCore.Authentication.OpenIdConnect, and Microsoft.IdentityModel.JsonWebTokens packages to their respective latest versions.

If your project does not reference any of those three packages, you are not exposed to this vulnerability.

For new projects:

To remediate this issue please update to the latest SDK listed below. Simply installing the SDK update is not sufficient to remediate projects already-created / already-deployed projects which existed prior to this update being released.

  • To fix the issue please install the latest version of .NET 6.0 or .NET 7.0. If you have installed one or more .NET SDKs through Visual Studio, Visual Studio will prompt you to update Visual Studio, which will also update your .NET SDKs.
  • If you are using one of the affected packages, please update to the patched version listed above.
  • If you have .NET 6.0 or greater installed, you can list the versions you have installed by running the dotnet --info command. You will see output like the following;
.NET Core SDK (reflecting any global.json):

 Version:   7.0.200
 Commit:    8473146e7d

Runtime Environment:

 OS Name:     Windows
 OS Version:  10.0.18363
 OS Platform: Windows
 RID:         win10-x64
 Base Path:   C:\Program Files\dotnet\sdk\7.0.300\

Host (useful for support):

  Version: 76.0.5
  Commit:  8473146e7d

.NET Core SDKs installed:

  7.0.200 [C:\Program Files\dotnet\sdk]

.NET Core runtimes installed:

  Microsoft.AspNetCore.App 7.0.5 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.NETCore.App 7.0.5 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.WindowsDesktop.App 7.0.5 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]

To install additional .NET Core runtimes or SDKs:
  https://aka.ms/dotnet-download

.NET 6.0, .NET 7.0, .NET 8.0 updates are also available from Microsoft Update. To access this either type "Check for updates" in your Windows search, or open Settings, choose Update & Security and then click Check for Updates.

Once you have installed the updated runtime or SDK, restart your apps for the update to take effect.

Additionally, if you've deployed self-contained applications targeting any of the impacted versions, these applications are also vulnerable and must be recompiled and redeployed.

Other Information

Reporting Security Issues

If you have found a potential security issue in .NET 8.0 or .NET 7.0 or .NET 6.0, please email details to [email protected]. Reports may qualify for the Microsoft .NET Core & .NET 5 Bounty. Details of the Microsoft .NET Bounty Program including terms and conditions are at https://aka.ms/corebounty.

Support

You can ask questions about this issue on GitHub in the .NET GitHub organization. The main repos are located at https://github.com/dotnet/runtime and https://github.com/dotnet/aspnet/. The Announcements repo (https://github.com/dotnet/Announcements) will contain this bulletin as an issue and will include a link to a discussion issue. You can ask questions in the linked discussion issue.

Disclaimer

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Acknowledgement

Morgan Brown, Microsoft Corp.

External Links

CVE-2024-21319

critical: 0 high: 0 medium: 1 low: 0 System.IdentityModel.Tokens.Jwt 6.24.0 (nuget)

pkg:nuget/[email protected]

medium 6.8: CVE--2024--21319 Uncontrolled Resource Consumption

Affected range>=6.5.0
<6.34.0
Fixed version6.34.0
CVSS Score6.8
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H
Description

Microsoft Security Advisory CVE-2024-21319: .NET Denial of Service Vulnerability

Executive summary

Microsoft is releasing this security advisory to provide information about a vulnerability in the ASP.NET Core project templates. This advisory also provides guidance on what developers can do to update their applications to address this vulnerability.

A Denial of Service vulnerability exists in ASP.NET Core project templates which utilize JWT-based authentication tokens. This vulnerability allows an unauthenticated client to consume arbitrarily large amounts of server memory, potentially triggering an out-of-memory condition on the server and making the server no longer able to respond to legitimate requests.

Announcement

Announcement for this issue can be found at dotnet/announcements#290

Mitigation factors

This impacts only .NET Core-based projects that were created using any version of project templates listed in affected software.
Other project templates e.g., console applications, MAUI applications, Windows Forms or WPF applications, are not affected.

Affected software

This impacts only .NET Core-based projects that were created using any version of the below project templates.

  • ASP.NET Core Web App (Model-View-Controller)
  • ASP.NET Core Web API
  • ASP.NET Core Web App (Razor Pages)
  • Blazor Server App
  • Blazor WebAssembly App

Advisory FAQ

How do I know if I am affected?

If you are you using project templates listed in affected software, you may be exposed to the vulnerability.

How do I fix the issue?

For existing projects:

If you ever created any of these projects via the dotnet new command or via Visual Studio's File -> New Project gesture, and if you enabled federated authentication at project creation time, your project may be vulnerable. To remediate the vulnerability, use your package manager to update any references you may have to the Microsoft.AspNetCore.Authentication.JwtBearer, Microsoft.AspNetCore.Authentication.OpenIdConnect, and Microsoft.IdentityModel.JsonWebTokens packages to their respective latest versions.

If your project does not reference any of those three packages, you are not exposed to this vulnerability.

For new projects:

To remediate this issue please update to the latest SDK listed below. Simply installing the SDK update is not sufficient to remediate projects already-created / already-deployed projects which existed prior to this update being released.

  • To fix the issue please install the latest version of .NET 6.0 or .NET 7.0. If you have installed one or more .NET SDKs through Visual Studio, Visual Studio will prompt you to update Visual Studio, which will also update your .NET SDKs.
  • If you are using one of the affected packages, please update to the patched version listed above.
  • If you have .NET 6.0 or greater installed, you can list the versions you have installed by running the dotnet --info command. You will see output like the following;
.NET Core SDK (reflecting any global.json):

 Version:   7.0.200
 Commit:    8473146e7d

Runtime Environment:

 OS Name:     Windows
 OS Version:  10.0.18363
 OS Platform: Windows
 RID:         win10-x64
 Base Path:   C:\Program Files\dotnet\sdk\7.0.300\

Host (useful for support):

  Version: 76.0.5
  Commit:  8473146e7d

.NET Core SDKs installed:

  7.0.200 [C:\Program Files\dotnet\sdk]

.NET Core runtimes installed:

  Microsoft.AspNetCore.App 7.0.5 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.NETCore.App 7.0.5 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.WindowsDesktop.App 7.0.5 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]

To install additional .NET Core runtimes or SDKs:
  https://aka.ms/dotnet-download

.NET 6.0, .NET 7.0, .NET 8.0 updates are also available from Microsoft Update. To access this either type "Check for updates" in your Windows search, or open Settings, choose Update & Security and then click Check for Updates.

Once you have installed the updated runtime or SDK, restart your apps for the update to take effect.

Additionally, if you've deployed self-contained applications targeting any of the impacted versions, these applications are also vulnerable and must be recompiled and redeployed.

Other Information

Reporting Security Issues

If you have found a potential security issue in .NET 8.0 or .NET 7.0 or .NET 6.0, please email details to [email protected]. Reports may qualify for the Microsoft .NET Core & .NET 5 Bounty. Details of the Microsoft .NET Bounty Program including terms and conditions are at https://aka.ms/corebounty.

Support

You can ask questions about this issue on GitHub in the .NET GitHub organization. The main repos are located at https://github.com/dotnet/runtime and https://github.com/dotnet/aspnet/. The Announcements repo (https://github.com/dotnet/Announcements) will contain this bulletin as an issue and will include a link to a discussion issue. You can ask questions in the linked discussion issue.

Disclaimer

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Acknowledgement

Morgan Brown, Microsoft Corp.

External Links

CVE-2024-21319

critical: 0 high: 0 medium: 1 low: 0 System.IdentityModel.Tokens.Jwt 6.24.0.31013185938.779de3802c12c2b5331424e6079e76b06183757a (nuget)

pkg:nuget/System.IdentityModel.Tokens.Jwt@6.24.0.31013185938.779de3802c12c2b5331424e6079e76b06183757a

medium 6.8: CVE--2024--21319 Uncontrolled Resource Consumption

Affected range>=6.5.0
<6.34.0
Fixed version6.34.0
CVSS Score6.8
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H
Description

Microsoft Security Advisory CVE-2024-21319: .NET Denial of Service Vulnerability

Executive summary

Microsoft is releasing this security advisory to provide information about a vulnerability in the ASP.NET Core project templates. This advisory also provides guidance on what developers can do to update their applications to address this vulnerability.

A Denial of Service vulnerability exists in ASP.NET Core project templates which utilize JWT-based authentication tokens. This vulnerability allows an unauthenticated client to consume arbitrarily large amounts of server memory, potentially triggering an out-of-memory condition on the server and making the server no longer able to respond to legitimate requests.

Announcement

Announcement for this issue can be found at dotnet/announcements#290

Mitigation factors

This impacts only .NET Core-based projects that were created using any version of project templates listed in affected software.
Other project templates e.g., console applications, MAUI applications, Windows Forms or WPF applications, are not affected.

Affected software

This impacts only .NET Core-based projects that were created using any version of the below project templates.

  • ASP.NET Core Web App (Model-View-Controller)
  • ASP.NET Core Web API
  • ASP.NET Core Web App (Razor Pages)
  • Blazor Server App
  • Blazor WebAssembly App

Advisory FAQ

How do I know if I am affected?

If you are you using project templates listed in affected software, you may be exposed to the vulnerability.

How do I fix the issue?

For existing projects:

If you ever created any of these projects via the dotnet new command or via Visual Studio's File -> New Project gesture, and if you enabled federated authentication at project creation time, your project may be vulnerable. To remediate the vulnerability, use your package manager to update any references you may have to the Microsoft.AspNetCore.Authentication.JwtBearer, Microsoft.AspNetCore.Authentication.OpenIdConnect, and Microsoft.IdentityModel.JsonWebTokens packages to their respective latest versions.

If your project does not reference any of those three packages, you are not exposed to this vulnerability.

For new projects:

To remediate this issue please update to the latest SDK listed below. Simply installing the SDK update is not sufficient to remediate projects already-created / already-deployed projects which existed prior to this update being released.

  • To fix the issue please install the latest version of .NET 6.0 or .NET 7.0. If you have installed one or more .NET SDKs through Visual Studio, Visual Studio will prompt you to update Visual Studio, which will also update your .NET SDKs.
  • If you are using one of the affected packages, please update to the patched version listed above.
  • If you have .NET 6.0 or greater installed, you can list the versions you have installed by running the dotnet --info command. You will see output like the following;
.NET Core SDK (reflecting any global.json):

 Version:   7.0.200
 Commit:    8473146e7d

Runtime Environment:

 OS Name:     Windows
 OS Version:  10.0.18363
 OS Platform: Windows
 RID:         win10-x64
 Base Path:   C:\Program Files\dotnet\sdk\7.0.300\

Host (useful for support):

  Version: 76.0.5
  Commit:  8473146e7d

.NET Core SDKs installed:

  7.0.200 [C:\Program Files\dotnet\sdk]

.NET Core runtimes installed:

  Microsoft.AspNetCore.App 7.0.5 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.NETCore.App 7.0.5 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.WindowsDesktop.App 7.0.5 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]

To install additional .NET Core runtimes or SDKs:
  https://aka.ms/dotnet-download

.NET 6.0, .NET 7.0, .NET 8.0 updates are also available from Microsoft Update. To access this either type "Check for updates" in your Windows search, or open Settings, choose Update & Security and then click Check for Updates.

Once you have installed the updated runtime or SDK, restart your apps for the update to take effect.

Additionally, if you've deployed self-contained applications targeting any of the impacted versions, these applications are also vulnerable and must be recompiled and redeployed.

Other Information

Reporting Security Issues

If you have found a potential security issue in .NET 8.0 or .NET 7.0 or .NET 6.0, please email details to [email protected]. Reports may qualify for the Microsoft .NET Core & .NET 5 Bounty. Details of the Microsoft .NET Bounty Program including terms and conditions are at https://aka.ms/corebounty.

Support

You can ask questions about this issue on GitHub in the .NET GitHub organization. The main repos are located at https://github.com/dotnet/runtime and https://github.com/dotnet/aspnet/. The Announcements repo (https://github.com/dotnet/Announcements) will contain this bulletin as an issue and will include a link to a discussion issue. You can ask questions in the linked discussion issue.

Disclaimer

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Acknowledgement

Morgan Brown, Microsoft Corp.

External Links

CVE-2024-21319

critical: 0 high: 0 medium: 1 low: 0 Microsoft.IdentityModel.JsonWebTokens 6.24.0 (nuget)

pkg:nuget/[email protected]

medium 6.8: CVE--2024--21319 Uncontrolled Resource Consumption

Affected range>=6.5.0
<6.34.0
Fixed version6.34.0
CVSS Score6.8
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H
Description

Microsoft Security Advisory CVE-2024-21319: .NET Denial of Service Vulnerability

Executive summary

Microsoft is releasing this security advisory to provide information about a vulnerability in the ASP.NET Core project templates. This advisory also provides guidance on what developers can do to update their applications to address this vulnerability.

A Denial of Service vulnerability exists in ASP.NET Core project templates which utilize JWT-based authentication tokens. This vulnerability allows an unauthenticated client to consume arbitrarily large amounts of server memory, potentially triggering an out-of-memory condition on the server and making the server no longer able to respond to legitimate requests.

Announcement

Announcement for this issue can be found at dotnet/announcements#290

Mitigation factors

This impacts only .NET Core-based projects that were created using any version of project templates listed in affected software.
Other project templates e.g., console applications, MAUI applications, Windows Forms or WPF applications, are not affected.

Affected software

This impacts only .NET Core-based projects that were created using any version of the below project templates.

  • ASP.NET Core Web App (Model-View-Controller)
  • ASP.NET Core Web API
  • ASP.NET Core Web App (Razor Pages)
  • Blazor Server App
  • Blazor WebAssembly App

Advisory FAQ

How do I know if I am affected?

If you are you using project templates listed in affected software, you may be exposed to the vulnerability.

How do I fix the issue?

For existing projects:

If you ever created any of these projects via the dotnet new command or via Visual Studio's File -> New Project gesture, and if you enabled federated authentication at project creation time, your project may be vulnerable. To remediate the vulnerability, use your package manager to update any references you may have to the Microsoft.AspNetCore.Authentication.JwtBearer, Microsoft.AspNetCore.Authentication.OpenIdConnect, and Microsoft.IdentityModel.JsonWebTokens packages to their respective latest versions.

If your project does not reference any of those three packages, you are not exposed to this vulnerability.

For new projects:

To remediate this issue please update to the latest SDK listed below. Simply installing the SDK update is not sufficient to remediate projects already-created / already-deployed projects which existed prior to this update being released.

  • To fix the issue please install the latest version of .NET 6.0 or .NET 7.0. If you have installed one or more .NET SDKs through Visual Studio, Visual Studio will prompt you to update Visual Studio, which will also update your .NET SDKs.
  • If you are using one of the affected packages, please update to the patched version listed above.
  • If you have .NET 6.0 or greater installed, you can list the versions you have installed by running the dotnet --info command. You will see output like the following;
.NET Core SDK (reflecting any global.json):

 Version:   7.0.200
 Commit:    8473146e7d

Runtime Environment:

 OS Name:     Windows
 OS Version:  10.0.18363
 OS Platform: Windows
 RID:         win10-x64
 Base Path:   C:\Program Files\dotnet\sdk\7.0.300\

Host (useful for support):

  Version: 76.0.5
  Commit:  8473146e7d

.NET Core SDKs installed:

  7.0.200 [C:\Program Files\dotnet\sdk]

.NET Core runtimes installed:

  Microsoft.AspNetCore.App 7.0.5 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.NETCore.App 7.0.5 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.WindowsDesktop.App 7.0.5 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]

To install additional .NET Core runtimes or SDKs:
  https://aka.ms/dotnet-download

.NET 6.0, .NET 7.0, .NET 8.0 updates are also available from Microsoft Update. To access this either type "Check for updates" in your Windows search, or open Settings, choose Update & Security and then click Check for Updates.

Once you have installed the updated runtime or SDK, restart your apps for the update to take effect.

Additionally, if you've deployed self-contained applications targeting any of the impacted versions, these applications are also vulnerable and must be recompiled and redeployed.

Other Information

Reporting Security Issues

If you have found a potential security issue in .NET 8.0 or .NET 7.0 or .NET 6.0, please email details to [email protected]. Reports may qualify for the Microsoft .NET Core & .NET 5 Bounty. Details of the Microsoft .NET Bounty Program including terms and conditions are at https://aka.ms/corebounty.

Support

You can ask questions about this issue on GitHub in the .NET GitHub organization. The main repos are located at https://github.com/dotnet/runtime and https://github.com/dotnet/aspnet/. The Announcements repo (https://github.com/dotnet/Announcements) will contain this bulletin as an issue and will include a link to a discussion issue. You can ask questions in the linked discussion issue.

Disclaimer

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Acknowledgement

Morgan Brown, Microsoft Corp.

External Links

CVE-2024-21319

@github-actions GitHub Actions
Copy link

github-actions bot commented Jul 26, 2024
edited
Loading

Test Results

441 tests  +1   408 ✅ +1   1m 47s ⏱️ -11s
  5 suites ±0    33 💤 ±0 
  5 files   ±0     0 ❌ ±0 

Results for commit 276a936. ± Comparison against base commit 2955576.

This pull request removes 16 and adds 17 tests. Note that renamed tests count towards both. 
EdFi.DataManagementService.Core.Tests.Unit.Backend.PartitionUtilityTests+Given_A_Partitioned_Repository ‑ All_possible_last_bytes_return_correct_partition('0')
EdFi.DataManagementService.Core.Tests.Unit.Backend.PartitionUtilityTests+Given_A_Partitioned_Repository ‑ All_possible_last_bytes_return_correct_partition('1')
EdFi.DataManagementService.Core.Tests.Unit.Backend.PartitionUtilityTests+Given_A_Partitioned_Repository ‑ All_possible_last_bytes_return_correct_partition('2')
EdFi.DataManagementService.Core.Tests.Unit.Backend.PartitionUtilityTests+Given_A_Partitioned_Repository ‑ All_possible_last_bytes_return_correct_partition('3')
EdFi.DataManagementService.Core.Tests.Unit.Backend.PartitionUtilityTests+Given_A_Partitioned_Repository ‑ All_possible_last_bytes_return_correct_partition('4')
EdFi.DataManagementService.Core.Tests.Unit.Backend.PartitionUtilityTests+Given_A_Partitioned_Repository ‑ All_possible_last_bytes_return_correct_partition('5')
EdFi.DataManagementService.Core.Tests.Unit.Backend.PartitionUtilityTests+Given_A_Partitioned_Repository ‑ All_possible_last_bytes_return_correct_partition('6')
EdFi.DataManagementService.Core.Tests.Unit.Backend.PartitionUtilityTests+Given_A_Partitioned_Repository ‑ All_possible_last_bytes_return_correct_partition('7')
EdFi.DataManagementService.Core.Tests.Unit.Backend.PartitionUtilityTests+Given_A_Partitioned_Repository ‑ All_possible_last_bytes_return_correct_partition('8')
EdFi.DataManagementService.Core.Tests.Unit.Backend.PartitionUtilityTests+Given_A_Partitioned_Repository ‑ All_possible_last_bytes_return_correct_partition('9')
…

EdFi.DataManagementService.Backend.Tests.Unit.DatabaseOptionsTests ‑ Should_read_write_isolation_level
EdFi.DataManagementService.Backend.Tests.Unit.PartitionUtilityTests+Given_A_Partitioned_Repository ‑ All_possible_last_bytes_return_correct_partition('0')
EdFi.DataManagementService.Backend.Tests.Unit.PartitionUtilityTests+Given_A_Partitioned_Repository ‑ All_possible_last_bytes_return_correct_partition('1')
EdFi.DataManagementService.Backend.Tests.Unit.PartitionUtilityTests+Given_A_Partitioned_Repository ‑ All_possible_last_bytes_return_correct_partition('2')
EdFi.DataManagementService.Backend.Tests.Unit.PartitionUtilityTests+Given_A_Partitioned_Repository ‑ All_possible_last_bytes_return_correct_partition('3')
EdFi.DataManagementService.Backend.Tests.Unit.PartitionUtilityTests+Given_A_Partitioned_Repository ‑ All_possible_last_bytes_return_correct_partition('4')
EdFi.DataManagementService.Backend.Tests.Unit.PartitionUtilityTests+Given_A_Partitioned_Repository ‑ All_possible_last_bytes_return_correct_partition('5')
EdFi.DataManagementService.Backend.Tests.Unit.PartitionUtilityTests+Given_A_Partitioned_Repository ‑ All_possible_last_bytes_return_correct_partition('6')
EdFi.DataManagementService.Backend.Tests.Unit.PartitionUtilityTests+Given_A_Partitioned_Repository ‑ All_possible_last_bytes_return_correct_partition('7')
EdFi.DataManagementService.Backend.Tests.Unit.PartitionUtilityTests+Given_A_Partitioned_Repository ‑ All_possible_last_bytes_return_correct_partition('8')
…

♻️ This comment has been updated with latest results.

@simpat-adam simpat-adam force-pushed the DMS-243 branch 4 times, most recently from 6f76de4 to a0caf49 Compare July 26, 2024 20:05
@simpat-adam simpat-adam marked this pull request as ready for review July 30, 2024 15:24
@simpat-adam simpat-adam requested a review from CSR2017 July 30, 2024 15:24
stephenfuqua
stephenfuqua reviewed Jul 30, 2024
View reviewed changes
eng/kubernetes/development/app-secret.yaml.example
postgres-admin-password: dG9wc2VjdXJl
database-connection-string: aG9zdD1kbXNkYjtwb3J0PTU0MzI7dXNlcm5hbWU9cG9zdGdyZXM7cGFzc3dvcmQ9dG9wc2VjdXJlO2RhdGFiYXNlPWVkZmlfZGF0YW1hbmFnZW1lbnRzZXJ2aWNlOw==
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The connection string is base64 encoded? Is there a Kubernetes readme that should make note of this?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Our README file points to the kubernetes secrets documentation which covers it. We could make it more explicit in our own README though.

src/appsettings.template.json
"DatabaseConnection": "${DATABASE_CONNECTION_STRING}"
},
"DatabaseOptions": {
"IsolationLevel": "${DATABASE_ISOLATION_LEVEL}"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What do you think about moving this to the appSettings area above? This might be fine too. Open question.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It could be done either way but I isolated it here because the corresponding c# class in the backend project only needed this one property. It just felt cleaner in my brain to have "DatabaseOptions" {...} map to DatabaseOptions.cs

@bradbanister bradbanister merged commit dca7915 into main Jul 30, 2024
13 checks passed
@bradbanister bradbanister deleted the DMS-243 branch July 30, 2024 17:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@stephenfuqua stephenfuqua stephenfuqua left review comments

@bradbanister bradbanister bradbanister approved these changes

@CSR2017 CSR2017 Awaiting requested review from CSR2017

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@simpat-adam @bradbanister @stephenfuqua