Address high-severity vulnerability CVE-2023-29331 in System.Security.Cryptography.Xml 6.0.1 and 7.0.1

[miksh7]

Please address high-severity vulnerability CVE-2023-29331 in

• System.Security.Cryptography.Xml 6.0.1 referencing vulnerable System.Security.Cryptography.Pkcs 6.0.1
• System.Security.Cryptography.Xml 7.0.1 referencing vulnerable System.Security.Cryptography.Pkcs 7.0.0

[teo-tsirpanis]

You can patch the vulnerability by updating System.Security.Cryptography.Pkcs yourself. Servicing releases of packages are not made if there are no changes in the packages themselves.

[ghost]

Tagging subscribers to this area: @dotnet/area-system-security, @bartonjs, @vcsjones
See info in area-owners.md if you want to be subscribed.

Issue Details

---

Please address high-severity vulnerability CVE-2023-29331 in

• System.Security.Cryptography.Xml 6.0.1 referencing vulnerable System.Security.Cryptography.Pkcs 6.0.1
• System.Security.Cryptography.Xml 7.0.1 referencing vulnerable System.Security.Cryptography.Pkcs 7.0.0

Author:	miksh7
Assignees:	-
Labels:	area-System.Security, untriaged
Milestone:	-

[miksh7]

You can patch the vulnerability by updating System.Security.Cryptography.Pkcs yourself. Servicing releases of packages are not made if there are no changes in the packages themselves.

@teo-tsirpanis, does it mean that you are fine distributing vulnerable components by default? Interesting...

[vcsjones]

cc @ViktorHofer and @ericstj for input on package dependencies here.

[ViktorHofer]

does it mean that you are fine distributing vulnerable components by default? Interesting...

No, if we would be redistributing that vulnerable Pkcs assembly in Xml we would need to patch the Xml package as well but that's not the case here. We are merely referencing the Pkcs package with a greater or equal (>=) version boundary.

[miksh7]

I've just created a new console NET6 app and added System.Security.Cryptography.Xml 6.0.1
Since you reference System.Security.Cryptography.Pkcs (>=6.0.1) Visual Studio installs the vulnerable System.Security.Cryptography.Pkcs 6.0.1. By default.

My understanding is that System.Security.Cryptography.Xml should reference

• System.Security.Cryptography.Pkcs (>=6.0.3)
• System.Security.Cryptography.Pkcs (>=7.0.2)
  

[ViktorHofer]

That's why @teo-tsirpanis mentioned above that you want to patch the vulnerable package yourself:

You can patch the vulnerability by updating System.Security.Cryptography.Pkcs yourself. Servicing releases of packages are not made if there are no changes in the packages themselves.

My colleague @carlossanlop works on a public facing document that describes the nuget package support policy. @carlossanlop @ericstj do you want to include a notice about how to patch vulnerable packages in that document as well?

[vcsjones]

I've just created a new console NET6 app and added System.Security.Cryptography.Xml 6.0.1

You should use the latest version of System.Security.Cryptography.Xml which 8.0. The 8.0 version of the package works fine with .NET 6.

[ViktorHofer]

You should use the latest version of System.Security.Cryptography.Xml which 8.0. The 8.0 version of the package works fine with .NET 6.

While the 8.0 package support net6.0, it's perfectly fine to use the 6.0.1 package though.

[miksh7]

Got it, we should trust nobody!
Note that other teams tend to publish new minor releases addressing any vulnerabilities in the reference libraries.
E.g. https://github.com/serilog-mssql/serilog-sinks-mssqlserver/releases/tag/v6.5.2
https://github.com/dotnet/SqlClient/releases/tag/v5.1.5

I just tried to make Microsoft software a little better and failed... You may close the ticket.

[dovrama]

Any update on this issue? Our tools started to pick this exact vulnerability.
For us, it comes from Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/7.0.16

[ViktorHofer]

Any update on this issue? Our tools started to pick this exact vulnerability.
For us, it comes from Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/7.0.16

As the EFCore packages release with every servicing release, just upgrade to the newer 7.0.17 version: https://www.nuget.org/packages/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/7.0.17

[dovrama]

Any update on this issue? Our tools started to pick this exact vulnerability.
For us, it comes from Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/7.0.16

As the EFCore packages release with every servicing release, just upgrade to the newer 7.0.17 version: https://www.nuget.org/packages/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/7.0.17

Same in 7.0.17, so I guess this wasn't addressed?

[ViktorHofer]

I misread, sorry. EFCore references Xml which references the vulnerable version of Pkcs. Same response as before: Runtime packages (i.e. Cryptography.Xml) are only serviced when they themselves are vulnerable. In this case, Cryptography.Xml wasn't vulnerable therefore a new package version didn't get released.

To upgrade a vulnerable transitive package to a patched version, reference it directly. In your case for 7.0 packages, you want to add the following to the projects that transitively reference the vulnerable version of Pkcs:

<PackageReference Include="System.Security.Cryptography.Pkcs" Version="7.0.3" />

Note that when using NuGet Central Package Management you can enable the transitive pinning feature and don't need the above. Instead you just add a PackageVersion element to your Directory.Packages.props file:

<PackageVersion Include="System.Security.Cryptography.Pkcs" Version="7.0.3" />

This auto-upgrades the transitive Pkcs dependency in all projects to the 7.0.3 patched version.

[dovrama]

I misread, sorry. EFCore references Xml which references the vulnerable version of Pkcs. Same response as before: Runtime packages (i.e. Cryptography.Xml) are only serviced when they themselves are vulnerable. In this case, Cryptography.Xml wasn't vulnerable therefore a new package version didn't get released.

To upgrade a vulnerable transitive package to a patched version, reference it directly. In your case for 7.0 packages, you want to add the following to the projects that transitively reference the vulnerable version of Pkcs:

<PackageReference Include="System.Security.Cryptography.Pkcs" Version="7.0.3" />

Note that when using NuGet Central Package Management you can enable the transitive pinning feature and don't need the above. Instead you just add a PackageVersion element to your Directory.Packages.props file:

<PackageVersion Include="System.Security.Cryptography.Pkcs" Version="7.0.3" />

This auto-upgrades the transitive Pkcs dependency in all projects to the 7.0.3 patched version.

Thanks for explanation, that's how we're currently circumventing the vulnerability.
But the thing is, it'd be nice if this would be fixed in the package itself, thus not needing such workarounds and everything being compliant out of the box.
Just wanted to bring in some light on this issue as I suppose there should be more people/projects affected.

[ViktorHofer]

@dovrama @miksh7 thank you for the valuable feedback. We appreciate it and I will make sure that it gets discussed internally. I'm closing this issue now given that I stated our current plan of record above.