Component Governance: Need to upgrade dependencies. (CVE-2020-1045) (CVE-2021-26701) #2199

Closed
TimothyMothra opened this issue Apr 1, 2021 · 5 comments · Fixed by #2243

Comments

@TimothyMothra (Member) commented Apr 1, 2021

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-1045

  • Upgrade to version Microsoft.AspNetCore.App - 2.1.22, Microsoft.AspNetCore.All - 2.1.22, Microsoft.NETCore.App - 2.1.22, Microsoft.AspNetCore.Http - 2.1.22

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26701

  • Upgrade to version System.Text.Encodings.Web - 4.5.1,4.7.2,5.0.1

Package at fault:

  • Microsoft.ApplicationInsights.AspNetCore
    • Microsoft.AspNetCore.Hosting v2.1.1
      • Microsoft.AspNetCore.Http v2.1.1 <----- CVE-2020-1045
      • Microsoft.AspNetCore.Hosting.Abstractions v2.1.1
        • Microsoft.AspNetCore.Http.Abstractions v2.2.0

<ItemGroup Condition="'$(TargetFramework)' == 'net452' OR '$(TargetFramework)' == 'net46' ">
  <Reference Include="System" />
  <Reference Include="Microsoft.CSharp" />
  <PackageReference Include="Microsoft.AspNetCore.Hosting" Version="1.1.3" />
</ItemGroup>
<ItemGroup Condition=" '$(TargetFramework)' == 'netstandard2.0' OR '$(TargetFramework)' == 'net461' ">
  <PackageReference Include="Microsoft.AspNetCore.Hosting" Version="2.1.1" />
</ItemGroup>

Remediation

  • Upgrading to Microsoft.AspNetCore.Hosting v2.2.0 will upgrade Microsoft.AspNetCore.Http to v2.2.0.
  • We must take a temporary explicit dependency on System.Text.Encodings.Web until one of the other dependencies in this chain is updated.
@TimothyMothra TimothyMothra added this to the 2.18 milestone Apr 1, 2021
@TimothyMothra TimothyMothra self-assigned this Apr 1, 2021
@jayman-dalal commented:

We are also dependent on getting the updated Microsoft.ApplicationInsights.AspNetCore due to CVE-2021-26701. What is the ETA for the update?

@DmytryEmery commented:

Also wondering this.

This is causing compliance violations for CVE-2021-26701 because of dependencies on older versions of: System.Text.Encodings.Web

@ghost commented Apr 7, 2021

2.18 Milestone due date is May 31, is that the ETA?

@TimothyMothra (Member, Author) commented:

Yes, the ETA is end of May.

As a workaround, you can take an explicit dependency on these packages.

@TimothyMothra TimothyMothra linked a pull request May 6, 2021 that will close this issue
@TimothyMothra (Member, Author) commented:

This is a summary of the changes we made for this issue in #2243:

<ItemGroup Condition=" '$(TargetFramework)' == 'netstandard2.0' OR '$(TargetFramework)' == 'net461' ">
    <!--
    Microsoft.AspNetCore.Http has a vulnerability https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-1045
    System.Text.Encodings.Web has a vulnerability https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26701 
    
    These are both implicit dependencies from Microsoft.AspNetCore.Hosting.
    (Microsoft.AspNetCore.Hosting > Microsoft.AspNetCore.Http)
    (Microsoft.AspNetCore.Hosting > Microsoft.AspNetCore.Hosting.Abstractions > Microsoft.AspNetCore.Http.Abstractions > System.Text.Encodings.Web)
    -->

    <!--
    Taking a dependency on Microsoft.AspNetCore.Hosting v2.2.0 would resolve this issue, but would also break support for NetCore v2.1.
    Instead I'm taking a direct dependency on the fixed version Microsoft.AspNetCore.Http.
    We can remove this when NetCore v2.1 reaches EOL on August 21, 2021.
    -->
    <PackageReference Include="Microsoft.AspNetCore.Http" Version="2.1.22" />

    <!-- 
    We must take a temporary dependency on this newer version until Microsoft.AspNetCore.Hosting updates their dependencies.
    -->
    <PackageReference Include="System.Text.Encodings.Web" Version="4.5.1" />
  </ItemGroup>

@TimothyMothra TimothyMothra changed the title Component Governance: Need to upgrade dependencies. Component Governance: Need to upgrade dependencies. (CVE-2020-1045) (CVE-2021-26701) Jul 10, 2021
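The remediation in the opening post and the csproj summary from #2243 both rely on the same mechanism: a direct PackageReference on a fixed version overrides the lower version that a transitive dependency would otherwise bring in. The script below is an added example (not code from the Application Insights project or from this issue) that checks whether that override actually took effect. It reads the resolved graph NuGet writes to obj/project.assets.json, flags any package resolved inside a vulnerable range, and prints the chain of packages that pulled it in. The vulnerable ranges are my encoding of the "upgrade to" versions quoted in the issue (the 4.6.0-4.7.2 and 5.0.0 ranges are inferred from the 4.7.2 and 5.0.1 fixed builds), the two package graphs are constructed inline to mirror the before/after state described in the thread, and `make_assets`, the intermediate versions inside it, and the numeric-only version comparison are assumptions for illustration.

```python
"""Flag transitive NuGet packages resolved inside a vulnerable version range.

Added example for this issue; not code from the Application Insights project.
Reads the graph NuGet writes to obj/project.assets.json: `targets[<target>]`
holds one "Package/Version" node per resolved package with its declared
dependencies, and `project.frameworks[<tfm>].dependencies` lists the
project's direct PackageReferences.
"""
import json
from collections import deque
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int, int]

# Vulnerable ranges (lo inclusive, hi exclusive) derived from the fixed versions
# quoted in the issue. Assumption: the 4.6.x and 5.0.0 ranges follow from the
# 4.7.2 and 5.0.1 fixed builds of System.Text.Encodings.Web.
ADVISORIES: Dict[str, Tuple[str, List[Tuple[str, str]]]] = {
    "Microsoft.AspNetCore.Http": ("CVE-2020-1045", [("0.0.0", "2.1.22")]),
    "System.Text.Encodings.Web": ("CVE-2021-26701", [
        ("0.0.0", "4.5.1"), ("4.6.0", "4.7.2"), ("5.0.0", "5.0.1")]),
}


def parse_version(text: str) -> Version:
    """Numeric major.minor.patch[.revision] only; pre-release and build metadata
    are dropped (simplification: real NuGet ordering follows SemVer 2)."""
    core = text.split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".")]
    parts += [0] * (4 - len(parts))
    return (parts[0], parts[1], parts[2], parts[3])


def is_vulnerable(package: str, version: str) -> Optional[str]:
    """Return the CVE id when `version` of `package` falls in a vulnerable range."""
    entry = ADVISORIES.get(package)
    if entry is None:
        return None
    cve, ranges = entry
    v = parse_version(version)
    for lo, hi in ranges:
        if parse_version(lo) <= v < parse_version(hi):
            return cve
    return None


def resolved_packages(assets: dict, target: str) -> Dict[str, str]:
    """Map package name -> the single version NuGet resolved for `target`."""
    resolved: Dict[str, str] = {}
    for key, node in assets["targets"][target].items():
        if node.get("type") == "package":
            name, version = key.split("/", 1)
            resolved[name] = version
    return resolved


def dependency_path(assets: dict, target: str, tfm: str, wanted: str) -> Optional[List[str]]:
    """Breadth-first search from the direct references to `wanted`, so the
    shortest chain that pulls the package in is reported."""
    resolved = resolved_packages(assets, target)
    graph = assets["targets"][target]
    queue = deque([name] for name in assets["project"]["frameworks"][tfm]["dependencies"])
    seen = set()
    while queue:
        path = queue.popleft()
        name = path[-1]
        if name.lower() == wanted.lower():
            return path
        if name.lower() in seen:
            continue
        seen.add(name.lower())
        node = graph.get(f"{name}/{resolved.get(name, '')}", {})
        for dep in node.get("dependencies", {}):
            queue.append(path + [dep])
    return None


def find_vulnerable(assets: dict, target: str, tfm: str) -> List[Tuple[str, str, str, List[str]]]:
    """One (package, resolved version, CVE, path from a direct reference) per hit."""
    findings = []
    for name, version in resolved_packages(assets, target).items():
        cve = is_vulnerable(name, version)
        if cve:
            findings.append((name, version, cve, dependency_path(assets, target, tfm, name) or []))
    return sorted(findings)


def check_assets_file(path: str, target: str, tfm: str):
    """Run the check against a real obj/project.assets.json."""
    with open(path, encoding="utf-8") as f:
        return find_vulnerable(json.load(f), target, tfm)


TARGET, TFM = ".NETStandard,Version=v2.0", "netstandard2.0"


def make_assets(http_version: str, stew_version: str, explicit: bool) -> dict:
    """Constructed stand-in for project.assets.json mirroring the chain in the
    issue (Hosting > Http; Hosting > Hosting.Abstractions > Http.Abstractions >
    System.Text.Encodings.Web). Intermediate versions are assumptions."""
    direct = {"Microsoft.AspNetCore.Hosting": {"target": "Package", "version": "[2.1.1, )"}}
    if explicit:  # the two PackageReferences added in #2243
        direct["Microsoft.AspNetCore.Http"] = {"target": "Package", "version": f"[{http_version}, )"}
        direct["System.Text.Encodings.Web"] = {"target": "Package", "version": f"[{stew_version}, )"}
    nodes = {
        "Microsoft.AspNetCore.Hosting/2.1.1": {"type": "package", "dependencies": {
            "Microsoft.AspNetCore.Http": "2.1.1",
            "Microsoft.AspNetCore.Hosting.Abstractions": "2.1.1"}},
        "Microsoft.AspNetCore.Hosting.Abstractions/2.1.1": {"type": "package", "dependencies": {
            "Microsoft.AspNetCore.Http.Abstractions": "2.2.0"}},
        "Microsoft.AspNetCore.Http.Abstractions/2.2.0": {"type": "package", "dependencies": {
            "System.Text.Encodings.Web": "4.5.0"}},
        f"Microsoft.AspNetCore.Http/{http_version}": {"type": "package"},
        f"System.Text.Encodings.Web/{stew_version}": {"type": "package"},
    }
    return {"version": 3, "targets": {TARGET: nodes},
            "project": {"frameworks": {TFM: {"dependencies": direct}}}}


if __name__ == "__main__":
    for label, assets in (("before", make_assets("2.1.1", "4.5.0", explicit=False)),
                          ("after", make_assets("2.1.22", "4.5.1", explicit=True))):
        hits = find_vulnerable(assets, TARGET, TFM)
        print(f"{label}: {len(hits)} vulnerable package(s)")
        for name, version, cve, chain in hits:
            print(f"  {name} {version} ({cve}) via {' > '.join(chain)}")
```

Two things worth checking when applying this pattern to a real project: the override only works because 2.1.22 and 4.5.1 satisfy the lower bounds the intermediate packages declare (pinning a version below a transitive minimum would instead raise NuGet's NU1605 package-downgrade warning), and the direct reference has to be repeated for every target framework whose graph contains the vulnerable package, since `project.assets.json` resolves each framework separately. Newer SDKs also offer `dotnet list package --vulnerable --include-transitive` as a built-in version of this check.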