.Net Vulnerability leads to DDoS
Microsoft cranked out June 2020 updates to .NET Core 3.1 (and 2.1) to address a denial-of-service (DoS) vulnerability.
Officially, the flaw is called CVE-2020-1108 as listed in the Common Vulnerabilities and Exposures (CVE) system. The updates were announced in a June 9 blog post.
A denial of service vulnerability exists when .NET Core or .NET Framework improperly handles web requests. An attacker who successfully exploited this vulnerability could cause a denial of service against a .NET Core or .NET Framework web application. The vulnerability can be exploited remotely, without authentication.
A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to the .NET Core or .NET Framework application.
The update addresses the vulnerability by correcting how the .NET Core or .NET Framework web application handles web requests.
“To comprehensively address CVE-2020-1108, Microsoft has released updates for .NET Core 2.1 and .NET Core 3.1. Customers who use any of these versions of .NET Core should install the latest version of .NET Core. See the Release Notes for the latest version numbers and instructions for updating .NET Core,” Microsoft said.
It says affected software includes:
Any .NET Core 2.1 application running on .NET Core 2.1.18 or lower
Any .NET Core 3.1 application running on .NET Core 3.1.4 or lower
Any .NET 5 application running on .NET 5 Preview 3 or lower