C#, 4mo ago
HokiePokeDad

✅ .NET 8 CVE-2024-38167 and updating project references

I'm stuck between a rock and a hard place here. The majority of our applications and projects are typically up to date with the latest patches for .NET 8 and other dependencies in NuGet. Our vulnerability scanner is reporting that the versions of various assemblies referenced, in this case System.Text.Json.dll, are vulnerable due to CVE-2024-38167 (https://nvd.nist.gov/vuln/detail/CVE-2024-38167). The published CVE notes that the latest non-vulnerable version is 8.0.8; however, the latest publicly released version is 8.0.4, with a few pre-release versions. When published, our projects show a version of 8.0.7. How would I go about upgrading to 8.0.8 if it's not available via NuGet?
7 Replies
HokiePokeDad (OP), 4mo ago
System.Text.Json 8.0.4
Provides high-performance and low-allocating types that serialize objects to JavaScript Object Notation (JSON) text and deserialize JSON text to objects, with UTF-8 support built-in. Also provides types to read and write JSON text encoded as UTF-8, and to create an in-memory document object model (DOM), that is read-only, for random access of th...
leowest, 4mo ago
My understanding is not that System.Text.Json is vulnerable but how it's being delivered/transmitted.
HokiePokeDad (OP), 4mo ago
Yes, I get that much, and the responsibility is on our end to ensure proper measures are taken to secure channels. The other part to this is the information disclosure: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38167 The patch for this is 8.0.8. In order for us to release new versions of our application, we have to remediate by upgrading to the latest version. Before I reach out to our security group about this, I was hoping to see if there was any other insight on whether it's possible to update our references to 8.0.8.
leowest, 4mo ago
8.0.8 is the runtime AFAIK: https://dotnet.microsoft.com/en-us/download/dotnet/8.0 For the SDK it will be .4xx, but I don't think you will have everything versioned as such. That would be a better question to face at the GitHub: https://github.com/dotnet/core/issues
HokiePokeDad (OP), 4mo ago
OK, thank you! Following up... this is my mistake. We build our applications as self-contained on external build servers. These build servers have the vulnerable SDK and runtimes installed on them and were therefore packaging the wrong versions. Updating them to the 8.0.401 SDK and 8.0.8 runtime fixed our issues, and we are now using patched versions.
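The root cause in that last reply (a self-contained publish ships whatever SDK and runtime the build server has installed) is the kind of thing a pre-build gate can catch before the scanner does. The script below is an added example, not code from the thread or from Microsoft; it assumes a POSIX sh build server and takes the patched versions the OP named (8.0.8 runtime, 8.0.401 SDK for the 8.0.4xx band) as its minimums, and the `dotnet --list-runtimes` / `dotnet --list-sdks` listings it checks against are constructed samples.

```shell
#!/bin/sh
# Hypothetical pre-build gate for a self-contained .NET 8 publish: fail when the
# build server's installed runtime/SDK are older than the patched releases named
# in the thread. MIN_SDK is the patched SDK of the feature band the server uses
# (8.0.401 for the 8.0.4xx band); adjust it if the server runs another band.
MIN_RUNTIME="8.0.8"
MIN_SDK="8.0.401"

# version_ge A B: exit 0 when dotted version A >= B (numeric, per component).
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, "."); k = (n > m) ? n : m
    for (i = 1; i <= k; i++) {
      xi = (i <= n) ? x[i] + 0 : 0; yi = (i <= m) ? y[i] + 0 : 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# runtime_patched LISTING: LISTING is `dotnet --list-runtimes` output; exit 0 if
# some installed Microsoft.NETCore.App 8.0.x meets MIN_RUNTIME.
runtime_patched() {
  printf '%s\n' "$1" |
    awk '$1 == "Microsoft.NETCore.App" && $2 ~ /^8\.0\.[0-9]+$/ { print $2 }' |
    while IFS= read -r v; do version_ge "$v" "$MIN_RUNTIME" && echo "$v"; done |
    grep -q .
}

# sdk_patched LISTING: LISTING is `dotnet --list-sdks` output ("8.0.401 [path]").
sdk_patched() {
  printf '%s\n' "$1" |
    awk '$1 ~ /^8\.0\.[0-9]+$/ { print $1 }' |
    while IFS= read -r v; do version_ge "$v" "$MIN_SDK" && echo "$v"; done |
    grep -q .
}

# gate RUNTIMES SDKS: exit 0 only when both are patched; reports what failed.
gate() {
  ok=0
  runtime_patched "$1" || { echo "runtime below $MIN_RUNTIME"; ok=1; }
  sdk_patched "$2" || { echo "SDK below $MIN_SDK"; ok=1; }
  return $ok
}

# Constructed sample listings: a build server before and after the update.
OLD_RT='Microsoft.NETCore.App 8.0.7 [/usr/share/dotnet/shared/Microsoft.NETCore.App]'
OLD_SDK='8.0.303 [/usr/share/dotnet/sdk]'
NEW_RT='Microsoft.AspNetCore.App 8.0.8 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 8.0.8 [/usr/share/dotnet/shared/Microsoft.NETCore.App]'
NEW_SDK='8.0.401 [/usr/share/dotnet/sdk]'
gate "$OLD_RT" "$OLD_SDK" && echo "old server: patched" || echo "old server: NOT patched"
gate "$NEW_RT" "$NEW_SDK" && echo "new server: patched" || echo "new server: NOT patched"
```

On a real build server run `gate "$(dotnet --list-runtimes)" "$(dotnet --list-sdks)"` as the first CI step so the publish never starts from an unpatched toolchain.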
MODiX, 4mo ago
If you have no further questions, please use /close to mark the forum thread as answered