Low: .NET Core security update

Synopsis

Low: .NET Core security update

Type/Severity

Security Advisory: Low

Topic

A security update for .NET Core on RHEL is now available.

Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

New versions of .NET Core that address several security vulnerabilities are now available. The updated versions are .NET Core 1.0.8, 1.1.5 and 2.0.3.

Security Fix(es):

• By providing an invalid culture, an attacker can cause a recursive lookup that leads to a denial of service when running on certain Windows platforms. (CVE-2017-8585)
  
• Supplying a specially crafted certificate can cause an infinite X509Chain, resulting in a denial of service. (CVE-2017-11770)

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

• dotNET on RHEL (for RHEL Server) 1 x86_64
• dotNET on RHEL (for RHEL Workstation) 1 x86_64
• dotNET on RHEL (for RHEL Compute Node) 1 x86_64

Fixes

• BZ - 1512982 - CVE-2017-8585 dotNet: DDoS via invalid culture
• BZ - 1512992 - CVE-2017-11770 dotNET: DDos via bad certificate

CVEs

• CVE-2017-8585
• CVE-2017-11770

References

• https://access.redhat.com/security/updates/classification/#low
• https://github.com/dotnet/announcements/issues/34
• https://github.com/dotnet/announcements/issues/44
• https://github.com/dotnet/core/blob/master/release-notes/2.0/2.0.3.md
• https://github.com/dotnet/core/blob/master/release-notes/1.1/1.1.5.md
• https://github.com/dotnet/core/blob/master/release-notes/1.0/1.0.8.md