Vulnerability in ASP.NET Core MVC 1.1.0 Could Allow Denial of Service

Executive Summary

Microsoft is releasing this security advisory to provide information about a vulnerability in the public versions of ASP.NET Core MVC 1.1.0. This advisory also provides guidance on what developers can do to update their applications correctly.

Microsoft is aware of a security vulnerability in the public version of ASP.NET Core MVC 1.1.0 where a malformed HTTP request could lead to a denial of service.

ASP.NET Core is next generation of ASP.NET that provides a familiar and modern framework for web and cloud scenarios, running on top of .NET Core. These products are actively developed by the ASP.NET team in collaboration with a community of open source developers, running on Windows, Mac OS X and Linux. When ASP.NET Core was released, the version number was reset to 1.0.0 to reflect the fact that it is a separate product from its predecessor - ASP.NET.

Developers are advised to update all apps to use package version 1.1.1 or greater.

Mitigating Factors

Only applications targeting ASP.NET Core 1.1.0 are affected. Applications targeting ASP.NET Core 1.0.0, 1.0.1 or 1.02 are not affected.

Affected Software

The vulnerability affects any Microsoft ASP.NET Core project if it uses the following affected package version.

Affected package and version
Package name Package version
Microsoft.AspNetCore.Mvc.Core 1.1.0

Advisory FAQ

How do I know if I am affected?

ASP.NET Core has two different types of dependencies, direct and transitive. If your project has a direct or transitive dependency on Microsoft.AspNetCore.Mvc.Core version 1.1.0 you are affected.

.NET Core Project formats

.NET Core has two different project file formats, depending on what software created the project.

  1. project.json is the original format, included in .NET Core 1.0 and Visual Studio 2015.
  2. csproj is the format used in Visual Studio 2017.

You must ensure you follow the correct update instructions for your project type.

Direct Dependencies

Direct dependencies are dependencies where you specifically add a package to your project. For example, if you add the Microsoft.AspNetCore.Mvc package to your project then you have taken a direct dependency on Microsoft.AspNetCore.Mvc.

Direct dependencies are discoverable by reviewing your project.json or csproj file.

Transitive Dependencies

Transitive dependencies occur when you add a package to your project that in turn relies on another package. For example, if you add the Microsoft.AspNetCore.Mvc package to your project it depends on the Microsoft.AspNetCore.Mvc.Core package (amongst others). Your project has a direct dependency on Microsoft.AspNetCore.Mvc and a transitive dependency on the Microsoft.AspNetCore.Mvc.Core package.

Transitive dependencies are reviewable in the Visual Studio Solution Explorer window, which supports searching, or by reviewing the project.lock.json file contained in the root directory of your project for project.json projects or the project.assets.json file contained in the obj directory of your project for csproj projects. These files are the authoritative list of all packages used by your project, containing both direct and transitive dependencies.

Any ASP.NET Core MVC 1.1 application will have a dependency on the affected package, either direct or transitive.

How do I fix my affected app?

You will need to fix both direct dependencies and review and fix any transitive dependencies. Version 1.1.1 of the vulnerable package contains the fixes required to secure your app...

Read more: Microsoft Security Advisory 4010983