[Security Information] Microsoft Security Center Announcement: High-risk remote code execution vulnerability disclosed in .NET



On March 10, Microsoft issued a security bulletin announcing a remote code execution vulnerability in the .NET component System.Text.Encodings.Web. The affected versions include .NET 5.0, .NET Core 3.1 and .NET Core 2.1.

Due to the way text encoding is performed, there is a remote code execution vulnerability in .NET 5 and .NET Core.

Mitigation method

Microsoft has not yet discovered any mitigating factors for this vulnerability.

Scope of impact

The package affected by the vulnerability is System.Text.Encodings.Web. Upgrade the package and redeploy the application to resolve the problem. The current corresponding patched versions are 4.5.1, 4.7.7 and 5.0.1.

Affected: any application based on .NET 5, .NET Core or .NET Framework that uses the System.Text.Encodings.Web package.

Note: .NET Core 3.0 has been discontinued, and all applications should be updated to 3.1.

Vulnerability detection

Whether a system is vulnerable can be determined by comparing the installed runtime or SDK version against the affected version range listed above. Run the dotnet --info command in cmd to list the installed versions. The command output is similar to the following.

.NET SDK (反映任何 global.json): 
Version: 5.0.201 
Commit: a09bd5c86c 
运行时环境: 
OS Name: Windows 
OS Version: 10.0.18362 
OS Platform: Windows 
RID: win10-x64 
Base Path: C:\Program Files\dotnet\sdk\5.0.201\ 
Host (useful for support): 
Version: 5.0.4 
Commit: f27d337295 
.NET SDKs installed: 
5.0.201 [C:\Program Files\dotnet\sdk] 
.NET runtimes installed: 
Microsoft.AspNetCore.App 5.0.4 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App] 
Microsoft.NETCore.App 5.0.4 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App] 
Microsoft.WindowsDesktop.App 5.0.4 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App] 


Vulnerability resolution

To solve this problem, install the latest version of .NET 5.0, .NET Core 3.1 or .NET Core 2.1. If one or more .NET Core SDKs were installed through Visual Studio, Visual Studio will prompt you to update it and will update the .NET Core SDK automatically.

For .NET 5.0, download and install Runtime 5.0.4 or SDK 5.0.104 (for Visual Studio 2019 v16.8).
For .NET Core 3.1, download and install Runtime 3.1.13 or SDK 3.1.113 (for Visual Studio 2019 v16.4) or 3.1.406 (for Visual Studio 2019 v16.5 or higher).
For .NET Core 2.1, download and install Runtime 2.1.26 or SDK 2.1.522 (for Visual Studio 2019 v15.9) or 2.1.814.
Microsoft Update also provides updates for .NET 5.0, .NET Core 3.1 and .NET Core 2.1. To get them, type "check for updates" in Windows search, or open "Settings", select "Update and Security", and click "Check for Updates".

After installing the updated runtime or SDK, restart the application for the update to take effect.

Self-contained applications deployed against any affected version are also vulnerable and must be recompiled and redeployed.
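The check described under "Vulnerability detection" can be automated. The following is an added example, not code from Microsoft or from the original article: it parses the runtime list printed by dotnet --info and compares each Microsoft.NETCore.App entry with the patched runtime versions listed above. The function name audit_runtimes, the status strings and the sample input are assumptions made for illustration.

```python
import re
import shutil
import subprocess

# Minimum patched runtime per release line, as listed in this article.
PATCHED = {(5, 0): (5, 0, 4), (3, 1): (3, 1, 13), (2, 1): (2, 1, 26)}

# Matches lines such as:
#   Microsoft.NETCore.App 5.0.4 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
RUNTIME_LINE = re.compile(
    r"^\s*Microsoft\.NETCore\.App\s+(\d+)\.(\d+)\.(\d+)(\S*)\s+\[(.+)\]\s*$")

# Constructed sample input (not real output from any machine).
SAMPLE = r"""
.NET runtimes installed:
  Microsoft.AspNetCore.App 5.0.4 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.NETCore.App 2.1.25 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 3.0.3 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 3.1.13 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 5.0.4 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
"""

def audit_runtimes(info_text):
    """Return [(version, status)] for every Microsoft.NETCore.App line."""
    results = []
    for line in info_text.splitlines():
        m = RUNTIME_LINE.match(line)
        if not m:
            continue  # SDK, host and other framework lines are ignored
        major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
        version = f"{major}.{minor}.{patch}{m.group(4)}"
        fixed = PATCHED.get((major, minor))
        if (major, minor) == (3, 0):
            status = "unsupported: move to 3.1"
        elif fixed is None:
            status = "not covered by this article"
        elif (major, minor, patch) < fixed:
            status = "vulnerable: install " + ".".join(map(str, fixed))
        else:
            status = "patched"
        results.append((version, status))
    return results

if __name__ == "__main__":
    # Use the real command when the dotnet CLI is on PATH, else the sample.
    text = (subprocess.run(["dotnet", "--info"], capture_output=True, text=True).stdout
            if shutil.which("dotnet") else SAMPLE)
    for version, status in audit_runtimes(text):
        print(f"Microsoft.NETCore.App {version}: {status}")
```

This only covers runtimes installed on the machine. Self-contained applications and projects that reference the System.Text.Encodings.Web package directly still have to be checked and rebuilt separately.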



Origin blog.csdn.net/YiAnSociety/article/details/114698093