.NET Core January 2019 Updates – 2.1.7 and 2.2.1

Today, we are releasing the .NET Core January 2019 Update. These updates contain security and reliability fixes.

Security

CVE-2019-0545: .NET Core Information Disclosure Vulnerability

The security update addresses the vulnerability by enforcing Cross-origin Resource Sharing (CORS) configuration to prevent its bypass in .NET Core 2.1 and 2.2. An attacker who successfully exploited the vulnerability could retrieve content, that is normally restricted, from a web application.

CVE-2019-0548: ASP.NET Core Denial Of Service Vulnerability

This security vulnerability exists in ASP.NET Core 1.0, 1.1, 2.1 and 2.2. If an application is hosted on Internet Information Server (IIS) a remote unauthenticated attacker can use a specially crafted request to cause a Denial of Service.

CVE-2019-0564: ASP.NET Core Denial Of Service Vulnerability

This security vulnerability exists in ASP.NET Core 1.0, 1.1, 2.1 and 2.2. If an application is hosted on Internet Information Server (IIS) a remote unauthenticated attacker can use a specially crafted request to cause a Denial of Service.

CVE-2018-8416: .NET Core Tampering Vulnerability

A security vulnerability exists wherein .NET Core 2.1 improperly handles specially crafted files. An attacker who successfully exploited this vulnerability could write arbitrary files and directories to certain locations on a vulnerable system. However, an attacker would have limited control over the destination of the files and directories.

To exploit the vulnerability, an attacker must send a specially crafted file to a vulnerable system.

Windows ARM support

This release includes the first availability of .NET Core for Windows Server, version 1809 ARM32. Runtime zips can be found on the downloads page. The SDK zip is expected to be live on the 9th and this note will be updated when that happens.

Getting the Update

The latest .NET Core updates are available on the .NET Core download page. This update is included in the Visual Studio 15.9.5 update, which is also releasing today.

See the .NET Core release notes ( 2.1.7 | 2.2.1 ) for details on the release including a detailed commit list and affected files.

Docker Images

The .NET Core Docker images have been updated for this release. Details on our Docker versioning and how to work with the images can be seen in “Staying up-to-date with .NET Container Images”.

microsoft/dotnet
microsoft/dotnet-samples
microsoft/aspnetcore

Azure App Services deployment

Update: Deployment of .NET Core 2.1.7 and 2.2.1 to Azure App Services is complete. 2.1.7 and 2.2.1 are available in all regions.