
9.8 Critical CVE-2021-24112 Impacting Dependency

Open gravity-tthrockmorton opened this issue 2 years ago • 9 comments

I contacted Microsoft Security Response Center to resolve this and they told me to contact you all. You're currently using Microsoft.Data.SqlClient v5.0.1 in the live version available. This version is vulnerable to a remote code execution that was patched in v5.0.3. Please review and upgrade the package dependency to resolve this major security issue.

Response from MSRC:

Hello, Thank you for contacting the Microsoft Security Response Center (MSRC). These types of support issues are not something that we can assist with directly. This email thread has been closed and will no longer be monitored. Regards, MSRC

------------------- Original Message -------------------

Are we able to retrofit Microsoft.Data.SqlClient v5.1.0 that is being used in the EFC v8 previews backwards into EFC v7? EFC v7.0.5 is currently using v5.0.1 which is vulnerable to https://www.cve.org/CVERecord?id=CVE-2021-24112.

gravity-tthrockmorton avatar May 17 '23 01:05 gravity-tthrockmorton

This version is vulnerable to a remote code execution that was patched in v5.0.3.

v5.0.3 of Microsoft.Data.SqlClient hasn't yet been released (see NuGet). The next patch version of Microsoft.EntityFrameworkCore.SqlServer has been updated to depend on SqlClient v5.0.2 to resolve a memory leak bug; we can also bump to v5.0.3 if there's reason to do so.

Which specific remote code execution issue are you referring to? CVE-2021-24112 doesn't seem to have anything to do with Microsoft.Data.SqlClient, but rather with .NET, and is from 2021.

roji avatar May 17 '23 09:05 roji

@roji It's a supply chain attack. The vulnerable package is System.Drawing.Common. This is consumed via this dependency path:

[email protected][email protected][email protected][email protected][email protected][email protected]

gravity-tthrockmorton avatar May 17 '23 10:05 gravity-tthrockmorton

Are the SqlClient maintainers aware of this? In which version has the dependency there been updated?

roji avatar May 17 '23 11:05 roji

I can post an issue over there and link it back to this for resolution once a patch is provided in case they aren't aware.

https://github.com/dotnet/SqlClient/issues/2040

gravity-tthrockmorton avatar May 17 '23 12:05 gravity-tthrockmorton

@roji Erik Ejlskov Jensen said they aren't going to make a 5.0.3 release and we should just upgrade to 5.1.1. I see that you're working with 5.1.0 in EFC 8. Is there a way to port that back, or are there breaking changes there preventing it?

gravity-tthrockmorton avatar May 17 '23 15:05 gravity-tthrockmorton

Let's wait for the SqlClient owners to decide what to do with this.

roji avatar May 17 '23 15:05 roji

Seeing as SqlClient is going out of support next week and they don't appear to want to backport a fix for a supply chain attack, are there breaking changes in the newer SqlClient versions that would affect the ability to do a backport? It doesn't seem appropriate to wait until EFC 8 for a resolution to a supply chain attack announced over 2 years ago.

gravity-tthrockmorton avatar Jul 11 '23 15:07 gravity-tthrockmorton

@gravity-tthrockmorton Just add an explicit reference to MDS 5.1.1 or newer. No breaking changes.

ErikEJ avatar Jul 11 '23 16:07 ErikEJ

If there are no breaking changes then EF Core should update its reference to SqlClient. Installing an insecure (and soon out of support) dependency by default is not good.

cremor avatar Jul 11 '23 16:07 cremor

Any update on upgrading this package dependency, since it goes out of support in 2 days? .NET 8 isn't released for 5 more months and .NET 7 is in support until May of next year. Seeing as this is a 9.8 out of 10 vulnerability, this should be patched within the source control to minimize supply chain attack disruption. Most consumers will not know of the vulnerability and will use EFCore standalone, consuming the vulnerability along with it.

gravity-tthrockmorton avatar Jul 17 '23 12:07 gravity-tthrockmorton

@gravity-tthrockmorton We plan to update the referenced version to 5.1. However, nothing is preventing you from doing this yourself.

ajcvickers avatar Jul 17 '23 12:07 ajcvickers

@ajcvickers I would, however, the project is already using 5.1.1 so the problem isn't in the source control. The problem is that the admins of the project need to recompile and deploy a new binary to NuGet.

gravity-tthrockmorton avatar Jul 17 '23 12:07 gravity-tthrockmorton

@gravity-tthrockmorton No, I mean you never have to use the default package versions that EF ships. NuGet allows you to update any package to a newer version. So, if you want to use 5.1.1, then go for it.

ajcvickers avatar Jul 17 '23 12:07 ajcvickers
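The explicit override that ErikEJ and ajcvickers describe above, as an added csproj illustration (not code from the thread or the efcore project): a direct PackageReference to Microsoft.Data.SqlClient 5.1.1 takes precedence over the transitive 5.0.1 that Microsoft.EntityFrameworkCore.SqlServer 7.0.5 brings in, so the vulnerable System.Drawing.Common path is no longer resolved. The project name and target framework are assumptions.

```xml
<!-- Hypothetical consuming project (App.csproj), added for illustration. -->
<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <!-- Assumed target; EFC 7.x runs on .NET 6/7. -->
    <TargetFramework>net7.0</TargetFramework>
  </PropertyGroup>

  <ItemGroup>
    <!-- EFC 7.0.5 declares a transitive dependency on Microsoft.Data.SqlClient 5.0.1. -->
    <PackageReference Include="Microsoft.EntityFrameworkCore.SqlServer" Version="7.0.5" />

    <!-- NuGet resolves a direct reference ahead of a transitive one ("nearest wins"),
         so this single line lifts the whole graph onto the patched SqlClient without
         waiting for EF Core to change its own default. -->
    <PackageReference Include="Microsoft.Data.SqlClient" Version="5.1.1" />
  </ItemGroup>

</Project>
```

After `dotnet restore`, `dotnet list package --vulnerable --include-transitive` reports whether any package in the resolved graph (direct or transitive) still matches a known advisory, which is the check to run before and after the override.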

@ajcvickers I myself already have. However this is a 9.8 / 10 CVE from 2.5 years ago. This has been an open issue for 3 months. There is 0 reason that a new bug fix package shouldn't have already been issued. 9.8 CVEs are drop everything and fix now so that we don't get sued for negligence. Most company policies rate in low, medium, high categories. At companies I've worked for, anything rated high has to be resolved within 7 days or the application has to be taken offline until it's resolved.

gravity-tthrockmorton avatar Jul 17 '23 12:07 gravity-tthrockmorton

This also usually means new development ceases until it's resolved as well.

gravity-tthrockmorton avatar Jul 17 '23 13:07 gravity-tthrockmorton

Should be fixed by https://github.com/dotnet/efcore/pull/31286

Saibamen avatar Jul 21 '23 20:07 Saibamen

Will be fixed in EFC 7.0.10

Saibamen avatar Aug 04 '23 07:08 Saibamen