Bug 1512982 – CVE-2017-8585 .NET Core: DoS via invalid culture

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 1512982 - (CVE-2017-8585) CVE-2017-8585 .NET Core: DoS via invalid culture

Summary:	CVE-2017-8585 .NET Core: DoS via invalid culture

Status:	CLOSED ERRATA

Aliases:	CVE-2017-8585

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	low Severity low
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=low,public=20171114:1200,repor...
Keywords:	Security

Depends On:	1513073 1513074 1513076 1513077
Blocks:	1512757
	Show dependency tree / graph

Reported:	2017-11-14 09:46 EST by Trevor Jay
Modified:	2018-01-10 05:28 EST (History)
CC List:	7 users (show)

See Also:
Fixed In Version:	dotnetcore 1.0.7, dotnetcore 1.1.4
Doc Type:	If docs needed, set a value
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2017-12-01 06:34:12 EST
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2017:3248	normal	SHIPPED_LIVE	Low: .NET Core security update	2017-11-30 16:45:28 EST

Groups: None (edit)

Description Trevor Jay 2017-11-14 09:46:20 EST

By providing an invalid culture, an attacker can cause a recursive lookup that leads to a denial of service.

Comment 3 Omair Majid 2017-11-15 15:32:39 EST

The upstream note about this CVE (https://github.com/dotnet/announcements/issues/34) states:

"""
System administrators are advised to update their .NET Core runtimes to versions 1.0.7 and 1.1.4.
"""

It looks like this was fixed even before .NET Core 1.1.5 and 1.0.8.

The announcement also states:

"""
.NET Core 1.x applications are only affected if running on Windows 10 or Windows 2016.
"""

This doesnt appear to affect Linux. But due to how self-contained applications can be built for other platforms, this needs to be fixed everywhere.

Comment 4 errata-xmlrpc 2017-11-20 06:46:13 EST

This issue has been addressed in the following products:

  dotNET on RHEL

Via RHSA-2017:3248 https://access.redhat.com/errata/RHSA-2017:3248

Comment 5 Tomas Hoger 2017-12-01 06:34:12 EST

Further details of this issue can be found in the upstream Microsoft advisories, and the advisory form the original reporter.

https://github.com/dotnet/announcements/issues/34
https://github.com/dotnet/corefx/issues/24703
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8585
https://www.sidertia.com/Home/Community/Blog/2017/07/14/Microsoft-fixes-the-CVE-2017-8585-security-vulnerability-discovered-by-Sidertia-Team

Comment 6 Tomas Hoger 2017-12-01 06:35:04 EST

External References:

https://github.com/dotnet/announcements/issues/34
https://www.sidertia.com/Home/Community/Blog/2017/07/14/Microsoft-fixes-the-CVE-2017-8585-security-vulnerability-discovered-by-Sidertia-Team

Note You need to log in before you can comment on or make changes to this bug.