System.Text.Encodings.Web Vulnerability


A vulnerability in a .NET library that you should aim to fix promptly, outside your usual patch cycle: https://github.com/dotnet/runtime/issues/49377.

The problem is in System.Text.Encodings.Web, which is included out of the box in the runtime for anything based on Microsoft.NETCore.App.

The issue is misleading on the face of it: this package is also used directly in .NET Framework applications as a NuGet package, so those need patching too.

.NET Core / .NET 5

It should be adequate to update the runtime on the box (to 3.1.13 or 2.1.26) and restart the application.

If it's a self-contained application, it needs to be rebuilt and redeployed from an agent with the updated runtime. Note that if you include the following task in, for example, an Azure DevOps (AzDo) pipeline YAML, it will automatically pull in SDK v3.1.407, which includes the fix.

```yaml
- task: UseDotNet@2
  displayName: 'Use .NET Core sdk'
  inputs:
    packageType: sdk
    version: 3.1.x
    installationPath: $(Agent.ToolsDirectory)\dotnet
```

If you've enabled the new Windows Update feature for .NET Core, just check that the update actually happened!

.NET Framework

Update the System.Text.Encodings.Web package to a fixed version (4.5.1, 4.7.2 or 5.0.1, depending on the line you're on) and redeploy.
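A quick check covering both cases above (the shared runtime and the NuGet package), as an added example that is not part of the original post: it classifies version strings against the fixed versions quoted here, reading `dotnet --list-runtimes` output for the runtime case and a .csproj for the .NET Framework case. The sample inputs are constructed, and release lines the post gives no fixed version for (such as the 5.0 runtime) are reported as unknown rather than guessed.

```shell
# Added example, not the post's code: classify versions against the fixed versions the post quotes
# (runtime 2.1.26 / 3.1.13; NuGet package 4.5.1 / 4.7.2 / 5.0.1). Lines without a quoted fix -> "unknown".
# version_ge A B: exit 0 when dotted numeric version A >= B.
version_ge() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
    if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
    case $a in *.*) a=${a#*.} ;; *) a= ;; esac
    case $b in *.*) b=${b#*.} ;; *) b= ;; esac
  done
  return 0
}
# patch_status KIND VERSION -> patched | vulnerable | unknown (KIND: runtime or package).
patch_status() {
  kind=$1; ver=$2; line=${2%.*}
  case "$kind:$line" in
    runtime:2.1) fixed=2.1.26 ;;
    runtime:3.1) fixed=3.1.13 ;;
    package:4.5) fixed=4.5.1 ;;
    package:4.7) fixed=4.7.2 ;;
    package:5.0) fixed=5.0.1 ;;
    *) echo unknown; return 0 ;;
  esac
  if version_ge "$ver" "$fixed"; then echo patched; else echo vulnerable; fi
}
# check_runtimes: stdin is `dotnet --list-runtimes` output; one line per Microsoft.NETCore.App runtime.
check_runtimes() {
  awk '$1 == "Microsoft.NETCore.App" { print $2 }' | while read -r v; do
    echo "runtime $v $(patch_status runtime "$v")"
  done
}
# check_csproj: stdin is a .csproj; reports each System.Text.Encodings.Web PackageReference (.NET Framework case).
check_csproj() {
  grep -o 'Include="System.Text.Encodings.Web"[^>]*' | grep -o 'Version="[^"]*"' |
    cut -d'"' -f2 | while read -r v; do
      echo "package $v $(patch_status package "$v")"
    done
}
# Constructed sample inputs standing in for real command output and a real project file.
SAMPLE_RUNTIMES='Microsoft.NETCore.App 2.1.25 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 3.1.13 [/usr/share/dotnet/shared/Microsoft.NETCore.App]'
SAMPLE_CSPROJ='<PackageReference Include="System.Text.Encodings.Web" Version="4.7.1" />'
printf '%s\n' "$SAMPLE_RUNTIMES" | check_runtimes
printf '%s\n' "$SAMPLE_CSPROJ" | check_csproj
```

On a real box, pipe `dotnet --list-runtimes | check_runtimes` and `check_csproj < MyApp.csproj` instead of the samples.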