Microsoft Security Advisory CVE-2024-0056: Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data provider Information Disclosure Vulnerability #292
Labels
Comments
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Microsoft Security Advisory CVE-2024-0056: Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data provider Information Disclosure Vulnerability
Executive summary
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET's System.Data.SqlClient and Microsoft.Data.SqlClient NuGet Packages. This advisory also provides guidance on what developers can do to update their applications to address this vulnerability.
A vulnerability exists in the Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data provider where an attackercan perform an AiTM (adversary-in-the-middle) attack between the SQL client and the SQL server. This may allow the attacker to steal authentication credentials intended for the database server, even if the connection is established over an encrypted channel like TLS.
Mitigation factors
If you are not using the System.Data.SqlClient or Microsoft.Data.SqlClient package libraries within your application, you are not affected by this vulnerability.
Affected packages
Advisory FAQ
How do I know if I am affected?
Any application that has a direct or transitive dependency on the affected packages listed above are vulnerable.
How do I fix the issue?
If you are using the System.Data.SqlClient package from a .NET Framework (any version) application, you must install the January 2024 .NET Framework updates made available via Windows Update or Microsoft Update. You should also consider updating the System.Data.SqlClient package as keeping dependencies up to date is good general hygiene, but updating this package is neither necessary nor sufficient to fix the issue in a .NET Framework-based application.
If you don't know the difference between Microsoft.Data.SqlClient and System.Data.SqlClient please read the Microsoft.Data.SqlClient initial announcement for an explanation,
Other Information
Reporting Security Issues
If you have found a potential security issue in .NET 6.0 or .NET 7.0 or .NET 8.0, please email details to secure@microsoft.com. Reports may qualify for the Microsoft .NET Core & .NET 5 Bounty. Details of the Microsoft .NET Bounty Program including terms and conditions are at https://aka.ms/corebounty.
Support
You can ask questions about this issue on GitHub in the .NET GitHub organization. The main repos are located at https://github.com/dotnet/runtime and https://github.com/dotnet/aspnet/. The Announcements repo (https://github.com/dotnet/Announcements) will contain this bulletin as an issue and will include a link to a discussion issue. You can ask questions in the linked discussion issue.
Disclaimer
The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
External Links
CVE-2024-0056
Revisions
V1.0 (January 09, 2024): Advisory published.
Version 1.0
Last Updated 2024-01-09
The text was updated successfully, but these errors were encountered: