CVE-2022-30130: .NET Framework Denial of Service Vulnerability
Overview
- Severity: Low (CVSS 3.3)
- CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C
- Category: Denial of Service
- Exploit Status: Not Exploited
- Exploitation Likelihood: Less Likely
- Patch Tuesday: 2022-May
- Released: 2022-05-10
- Last Updated: 2022-12-15
- EPSS Score: 4.31% (percentile: 88.9%)
Affected Products (15)
Developer Tools
- Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows 7 for 32-bit Systems Service Pack 1
- Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows 7 for x64-based Systems Service Pack 1
- Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows 8.1 for 32-bit systems
- Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows 8.1 for x64-based systems
- Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows RT 8.1
- Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2008 R2 for x64-based Systems Service Pack 1
- Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
- Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012
- Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 (Server Core installation)
- Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 R2
- Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 R2 (Server Core installation)
- Microsoft .NET Framework 4.6.2 on Windows Server 2008 for 32-bit Systems Service Pack 2
- Microsoft .NET Framework 4.6.2 on Windows Server 2008 for x64-based Systems Service Pack 2
- Microsoft .NET Framework 3.5 AND 4.6/4.6.2 on Windows 10 for 32-bit Systems
- Microsoft .NET Framework 3.5 AND 4.6/4.6.2 on Windows 10 for x64-based Systems
Security Updates (7)
Acknowledgments
Eran Zimmerman Gonen (https://twitter.com/3r4nz) with Accenture Security Israel (https://www.accenture.com/us-en/services/security-index)
Revision History
- 2022-05-10: Information published.
- 2022-08-09: To comprehensively address this vulnerability, Microsoft has released Monthly Rollup KB5016268 for .NET Framework 3.5 installed on Windows 8.1 and Windows Server 2012 R2. Microsoft strongly recommends that customers install the update to be fully protected from the vulnerability. Customers whose systems are configured to receive automatic updates do not need to take any further action.
- 2022-12-02: In the Security Updates table, the following revisions were made: 1) Added .NET Framework 3.5 and 4.6.2 installed on Windows 10 for 32-bit Systems and Windows 10 for x64-based Systems as they are affected by this vulnerability. Microsoft strongly recommends that customers install the updates to be fully protected from the vulnerability. Customers whose systems are configured to receive automatic updates do not need to take any further action. 2) Removed .NET Framework 4.6 and .NET Framework 4.6.1 installed on supported editions of Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows Server 2012, Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2 as these versions of .NET Framework are no longer supported.
- 2022-12-15: The following revisions have been made: 1) Added .NET Framework 3.5 and 4.6/4.6.2 installed on Windows 10 for 32-bit Systems and Windows 10 for x64-based Systems as .NET 4.6 installed on Windows 10 is supported. 2) Removed .NET Framework 3.5 and 4.6.2 installed on Windows 10 for 32-bit Systems and Windows 10 for x64-based Systems. Microsoft strongly recommends that customers install the updates to be fully protected from the vulnerability. Customers whose systems are configured to receive automatic updates do not need to take any further action.