CVE-2022-41064: .NET Framework Information Disclosure Vulnerability

Overview

Severity
Medium (CVSS 5.8)
CVSS Vector
CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C
Category
Information Disclosure
Exploit Status
Not Exploited
Exploitation Likelihood
Less Likely
Patch Tuesday
2022-Nov
Released
2022-11-08
Last Updated
2023-02-01
EPSS Score
0.17% (percentile: 37.9%)

FAQ

If I am using System.Data.SqlClient or Microsoft.Data.SqlClient, what do I need to do to be protected from this vulnerability?

Customers using either the System.Data.SqlClient or Microsoft.Data.SqlClient NuGet packages need to do the following to be protected:

  • If you are using System.Data.SqlClient on .NET Framework, you must install the November update for .NET Framework.
  • If you are using System.Data.SqlClient on .NET Core, .NET 5 or .NET 6, you must update the NuGet package to an updated version as listed in the affected packages.
  • If you are using Microsoft.Data.SqlClient anywhere (.NET Core, .NET 5/6, .NET Framework) and you are using a version that is vulnerable, you must update as listed in the affected packages.

Please see Microsoft Security Advisory CVE-2022-41064 | .NET Information Disclosure Vulnerability for more information.

According to the CVSS score, the attack vector is adjacent (AV:A). What does this mean for this vulnerability?

Exploiting this vulnerability requires an attacker to be within the SQL connection pool.

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to exhaust all the threads in the thread pool.

According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?

In this case, a successful attack could give the attacker access to queries from other users in the SQL connection pool.
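The package-side guidance above is an inventory problem: find every project that restores System.Data.SqlClient or Microsoft.Data.SqlClient and compare the restored version with the first fixed version of its branch. The script below is an added example, not code from the advisory or from either package. The two threshold entries in FIXED_VERSIONS are assumptions taken from the two package versions this page lists (2.1.2 and 4.8.5) and must be confirmed against the advisory's affected-packages table; the PackageReference and packages.config parsing, the lower-bound handling of version ranges, and the two sample project files are constructed for the example.

```python
"""Inventory check for CVE-2022-41064: find SqlClient package references in .NET
project files and compare them against the first fixed version of their branch."""
import xml.etree.ElementTree as ET
from pathlib import Path

# Lowest version in each major branch that carries the fix. These two entries are
# ASSUMED from the package versions listed on this advisory page (2.1.2 and 4.8.5);
# add every branch you actually consume from the advisory's affected-packages table.
# A referenced branch with no entry here is reported as "unknown", never as "fixed".
FIXED_VERSIONS = {
    "Microsoft.Data.SqlClient": {2: (2, 1, 2)},
    "System.Data.SqlClient": {4: (4, 8, 5)},
}


def parse_version(text):
    """Reduce a NuGet version string to a comparable (major, minor, patch) tuple.

    A range such as "[4.8.0,5.0)" is reduced to its lower bound, the oldest version
    NuGet may restore; a pre-release tag ("5.0.0-preview1") is dropped.
    """
    lower = text.strip().lstrip("[(").split(",")[0].strip().rstrip("])")
    numeric = lower.split("-")[0].split("+")[0]
    parts = [int(p) for p in numeric.split(".") if p.isdigit()]
    return tuple((parts + [0, 0, 0])[:3])


def local_name(tag):
    """Strip the MSBuild namespace that old-style .csproj files put on every tag."""
    return tag.rsplit("}", 1)[-1]


def package_references(xml_text):
    """Yield (package, version) pairs from a .csproj or a packages.config."""
    for elem in ET.fromstring(xml_text).iter():
        name = local_name(elem.tag)
        if name == "PackageReference":  # SDK-style projects
            version = elem.get("Version")
            if version is None:  # <Version> may be given as a child element
                child = next((c for c in elem if local_name(c.tag) == "Version"), None)
                version = child.text if child is not None else ""
            yield elem.get("Include") or elem.get("Update") or "", (version or "").strip()
        elif name == "package":  # packages.config
            yield elem.get("id", ""), elem.get("version", "").strip()


def assess(package, version_text):
    """Classify one reference as 'fixed', 'vulnerable' or 'unknown' (branch not in table)."""
    version = parse_version(version_text)
    floor = FIXED_VERSIONS[package].get(version[0])
    if floor is None:
        return "unknown"
    return "fixed" if version >= floor else "vulnerable"


def scan(xml_text, source="<inline>"):
    """Return (source, package, version, verdict) for every SqlClient reference."""
    return [
        (source, package, version, assess(package, version))
        for package, version in package_references(xml_text)
        if package in FIXED_VERSIONS
    ]


def scan_tree(root_dir):
    """Walk a checkout and scan every .csproj and packages.config below it."""
    findings = []
    for path in Path(root_dir).rglob("*"):
        if path.suffix == ".csproj" or path.name == "packages.config":
            findings.extend(scan(path.read_text(encoding="utf-8-sig"), str(path)))
    return findings


# Constructed sample inputs; they do not come from any real project.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Microsoft.Data.SqlClient" Version="2.1.1" />
    <PackageReference Include="System.Data.SqlClient">
      <Version>4.8.5</Version>
    </PackageReference>
    <PackageReference Include="Newtonsoft.Json" Version="13.0.1" />
  </ItemGroup>
</Project>"""

SAMPLE_PACKAGES_CONFIG = """<packages>
  <package id="Microsoft.Data.SqlClient" version="5.0.0" targetFramework="net48" />
  <package id="System.Data.SqlClient" version="4.8.3" targetFramework="net48" />
</packages>"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_CSPROJ, "app.csproj") + scan(SAMPLE_PACKAGES_CONFIG, "packages.config"):
        print("%-16s %-26s %-8s %s" % finding)
```

Point scan_tree at a checkout to cover a whole repository. An "unknown" verdict means the branch in use has no entry in the table, not that it is safe, so fill the table in before trusting the output. The .NET Framework case is separate: this check says nothing about whether the November update for the framework itself is installed on the host, which is what the System.Data.SqlClient-on-.NET-Framework guidance above requires.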

Affected Products (80)

Developer Tools

  • Nuget 2.1.2
  • Nuget 4.8.5
  • Microsoft .NET Framework 4.8 on Windows 10 Version 21H2 for ARM64-based Systems
  • Microsoft .NET Framework 4.8 on Windows Server 2012 R2
  • Microsoft .NET Framework 4.8 on Windows 10 Version 1809 for 32-bit Systems
  • Microsoft .NET Framework 4.8 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
  • Microsoft .NET Framework 4.8 on Windows Server 2019
  • Microsoft .NET Framework 4.8 on Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Microsoft .NET Framework 4.8 on Windows 10 Version 21H1 for 32-bit Systems
  • Microsoft .NET Framework 4.8 on Windows 10 Version 1809 for x64-based Systems
  • Microsoft .NET Framework 4.8 on Windows 8.1 for x64-based systems
  • Microsoft .NET Framework 4.8 on Windows 8.1 for 32-bit systems
  • Microsoft .NET Framework 4.8 on Windows Server 2016
  • Microsoft .NET Framework 4.8 on Windows 10 Version 20H2 for ARM64-based Systems
  • Microsoft .NET Framework 4.8 on Windows 10 Version 1607 for 32-bit Systems
  • Microsoft .NET Framework 4.8 on Windows Server 2012
  • Microsoft .NET Framework 4.8 on Windows Server 2012 R2 (Server Core installation)
  • Microsoft .NET Framework 4.8 on Windows 10 Version 21H2 for 32-bit Systems
  • Microsoft .NET Framework 4.8 on Windows 7 for 32-bit Systems Service Pack 1
  • Microsoft .NET Framework 4.8 on Windows 10 Version 21H1 for x64-based Systems
  • Microsoft .NET Framework 4.8 on Windows RT 8.1
  • Microsoft .NET Framework 4.8 on Windows Server 2016 (Server Core installation)
  • Microsoft .NET Framework 4.8 on Windows Server 2012 (Server Core installation)
  • Microsoft .NET Framework 4.8 on Windows 10 Version 20H2 for 32-bit Systems
  • Microsoft .NET Framework 4.8 on Windows 10 Version 21H1 for ARM64-based Systems
  • Microsoft .NET Framework 4.8 on Windows 10 Version 1607 for x64-based Systems
  • Microsoft .NET Framework 3.5 AND 4.6.2/4.7/4.7.1/4.7.2 on Windows 10 Version 1607 for 32-bit Systems
  • Microsoft .NET Framework 3.5 AND 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2016
  • Microsoft .NET Framework 3.5 AND 4.6.2/4.7/4.7.1/4.7.2 on Windows 10 Version 1607 for x64-based Systems
  • Microsoft .NET Framework 3.5 AND 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2016 (Server Core installation)
  • Microsoft .NET Framework 4.7.2 on Windows 10 Version 1809 for x64-based Systems
  • Microsoft .NET Framework 4.7.2 on Windows 10 Version 1809 for 32-bit Systems
  • Microsoft .NET Framework 4.7.2 on Windows 10 Version 1809 for ARM64-based Systems
  • Microsoft .NET Framework 4.7.2 on Windows Server 2019 (Server Core installation)
  • Microsoft .NET Framework 4.7.2 on Windows Server 2019
  • Microsoft .NET Framework 4.8 on Windows 10 Version 21H2 for x64-based Systems
  • Microsoft .NET Framework 4.8.1 on Windows 10 Version 21H1 for x64-based Systems
  • Microsoft .NET Framework 4.8.1 on Windows 10 Version 21H1 for ARM64-based Systems
  • Microsoft .NET Framework 4.8.1 on Windows 10 Version 21H1 for 32-bit Systems
  • Microsoft .NET Framework 4.8.1 on Windows 10 Version 21H2 for 32-bit Systems
  • Microsoft .NET Framework 4.8.1 on Windows 10 Version 21H2 for ARM64-based Systems
  • Microsoft .NET Framework 4.8.1 on Windows 10 Version 21H2 for x64-based Systems
  • Microsoft .NET Framework 4.8 on Windows Server 2019 (Server Core installation)
  • Microsoft .NET Framework 4.8 on Windows 7 for x64-based Systems Service Pack 1
  • Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 (Server Core installation)
  • Microsoft .NET Framework 4.8.1 on Windows 11 Version 22H2 for x64-based Systems
  • Microsoft .NET Framework 4.8.1 on Windows 11 version 21H2 for ARM64-based Systems
  • Microsoft .NET Framework 4.8 on Windows 10 Version 22H2 for x64-based Systems
  • Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows 7 for x64-based Systems Service Pack 1
  • Microsoft .NET Framework 4.8 on Windows 10 Version 22H2 for ARM64-based Systems
  • ... and 30 more

Security Updates (26)

Revision History

  • 2022-11-08: Information published.
  • 2022-11-10: Corrected Download and Article links in the Security Updates table. This is an informational change only.
  • 2022-11-14: In the Security Updates table, added .NET Framework 4.8 installed on supported editions of Windows Server 2022, and added .NET Framework 4.8.1 installed on supported editions of Windows Server 2022, as these versions of Windows Server 2022 with .NET Framework 4.8 or 4.8.1 installed are affected by this vulnerability. Customers running these versions of .NET Framework should install the November 2022 security updates to be protected from this vulnerability.
  • 2022-11-15: In the Security Updates table, removed unsupported version of .NET Framework on Windows 10 version 1809. This is an informational update only.
  • 2022-12-15: The following revisions have been made: 1) Added .NET Framework 4.6/4.6.2 installed on Windows 10 for 32-bit Systems and Windows 10 for x64-based Systems, as .NET 4.6 installed on Windows 10 is supported. 2) Removed .NET Framework 4.6.2 installed on Windows 10 for 32-bit Systems and Windows 10 for x64-based Systems. Microsoft strongly recommends that customers install the updates to be fully protected from the vulnerability. Customers whose systems are configured to receive automatic updates do not need to take any further action.
  • 2023-02-01: In the Security Updates table, added .NET Framework 3.5 AND 4.6.2/4.7/4.7.1/4.7.2 installed on supported editions of Windows Server 2016 and Windows 10 version 1607, as these versions of Windows with .NET Framework 3.5 AND 4.6.2/4.7/4.7.1/4.7.2 installed are affected by this vulnerability. Customers running these versions of .NET Framework should install the November 2022 security updates to be protected from this vulnerability.