ID

VAR-202001-0122


CVE

CVE-2020-0602


TITLE

ASP.NET Core Denial of service in Japan (DoS) Vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2020-001114

DESCRIPTION

A denial of service vulnerability exists when ASP.NET Core improperly handles web requests, aka 'ASP.NET Core Denial of Service Vulnerability'. "Denial of service (DoS) May be in a state. Microsoft ASP.NET Core is a cross-platform open source framework from Microsoft Corporation in the United States. The framework is used to build cloud-based applications such as web applications, IoT applications, and mobile backends. The vulnerability stems from the software's incorrect handling of web requests. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Critical: .NET Core on Red Hat Enterprise Linux security and bug fix update Advisory ID: RHSA-2020:0134-01 Product: .NET Core on Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2020:0134 Issue date: 2020-01-16 CVE Names: CVE-2020-0602 CVE-2020-0603 ==================================================================== 1. Summary: An update for rh-dotnet30-dotnet and rh-dotnet31-dotnet is now available for .NET Core on Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: .NET Core on Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64 .NET Core on Red Hat Enterprise Linux Server (v. 7) - x86_64 .NET Core on Red Hat Enterprise Linux Workstation (v. 7) - x86_64 3. Description: .NET Core is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. The updated versions are .NET Core SDK 3.0.102, .NET Core Runtime 3.0.2, .NET Core SDK 3.1.101 and .NET Core Runtime 3.1.1. Security Fixes: * dotnet: Memory Corruption in SignalR (CVE-2020-0603) * dotnet: SignalR Denial of Service via backpressure issue (CVE-2020-0602) Users must rebuild their applications to pick up the fixes. Default inclusions for applications built with .NET Core have been updated to reference the newest versions and their security fixes. For more details about the security issues, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE pages listed in the References section. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1787151 - Update .NET Core 3.0 to Runtime 3.0.2 and SDK 3.0.102 1787174 - Update .NET Core 3.1 to Runtime 3.1.1 and SDK 3.1.101 1789623 - CVE-2020-0602 dotnet: Denial of service via backpressure issue 1789624 - CVE-2020-0603 dotnet: Memory Corruption in SignalR 6. Package List: .NET Core on Red Hat Enterprise Linux ComputeNode (v. 7): Source: rh-dotnet30-dotnet-3.0.102-3.el7.src.rpm x86_64: rh-dotnet30-aspnetcore-runtime-3.0-3.0.2-3.el7.x86_64.rpm rh-dotnet30-aspnetcore-targeting-pack-3.0-3.0.2-3.el7.x86_64.rpm rh-dotnet30-dotnet-3.0.102-3.el7.x86_64.rpm rh-dotnet30-dotnet-apphost-pack-3.0-3.0.2-3.el7.x86_64.rpm rh-dotnet30-dotnet-debuginfo-3.0.102-3.el7.x86_64.rpm rh-dotnet30-dotnet-host-3.0.2-3.el7.x86_64.rpm rh-dotnet30-dotnet-hostfxr-3.0-3.0.2-3.el7.x86_64.rpm rh-dotnet30-dotnet-runtime-3.0-3.0.2-3.el7.x86_64.rpm rh-dotnet30-dotnet-sdk-3.0-3.0.102-3.el7.x86_64.rpm rh-dotnet30-dotnet-targeting-pack-3.0-3.0.2-3.el7.x86_64.rpm rh-dotnet30-dotnet-templates-3.0-3.0.102-3.el7.x86_64.rpm rh-dotnet30-netstandard-targeting-pack-2.1-3.0.102-3.el7.x86_64.rpm .NET Core on Red Hat Enterprise Linux ComputeNode (v. 7): Source: rh-dotnet31-dotnet-3.1.101-4.el7.src.rpm x86_64: rh-dotnet31-aspnetcore-runtime-3.1-3.1.1-4.el7.x86_64.rpm rh-dotnet31-aspnetcore-targeting-pack-3.1-3.1.1-4.el7.x86_64.rpm rh-dotnet31-dotnet-3.1.101-4.el7.x86_64.rpm rh-dotnet31-dotnet-apphost-pack-3.1-3.1.1-4.el7.x86_64.rpm rh-dotnet31-dotnet-debuginfo-3.1.101-4.el7.x86_64.rpm rh-dotnet31-dotnet-host-3.1.1-4.el7.x86_64.rpm rh-dotnet31-dotnet-hostfxr-3.1-3.1.1-4.el7.x86_64.rpm rh-dotnet31-dotnet-runtime-3.1-3.1.1-4.el7.x86_64.rpm rh-dotnet31-dotnet-sdk-3.1-3.1.101-4.el7.x86_64.rpm rh-dotnet31-dotnet-targeting-pack-3.1-3.1.1-4.el7.x86_64.rpm rh-dotnet31-dotnet-templates-3.1-3.1.101-4.el7.x86_64.rpm rh-dotnet31-netstandard-targeting-pack-2.1-3.1.101-4.el7.x86_64.rpm .NET Core on Red Hat Enterprise Linux Server (v. 7): Source: rh-dotnet30-dotnet-3.0.102-3.el7.src.rpm x86_64: rh-dotnet30-aspnetcore-runtime-3.0-3.0.2-3.el7.x86_64.rpm rh-dotnet30-aspnetcore-targeting-pack-3.0-3.0.2-3.el7.x86_64.rpm rh-dotnet30-dotnet-3.0.102-3.el7.x86_64.rpm rh-dotnet30-dotnet-apphost-pack-3.0-3.0.2-3.el7.x86_64.rpm rh-dotnet30-dotnet-debuginfo-3.0.102-3.el7.x86_64.rpm rh-dotnet30-dotnet-host-3.0.2-3.el7.x86_64.rpm rh-dotnet30-dotnet-hostfxr-3.0-3.0.2-3.el7.x86_64.rpm rh-dotnet30-dotnet-runtime-3.0-3.0.2-3.el7.x86_64.rpm rh-dotnet30-dotnet-sdk-3.0-3.0.102-3.el7.x86_64.rpm rh-dotnet30-dotnet-targeting-pack-3.0-3.0.2-3.el7.x86_64.rpm rh-dotnet30-dotnet-templates-3.0-3.0.102-3.el7.x86_64.rpm rh-dotnet30-netstandard-targeting-pack-2.1-3.0.102-3.el7.x86_64.rpm .NET Core on Red Hat Enterprise Linux Server (v. 7): Source: rh-dotnet31-dotnet-3.1.101-4.el7.src.rpm x86_64: rh-dotnet31-aspnetcore-runtime-3.1-3.1.1-4.el7.x86_64.rpm rh-dotnet31-aspnetcore-targeting-pack-3.1-3.1.1-4.el7.x86_64.rpm rh-dotnet31-dotnet-3.1.101-4.el7.x86_64.rpm rh-dotnet31-dotnet-apphost-pack-3.1-3.1.1-4.el7.x86_64.rpm rh-dotnet31-dotnet-debuginfo-3.1.101-4.el7.x86_64.rpm rh-dotnet31-dotnet-host-3.1.1-4.el7.x86_64.rpm rh-dotnet31-dotnet-hostfxr-3.1-3.1.1-4.el7.x86_64.rpm rh-dotnet31-dotnet-runtime-3.1-3.1.1-4.el7.x86_64.rpm rh-dotnet31-dotnet-sdk-3.1-3.1.101-4.el7.x86_64.rpm rh-dotnet31-dotnet-targeting-pack-3.1-3.1.1-4.el7.x86_64.rpm rh-dotnet31-dotnet-templates-3.1-3.1.101-4.el7.x86_64.rpm rh-dotnet31-netstandard-targeting-pack-2.1-3.1.101-4.el7.x86_64.rpm .NET Core on Red Hat Enterprise Linux Workstation (v. 7): Source: rh-dotnet30-dotnet-3.0.102-3.el7.src.rpm x86_64: rh-dotnet30-aspnetcore-runtime-3.0-3.0.2-3.el7.x86_64.rpm rh-dotnet30-aspnetcore-targeting-pack-3.0-3.0.2-3.el7.x86_64.rpm rh-dotnet30-dotnet-3.0.102-3.el7.x86_64.rpm rh-dotnet30-dotnet-apphost-pack-3.0-3.0.2-3.el7.x86_64.rpm rh-dotnet30-dotnet-debuginfo-3.0.102-3.el7.x86_64.rpm rh-dotnet30-dotnet-host-3.0.2-3.el7.x86_64.rpm rh-dotnet30-dotnet-hostfxr-3.0-3.0.2-3.el7.x86_64.rpm rh-dotnet30-dotnet-runtime-3.0-3.0.2-3.el7.x86_64.rpm rh-dotnet30-dotnet-sdk-3.0-3.0.102-3.el7.x86_64.rpm rh-dotnet30-dotnet-targeting-pack-3.0-3.0.2-3.el7.x86_64.rpm rh-dotnet30-dotnet-templates-3.0-3.0.102-3.el7.x86_64.rpm rh-dotnet30-netstandard-targeting-pack-2.1-3.0.102-3.el7.x86_64.rpm .NET Core on Red Hat Enterprise Linux Workstation (v. 7): Source: rh-dotnet31-dotnet-3.1.101-4.el7.src.rpm x86_64: rh-dotnet31-aspnetcore-runtime-3.1-3.1.1-4.el7.x86_64.rpm rh-dotnet31-aspnetcore-targeting-pack-3.1-3.1.1-4.el7.x86_64.rpm rh-dotnet31-dotnet-3.1.101-4.el7.x86_64.rpm rh-dotnet31-dotnet-apphost-pack-3.1-3.1.1-4.el7.x86_64.rpm rh-dotnet31-dotnet-debuginfo-3.1.101-4.el7.x86_64.rpm rh-dotnet31-dotnet-host-3.1.1-4.el7.x86_64.rpm rh-dotnet31-dotnet-hostfxr-3.1-3.1.1-4.el7.x86_64.rpm rh-dotnet31-dotnet-runtime-3.1-3.1.1-4.el7.x86_64.rpm rh-dotnet31-dotnet-sdk-3.1-3.1.101-4.el7.x86_64.rpm rh-dotnet31-dotnet-targeting-pack-3.1-3.1.1-4.el7.x86_64.rpm rh-dotnet31-dotnet-templates-3.1-3.1.101-4.el7.x86_64.rpm rh-dotnet31-netstandard-targeting-pack-2.1-3.1.101-4.el7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2020-0602 https://access.redhat.com/security/cve/CVE-2020-0603 https://access.redhat.com/security/updates/classification/#critical 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBXiCQQ9zjgjWX9erEAQiA5g//U9AGfQhzgzrIja7zNdstcP61hqUbWM+j F2E4FpcJCJgjV3uDli4HsH6sIuzuKV5pVLhvNdbrAMSDJgOaWNJ+Otvmve0yPvY6 KjhAPMQnBjsJE5eUia6ZEIzhvjcHVwVbHQJrqIwLjvBrwHeo6fVWd/IHentdmM+3 FIh6uqClbh434gyq4Oi2MpTJ6G6z0+/siaA/tq4qubWJCtEWLfEXXhWsUL4ye59B edz+0qB0MYi2ZpgJtk0A8RRxtwcVN6KD+SnV2g25XjqwDNBhAfO3AlB1x0Mzo7HQ 2tcWLTpJPtYm8sZFZLOKAGm1hvTJhFnu4Vc5oL7b6paJYsU2Ud9URbakwiiiwzV+ XXLdMmvL63JVeP+cFWkqgI/UR8sdbaXrKFjJcnxNiUklPrrUIx3rq/E1yzCgqwMI M3RakcXDqCsaojoOAy/AMkPH1J2r8vyz08JTLC6Ik54m4Dz7/wGILwuVKXLuR1bM L6oLLZNrc5oxK4VM7Zb0IHaAeK/cOvxQWhglOPkDV4Got721TputjBeIEj8xiHc1 2s5zmndzaUfXm+PoqnFsfGggRErFLXaqwSpRWT2vn2MOXbrEbpPjmJs55tLXABhw 8DI+gmgFRHhE6A4yqvJMzaJGZCsCtUWWXowQEhiCNaymG9Kgx4BkRLNj2Mc15mOK EuYGFNW4Ux4\xadZz -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce

Trust: 2.88

sources: NVD: CVE-2020-0602 // JVNDB: JVNDB-2020-001114 // CNVD: CNVD-2020-16652 // CNNVD: CNNVD-202001-471 // PACKETSTORM: 155977 // PACKETSTORM: 155981

IOT TAXONOMY

category:['IoT']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2020-16652

AFFECTED PRODUCTS

vendor:microsoftmodel:asp.net corescope:eqversion:2.1

Trust: 3.0

vendor:microsoftmodel:asp.net corescope:eqversion:3.0

Trust: 3.0

vendor:microsoftmodel:asp.net corescope:eqversion:3.1

Trust: 3.0

vendor:redhatmodel:enterprise linuxscope:eqversion:8.0

Trust: 1.6

vendor:redhatmodel:enterprise linux eusscope:eqversion:8.1

Trust: 1.6

vendor:red hatmodel:enterprise linuxscope:eqversion:none

Trust: 0.8

vendor:red hatmodel:enterprise linuxscope:eqversion:eus

Trust: 0.8

sources: CNVD: CNVD-2020-16652 // JVNDB: JVNDB-2020-001114 // CNNVD: CNNVD-202001-471 // NVD: CVE-2020-0602

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-0602
value: HIGH

Trust: 1.0

NVD: CVE-2020-0602
value: HIGH

Trust: 0.8

CNVD: CNVD-2020-16652
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202001-471
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2020-0602
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2020-16652
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2020-0602
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: CVE-2020-0602
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2020-16652 // JVNDB: JVNDB-2020-001114 // CNNVD: CNNVD-202001-471 // NVD: CVE-2020-0602

PROBLEMTYPE DATA

problemtype:NVD-CWE-noinfo

Trust: 1.0

problemtype:CWE-400

Trust: 0.8

sources: JVNDB: JVNDB-2020-001114 // NVD: CVE-2020-0602

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202001-471

TYPE

resource management error

Trust: 0.6

sources: CNNVD: CNNVD-202001-471

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-001114

PATCH

title:RHSA-2020:0130url:https://access.redhat.com/errata/RHSA-2020:0130

Trust: 0.8

title:RHSA-2020:0134url:https://access.redhat.com/errata/RHSA-2020:0134

Trust: 0.8

title:CVE-2020-0602 | ASP.NET Core Denial of Service Vulnerabilityurl:https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0602

Trust: 0.8

title:CVE-2020-0602 | ASP.NET Core のサービス拒否の脆弱性url:https://portal.msrc.microsoft.com/ja-jp/security-guidance/advisory/CVE-2020-0602

Trust: 0.8

title:Patch for Microsoft ASP.NET Core Denial of Service Vulnerability (CNVD-2020-16652)url:https://www.cnvd.org.cn/patchInfo/show/208311

Trust: 0.6

title:Microsoft ASP.NET Core Remediation of resource management error vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=108469

Trust: 0.6

sources: CNVD: CNVD-2020-16652 // JVNDB: JVNDB-2020-001114 // CNNVD: CNNVD-202001-471

EXTERNAL IDS

db:NVDid:CVE-2020-0602

Trust: 3.2

db:JVNDBid:JVNDB-2020-001114

Trust: 0.8

db:PACKETSTORMid:155981

Trust: 0.7

db:CNVDid:CNVD-2020-16652

Trust: 0.6

db:AUSCERTid:ESB-2020.0186

Trust: 0.6

db:CNNVDid:CNNVD-202001-471

Trust: 0.6

db:PACKETSTORMid:155977

Trust: 0.1

sources: CNVD: CNVD-2020-16652 // JVNDB: JVNDB-2020-001114 // PACKETSTORM: 155977 // PACKETSTORM: 155981 // CNNVD: CNNVD-202001-471 // NVD: CVE-2020-0602

REFERENCES

url:https://access.redhat.com/errata/rhsa-2020:0130

Trust: 2.3

url:https://access.redhat.com/errata/rhsa-2020:0134

Trust: 2.3

url:https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/cve-2020-0602

Trust: 2.2

url:https://nvd.nist.gov/vuln/detail/cve-2020-0602

Trust: 1.6

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-0602

Trust: 0.8

url:https://www.ipa.go.jp/security/ciadr/vul/20200115-ms.html

Trust: 0.8

url:https://www.jpcert.or.jp/at/2020/at200001.html

Trust: 0.8

url:https://access.redhat.com/security/cve/cve-2020-0602

Trust: 0.8

url:https://www.auscert.org.au/bulletins/esb-2020.0186/

Trust: 0.6

url:https://packetstormsecurity.com/files/155981/red-hat-security-advisory-2020-0134-01.html

Trust: 0.6

url:https://www.redhat.com/mailman/listinfo/rhsa-announce

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2020-0603

Trust: 0.2

url:https://bugzilla.redhat.com/):

Trust: 0.2

url:https://access.redhat.com/security/team/key/

Trust: 0.2

url:https://access.redhat.com/security/updates/classification/#critical

Trust: 0.2

url:https://access.redhat.com/articles/11258

Trust: 0.2

url:https://access.redhat.com/security/team/contact/

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2020-0603

Trust: 0.2

sources: CNVD: CNVD-2020-16652 // JVNDB: JVNDB-2020-001114 // PACKETSTORM: 155977 // PACKETSTORM: 155981 // CNNVD: CNNVD-202001-471 // NVD: CVE-2020-0602

CREDITS

Red Hat

Trust: 0.8

sources: PACKETSTORM: 155977 // PACKETSTORM: 155981 // CNNVD: CNNVD-202001-471

SOURCES

db:CNVDid:CNVD-2020-16652
db:JVNDBid:JVNDB-2020-001114
db:PACKETSTORMid:155977
db:PACKETSTORMid:155981
db:CNNVDid:CNNVD-202001-471
db:NVDid:CVE-2020-0602

LAST UPDATE DATE

2024-08-14T14:32:24.385000+00:00


SOURCES UPDATE DATE

db:CNVDid:CNVD-2020-16652date:2020-03-11T00:00:00
db:JVNDBid:JVNDB-2020-001114date:2020-01-28T00:00:00
db:CNNVDid:CNNVD-202001-471date:2020-01-19T00:00:00
db:NVDid:CVE-2020-0602date:2021-07-21T11:39:23.747

SOURCES RELEASE DATE

db:CNVDid:CNVD-2020-16652date:2020-03-10T00:00:00
db:JVNDBid:JVNDB-2020-001114date:2020-01-28T00:00:00
db:PACKETSTORMid:155977date:2020-01-16T16:43:31
db:PACKETSTORMid:155981date:2020-01-16T16:45:15
db:CNNVDid:CNNVD-202001-471date:2020-01-14T00:00:00
db:NVDid:CVE-2020-0602date:2020-01-14T23:15:30.287