Details of VAR-202106-1709

ID

VAR-202106-1709

CVE

CVE-2021-31957

TITLE

.NET and Microsoft Visual Studio Denial of service in Japan (DoS) Vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2021-001972

DESCRIPTION

ASP.NET Core Denial of Service Vulnerability. .NET and Microsoft Visual Studio Has ASP.NET Service operation is interrupted due to a defect in (DoS) A vulnerability exists.Denial of service (DoS) It may be put into a state. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Important: .NET Core 3.1 on RHEL 7 security and bugfix update Advisory ID: RHSA-2021:2350-01 Product: .NET Core on Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2021:2350 Issue date: 2021-06-08 CVE Names: CVE-2021-31957 ==================================================================== 1. Summary: An update for rh-dotnet31-dotnet is now available for .NET Core on Red Hat Enterprise Linux. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: .NET Core on Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64 .NET Core on Red Hat Enterprise Linux Server (v. 7) - x86_64 .NET Core on Red Hat Enterprise Linux Workstation (v. 7) - x86_64 3. Description: .NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 3.1.116 and .NET Runtime 3.1.16. Security Fix(es): * dotnet: ASP.NET Core Client Disconnect Denial of Service (CVE-2021-31957) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Package List: .NET Core on Red Hat Enterprise Linux ComputeNode (v. 7): Source: rh-dotnet31-dotnet-3.1.116-1.el7_9.src.rpm x86_64: rh-dotnet31-aspnetcore-runtime-3.1-3.1.16-1.el7_9.x86_64.rpm rh-dotnet31-aspnetcore-targeting-pack-3.1-3.1.16-1.el7_9.x86_64.rpm rh-dotnet31-dotnet-3.1.116-1.el7_9.x86_64.rpm rh-dotnet31-dotnet-apphost-pack-3.1-3.1.16-1.el7_9.x86_64.rpm rh-dotnet31-dotnet-debuginfo-3.1.116-1.el7_9.x86_64.rpm rh-dotnet31-dotnet-host-3.1.16-1.el7_9.x86_64.rpm rh-dotnet31-dotnet-hostfxr-3.1-3.1.16-1.el7_9.x86_64.rpm rh-dotnet31-dotnet-runtime-3.1-3.1.16-1.el7_9.x86_64.rpm rh-dotnet31-dotnet-sdk-3.1-3.1.116-1.el7_9.x86_64.rpm rh-dotnet31-dotnet-targeting-pack-3.1-3.1.16-1.el7_9.x86_64.rpm rh-dotnet31-dotnet-templates-3.1-3.1.116-1.el7_9.x86_64.rpm rh-dotnet31-netstandard-targeting-pack-2.1-3.1.116-1.el7_9.x86_64.rpm .NET Core on Red Hat Enterprise Linux Server (v. 7): Source: rh-dotnet31-dotnet-3.1.116-1.el7_9.src.rpm x86_64: rh-dotnet31-aspnetcore-runtime-3.1-3.1.16-1.el7_9.x86_64.rpm rh-dotnet31-aspnetcore-targeting-pack-3.1-3.1.16-1.el7_9.x86_64.rpm rh-dotnet31-dotnet-3.1.116-1.el7_9.x86_64.rpm rh-dotnet31-dotnet-apphost-pack-3.1-3.1.16-1.el7_9.x86_64.rpm rh-dotnet31-dotnet-debuginfo-3.1.116-1.el7_9.x86_64.rpm rh-dotnet31-dotnet-host-3.1.16-1.el7_9.x86_64.rpm rh-dotnet31-dotnet-hostfxr-3.1-3.1.16-1.el7_9.x86_64.rpm rh-dotnet31-dotnet-runtime-3.1-3.1.16-1.el7_9.x86_64.rpm rh-dotnet31-dotnet-sdk-3.1-3.1.116-1.el7_9.x86_64.rpm rh-dotnet31-dotnet-targeting-pack-3.1-3.1.16-1.el7_9.x86_64.rpm rh-dotnet31-dotnet-templates-3.1-3.1.116-1.el7_9.x86_64.rpm rh-dotnet31-netstandard-targeting-pack-2.1-3.1.116-1.el7_9.x86_64.rpm .NET Core on Red Hat Enterprise Linux Workstation (v. 7): Source: rh-dotnet31-dotnet-3.1.116-1.el7_9.src.rpm x86_64: rh-dotnet31-aspnetcore-runtime-3.1-3.1.16-1.el7_9.x86_64.rpm rh-dotnet31-aspnetcore-targeting-pack-3.1-3.1.16-1.el7_9.x86_64.rpm rh-dotnet31-dotnet-3.1.116-1.el7_9.x86_64.rpm rh-dotnet31-dotnet-apphost-pack-3.1-3.1.16-1.el7_9.x86_64.rpm rh-dotnet31-dotnet-debuginfo-3.1.116-1.el7_9.x86_64.rpm rh-dotnet31-dotnet-host-3.1.16-1.el7_9.x86_64.rpm rh-dotnet31-dotnet-hostfxr-3.1-3.1.16-1.el7_9.x86_64.rpm rh-dotnet31-dotnet-runtime-3.1-3.1.16-1.el7_9.x86_64.rpm rh-dotnet31-dotnet-sdk-3.1-3.1.116-1.el7_9.x86_64.rpm rh-dotnet31-dotnet-targeting-pack-3.1-3.1.16-1.el7_9.x86_64.rpm rh-dotnet31-dotnet-templates-3.1-3.1.116-1.el7_9.x86_64.rpm rh-dotnet31-netstandard-targeting-pack-2.1-3.1.116-1.el7_9.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2021-31957 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYMAbx9zjgjWX9erEAQg0iA//ZMTDOkp9jyDMxC6VRisGHkU6yxWPFIEs 5xelU+7Pusp7mmYsFM9+c8dn7sWiRuuX7S9q+DhOTemcSmjfE8TCg2PIwDwJ4v4i AsPzx+x93ug0Jy6VWSJo/992tsdv+m809rQnqMItQy4BB7YrYaqsCtrsGxZHOP90 1LOyaiRSm7pg2OjUzvTg+k5WX4XCOvzRELiB2ErGpryR6CgU6zbCURf4fnczj2/d rNtbxXmsDSbmTUC0qt+7uKJHzoxKXUYAHDF+wyiJXSAe2eV29nINbPa9R8vx0koE BF2xcgVYd9MNPal3tsZ15jm6+hvk0tVMM+gPhAWQQczXl0aFMaWBSAmXPPJ/ZFXE +mdMXNKzuxaxK+9JsBcLS7gsTSOBfzq1Sm7oQRKGmQIPqSMdQZucs3C86sASXLGD ixQs99clPBeCFwUjvwIuHPkWQFHsxsM0LQJlGb6PHQJbVmRSc2PDgdu2BVjHJWSl c7VxLpXHwd7uiS/zw5KTpbcXpxzCAFwD2g9mZXvgRwv8xB/yMI1uim/mbdotTs5j C+Z8s0E1ggb6X9PkgFGMMwKIfZee3TiqbQevNjvZwqi3XbVEM4W2bDLLo0+I4Ly2 /1qPQc3r4ximd5loy9q3O/4kdkluuFsmznTg68Z0V1PCbhZ+JGpDi3ivdHV86LKa Y+qTXDnEhw8=kKm2 -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce

Trust: 2.52

sources: NVD: CVE-2021-31957 // JVNDB: JVNDB-2021-001972 // CNNVD: CNNVD-202104-975 // PACKETSTORM: 163033 // PACKETSTORM: 163035 // PACKETSTORM: 163039 // PACKETSTORM: 163041

AFFECTED PRODUCTS

vendor:	fedoraproject	model:	fedora	scope:	eq	version:	34	Trust: 1.0
vendor:	microsoft	model:	visual studio 2019	scope:	eq	version:	8.10	Trust: 1.0
vendor:	microsoft	model:	visual studio 2019	scope:	gte	version:	16.0	Trust: 1.0
vendor:	microsoft	model:	visual studio 2019	scope:	lte	version:	16.10	Trust: 1.0
vendor:	microsoft	model:	.net core	scope:	lte	version:	3.1.15	Trust: 1.0
vendor:	fedoraproject	model:	fedora	scope:	eq	version:	33	Trust: 1.0
vendor:	microsoft	model:	.net	scope:	gte	version:	5.0	Trust: 1.0
vendor:	microsoft	model:	.net	scope:	lte	version:	5.0.6	Trust: 1.0
vendor:	microsoft	model:	.net core	scope:	gte	version:	3.1	Trust: 1.0
vendor:	マイクロソフト	model:	.net	scope:	-	version:	-	Trust: 0.8
vendor:	マイクロソフト	model:	microsoft visual studio	scope:	-	version:	-	Trust: 0.8
vendor:	fedora	model:	fedora	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2021-001972 // NVD: CVE-2021-31957

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-31957
value:	HIGH
Trust: 1.0
secure@microsoft.com:	CVE-2021-31957
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2021-31957
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-202104-975
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202106-495
value:	HIGH
Trust: 0.6

nvd@nist.gov:	CVE-2021-31957
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8

nvd@nist.gov:	CVE-2021-31957
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	3.6
version:	3.1
Trust: 1.0
secure@microsoft.com:	CVE-2021-31957
baseSeverity:	MEDIUM
baseScore:	5.9
vectorString:	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector:	NETWORK
attackComplexity:	HIGH
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	HIGH
exploitabilityScore:	2.2
impactScore:	3.6
version:	3.1
Trust: 1.0
NVD:	CVE-2021-31957
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: JVNDB: JVNDB-2021-001972 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202106-495 // NVD: CVE-2021-31957 // NVD: CVE-2021-31957

PROBLEMTYPE DATA

problemtype:	NVD-CWE-noinfo	Trust: 1.0
problemtype:	Lack of information (CWE-noinfo) [NVD Evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2021-001972 // NVD: CVE-2021-31957

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202106-495

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202104-975

PATCH

title:	ASP.NET Denial of Service Vulnerability Security Update Guide	url:	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4PRVVLXXQEF4SEJOBV3VRJHGX7YHY2CG/	Trust: 0.8
title:	Visual Studio Enter the fix for the verification error vulnerability	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=155429	Trust: 0.6

sources: JVNDB: JVNDB-2021-001972 // CNNVD: CNNVD-202106-495

EXTERNAL IDS

db:	NVD	id:	CVE-2021-31957	Trust: 2.8
db:	JVNDB	id:	JVNDB-2021-001972	Trust: 0.8
db:	PACKETSTORM	id:	163033	Trust: 0.7
db:	CS-HELP	id:	SB2021041363	Trust: 0.6
db:	CNNVD	id:	CNNVD-202104-975	Trust: 0.6
db:	CS-HELP	id:	SB2021061519	Trust: 0.6
db:	CS-HELP	id:	SB2021060808	Trust: 0.6
db:	CS-HELP	id:	SB2021060930	Trust: 0.6
db:	AUSCERT	id:	ESB-2021.2038	Trust: 0.6
db:	CNNVD	id:	CNNVD-202106-495	Trust: 0.6
db:	PACKETSTORM	id:	163035	Trust: 0.1
db:	PACKETSTORM	id:	163039	Trust: 0.1
db:	PACKETSTORM	id:	163041	Trust: 0.1

sources: JVNDB: JVNDB-2021-001972 // PACKETSTORM: 163033 // PACKETSTORM: 163035 // PACKETSTORM: 163039 // PACKETSTORM: 163041 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202106-495 // NVD: CVE-2021-31957

REFERENCES

url:	https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/cve-2021-31957	Trust: 1.6
url:	https://nvd.nist.gov/vuln/detail/cve-2021-31957	Trust: 1.2
url:	https://access.redhat.com/security/cve/cve-2021-31957	Trust: 1.0
url:	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4prvvlxxqef4sejobv3vrjhgx7yhy2cg/	Trust: 1.0
url:	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/cvcdyip4a6ddrt7g6p3zw6pknk2dnwj2/	Trust: 1.0
url:	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/pmhwhrrydhkm6biinw5v7ocsw4sdwb4w/	Trust: 1.0
url:	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/vmao4ng2oq4pcxuqwmnscmywlijjy6uy/	Trust: 1.0
url:	https://www.ipa.go.jp/security/ciadr/vul/20210609-ms.html	Trust: 0.8
url:	https://www.jpcert.or.jp/at/2021/at210027.html	Trust: 0.8
url:	https://www.cybersecurity-help.cz/vdb/sb2021041363	Trust: 0.6
url:	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/cvcdyip4a6ddrt7g6p3zw6pknk2dnwj2/	Trust: 0.6
url:	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/pmhwhrrydhkm6biinw5v7ocsw4sdwb4w/	Trust: 0.6
url:	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/vmao4ng2oq4pcxuqwmnscmywlijjy6uy/	Trust: 0.6
url:	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4prvvlxxqef4sejobv3vrjhgx7yhy2cg/	Trust: 0.6
url:	https://packetstormsecurity.com/files/163033/red-hat-security-advisory-2021-2352-01.html	Trust: 0.6
url:	https://msrc.microsoft.com/update-guide/vulnerability/cve-2021-31957	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2021.2038	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2021060930	Trust: 0.6
url:	https://vigilance.fr/vulnerability/microsoft-visual-studio-vulnerabilities-of-june-2021-35661	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2021061519	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2021060808	Trust: 0.6
url:	https://listman.redhat.com/mailman/listinfo/rhsa-announce	Trust: 0.4
url:	https://access.redhat.com/security/updates/classification/#important	Trust: 0.4
url:	https://access.redhat.com/articles/11258	Trust: 0.4
url:	https://access.redhat.com/security/team/key/	Trust: 0.4
url:	https://bugzilla.redhat.com/):	Trust: 0.4
url:	https://access.redhat.com/security/team/contact/	Trust: 0.4
url:	https://access.redhat.com/errata/rhsa-2021:2352	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2021:2353	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2021:2350	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2021:2351	Trust: 0.1

CREDITS

Red Hat

Trust: 0.4

sources: PACKETSTORM: 163033 // PACKETSTORM: 163035 // PACKETSTORM: 163039 // PACKETSTORM: 163041

SOURCES

db:	JVNDB	id:	JVNDB-2021-001972
db:	PACKETSTORM	id:	163033
db:	PACKETSTORM	id:	163035
db:	PACKETSTORM	id:	163039
db:	PACKETSTORM	id:	163041
db:	CNNVD	id:	CNNVD-202104-975
db:	CNNVD	id:	CNNVD-202106-495
db:	NVD	id:	CVE-2021-31957

LAST UPDATE DATE

2024-08-14T12:28:35.463000+00:00

SOURCES UPDATE DATE

db:	JVNDB	id:	JVNDB-2021-001972	date:	2021-07-06T07:22:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-14T00:00:00
db:	CNNVD	id:	CNNVD-202106-495	date:	2021-06-29T00:00:00
db:	NVD	id:	CVE-2021-31957	date:	2024-05-29T15:15:43.553

SOURCES RELEASE DATE

db:	JVNDB	id:	JVNDB-2021-001972	date:	2021-07-06T00:00:00
db:	PACKETSTORM	id:	163033	date:	2021-06-09T13:27:08
db:	PACKETSTORM	id:	163035	date:	2021-06-09T13:27:47
db:	PACKETSTORM	id:	163039	date:	2021-06-09T13:40:11
db:	PACKETSTORM	id:	163041	date:	2021-06-09T13:40:25
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-13T00:00:00
db:	CNNVD	id:	CNNVD-202106-495	date:	2021-06-08T00:00:00
db:	NVD	id:	CVE-2021-31957	date:	2021-06-08T23:15:08.870