Lucene search

K
mskbMicrosoftKB4566469
HistoryJul 14, 2020 - 7:00 a.m.

Security Only Update for .NET Framework 2.0, 3.0, 4.5.2, 4.6 for Windows Server 2008 SP2 (KB4566469)

2020-07-1407:00:00
Microsoft
support.microsoft.com
82

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

8.1 High

AI Score

Confidence

High

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.86 High

EPSS

Percentile

98.5%

Security Only Update for .NET Framework 2.0, 3.0, 4.5.2, 4.6 for Windows Server 2008 SP2 (KB4566469)

Notice

Revised 6/8/2021 On June 8th, 2021, this update was released to replace a previous update to address a “revocation server was offline” error that may occur during installation. If you’ve already installed a previous release of this update, no action is required. To obtain the latest version of these updates, see the “How to obtain and install the update” section of the individual update article. Links to each article are found in the “Additional information about this update” section of this article. On April 13th, 2021, this update was released to replace a previous release of this update.On October 13th, 2020 we are republishing this update to resolve a known issue that affected the original release. You should install this version (V3) of the update as part of your normal security routine.On July 23, 2020, update KB4565583 v2 and KB4565586 v2 were released to replace v1 of those updates for .NET Framework 4.5.2 and 4.6 for Windows Server 2008 SP2. The v1 updates did not install for customers who had certain ESU configurations. The v2 updates correct the issue for customers who could not install the v1 updates.

**Applies to:**Microsoft .NET Framework 2.0 Microsoft .NET Framework 3.0 Microsoft .NET Framework 4.5.2 Microsoft .NET Framework 4.6

IMPORTANTVerify thatyou have installed the required updates listed in the How to get this update section before installing this update.

IMPORTANT WSUS scan cab files will continue to be available for Windows Server 2008 SP2. If you have a subset of devices running this operating system without ESU, they might show as non-compliant in your patch management and compliance toolsets.

IMPORTANT Customers who have purchased the Extended Security Update (ESU) for on-premises versions of this OS must follow the procedures in KB4522133 to continue receiving security updates after extended support ends on January 14, 2020. For more information on ESU and which editions are supported, see KB4497181.

IMPORTANT Starting in August, 2019, updates to .NET Framework 4.6 and above, for Windows Server 2008 SP2 require SHA-2 Code signing support. Please make sure that you have all the latest Windows Updates before applying this update to avoid installation issues. For more detailed information about SHA-2 code signing support updates, please see KB 4474419.

IMPORTANT All updates for .NET Framework 4.7.2, 4.7.1, 4.7, 4.6.2, 4.6.1, and 4.6 require that the d3dcompiler_47.dll update is installed. We recommend that you install the included d3dcompiler_47.dll update before you apply this update. For more information about the d3dcompiler_47.dll, see KB 4019990.

IMPORTANT If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see Add language packs to Windows.

Summary

A remote code execution vulnerability exists in .NET Framework when the software fails to check the source markup of XML file input. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the process responsible for deserialization of the XML content. To exploit this vulnerability, an attacker could upload a specially crafted document to a server utilizing an affected product to process content. The security update addresses the vulnerability by correcting how .NET Framework validates the source markup of XML content. This security update affects how .NET Framework’s System.Data.DataTable and System.Data.DataSet types read XML-serialized data. Most .NET Framework applications will not experience any behavioral change after the update is installed. For more information on how the update affects .NET Framework, including examples of scenarios which may be affected, please see the DataTable and DataSet security guidance document at <https://go.microsoft.com/fwlink/?linkid=2132227&gt;.To learn more about the vulnerabilities, go to the following Common Vulnerabilities and Exposures (CVE).

Known issues in some parts of this update

Symptom| After you apply this update, some applications experience aTypeInitializationExceptionexception when they try to deserializeSystem.Data.DataSetorSystem.Data.DataTable instances from the XML within a SQL CLR stored procedure. The stack trace for this exception appears as follows:System.TypeInitializationException: The type initializer for ‘Scope’ threw an exception. —> System.IO.FileNotFoundException: Could not load file or assembly ‘System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a’ or one of its dependencies. The system cannot find the file specified.
at System.Data.TypeLimiter.Scope.IsTypeUnconditionallyAllowed(Type type)
at System.Data.TypeLimiter.Scope.IsAllowedType(Type type)
at System.Data.TypeLimiter.EnsureTypeIsAllowed(Type type, TypeLimiter capturedLimiter)
—|—
Workaround| This issue was corrected by the latest release of the affected parts in this update. Symptom| This update does not install, and it returns either or both of the following error messages:

  • -2146762495
  • A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
  • The revocation function was unable to check revocation because the revocation server was offline.
    Workaround| This issue was corrected by the latest release of the affected parts in this update.If you’ve already installed a previous release of the affected parts, no action is required.

Additional information about this update

The following articles contain additional information about this update as it relates to individual product versions.

  • 4565578 Description of the Security Only Update for .NET Framework 2.0, 3.0 for Windows Server 2008 SP2 (KB4565578)
  • 4565583 Description of the Security Only Update for .NET Framework 4.5.2 for Windows 7 SP1 and Windows Server 2008 R2 SP1 and Windows Server 2008 SP2 (KB4565583)
  • 4565586 Description of the Security Only Update for .NET Framework 4.6 for Windows 7 SP1 and Windows Server 2008 R2 SP1 and Windows Server 2008 SP2 (KB4565586)

Information about protection and security

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

8.1 High

AI Score

Confidence

High

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.86 High

EPSS

Percentile

98.5%