CVE-2022-21986

7.5 HIGH

📋 TL;DR

CVE-2022-21986 is a denial of service vulnerability in .NET Core and .NET 5/6 that allows attackers to crash applications by sending specially crafted requests. This affects web applications and services built with affected .NET versions. The vulnerability can be exploited remotely without authentication.

💻 Affected Systems

Products:
  • .NET Core
  • .NET 5
  • .NET 6
Versions: .NET Core 3.1, .NET 5.0, .NET 6.0 (specific versions listed in Microsoft advisory)
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Applications using affected .NET runtime versions are vulnerable regardless of specific application code.

⚠️ Risk & Real-World Impact

🔴 Worst Case
Complete application/service outage leading to business disruption, data loss, and potential cascading failures in dependent systems.

🟠 Likely Case
Service disruption causing downtime, degraded performance, and potential loss of availability for web applications.

🟢 If Mitigated
Minimal impact with proper network segmentation, rate limiting, and updated systems.

🌐 Internet-Facing: HIGH - Remote exploitation without authentication makes internet-facing applications particularly vulnerable.
🏢 Internal Only: MEDIUM - Internal applications are still vulnerable but have reduced attack surface compared to internet-facing systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Microsoft has confirmed the vulnerability is remotely exploitable without authentication. Proof-of-concept code has been published.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: .NET 6.0.2, .NET 5.0.14, .NET Core 3.1.22

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21986

Restart Required: Yes

Instructions:

1. Identify affected .NET installations.
2. Download and install the appropriate security update from Microsoft.
3. Restart affected applications/services.
4. Redeploy applications with the updated runtime if using self-contained deployments.

🔧 Temporary Workarounds

Rate Limiting (applies to: all)
Implement request rate limiting to reduce the impact of DoS attempts.

Web Application Firewall Rules (applies to: all)
Configure the WAF to block suspicious request patterns that might trigger the vulnerability.

🧯 If You Can't Patch

  • Implement network segmentation to isolate vulnerable systems
  • Deploy additional monitoring and alerting for application crashes

🔍 How to Verify

Check if Vulnerable:

Check the installed .NET runtime version with 'dotnet --info', or examine the runtime version the application targets.

Check Version:

dotnet --info | findstr Version

Verify Fix Applied:

Verify that the installed runtime is at least 6.0.2 (for .NET 6), 5.0.14 (for .NET 5) or 3.1.22 (for .NET Core 3.1).
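As an added example (not part of the advisory), the script below applies the three patch levels above to the line format printed by `dotnet --list-runtimes`, which works the same on Windows, Linux and macOS. The sample listing is constructed, and applying one threshold per release branch to every shared framework on that branch (Microsoft.NETCore.App and Microsoft.AspNetCore.App alike) is an assumption of this example.

```python
"""Added example (not part of the advisory): flag installed .NET runtimes that are
below the CVE-2022-21986 patch levels, from `dotnet --list-runtimes` output."""
import re
import subprocess
from typing import List, Tuple

# Patched releases named in the advisory, keyed by release branch (major, minor).
FIXED = {(3, 1): (3, 1, 22), (5, 0): (5, 0, 14), (6, 0): (6, 0, 2)}

# Constructed sample in the line format `dotnet --list-runtimes` prints; not real host output.
SAMPLE_LISTING = """\
Microsoft.NETCore.App 3.1.21 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 5.0.14 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 6.0.0-rc.2.21480.5 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.AspNetCore.App 6.0.1 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 6.0.2 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 7.0.0 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
"""

# "<framework> <major>.<minor>.<patch>[-prerelease] [<path>]"
LINE_RE = re.compile(r"^(\S+)\s+(\d+)\.(\d+)\.(\d+)(-[\w.]+)?\s+\[")


def assess_runtimes(listing: str) -> List[Tuple[str, str, str]]:
    """Return (framework, version, status) for each runtime line; status is
    "vulnerable", "patched" or "not covered" (branch not named in the advisory)."""
    results = []
    for line in listing.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header or unrelated output
        framework, pre = m.group(1), m.group(5)
        major, minor, patch = (int(x) for x in m.group(2, 3, 4))
        version = f"{major}.{minor}.{patch}{pre or ''}"
        fixed = FIXED.get((major, minor))
        if fixed is None:
            status = "not covered"
        else:
            # A prerelease (e.g. 6.0.0-rc.2) ranks below the final build of the same patch number.
            installed = (major, minor, patch, 0 if pre else 1)
            status = "vulnerable" if installed < fixed + (1,) else "patched"
        results.append((framework, version, status))
    return results


def assess_host() -> List[Tuple[str, str, str]]:
    """Run `dotnet --list-runtimes` on this machine and assess its output."""
    proc = subprocess.run(["dotnet", "--list-runtimes"], capture_output=True, text=True, check=True)
    return assess_runtimes(proc.stdout)
```

Call `assess_host()` on a machine with the .NET host installed; any "vulnerable" entry means that runtime is below the patch level for its branch, and "not covered" entries need a separate check against the vendor advisory.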

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with .NET runtime errors
  • Unusual spike in failed requests
  • Process termination events

Network Indicators:

  • Spike in incoming requests to .NET applications
  • Unusual traffic patterns from single sources

SIEM Query:

source="*.log" ("crash" OR "terminated" OR "unhandled exception") AND ("dotnet" OR ".NET" OR "coreclr")
