.NET December 2021 Updates – 6.0.1, 5.0.13 and 3.1.22
Today, we are releasing the .NET December 2021 Updates. These updates contain reliability and security improvements. See the individual release notes for details on updated packages.
- Installers and binaries: 6.0.1 | 5.0.13 | 3.1.22
- Release notes: 6.0.1 | 5.0.13 | 3.1.22
- Container images
- Linux packages: 6.0.1 | 5.0.13 | 3.1.22
- Release feedback/issue
- Known issues: 6.0 | 5.0 | 3.1
- ASP.NET Core: 6.0.1 | 5.0.13 | 3.1.22
- EF Core: 6.0.1
- Runtime: 6.0.1 | 5.0.13
- Winforms: 6.0.1 | 5.0.13
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET and .NET Core. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
An elevation of privilege vulnerability exists in the ASP.NET Core Module (ANCM) that could allow elevation of privilege when .NET Core, .NET 5 and .NET 6 applications are hosted within IIS.
Customers that have opted to receive .NET Core updates via the Microsoft Update channel will be offered updates to the Hosting Bundle starting with the December 2021 update. Updates for other .NET Core bundles (.NET Core Runtime, ASP.NET Core Runtime, Windows Desktop Runtime, and SDK) have been offered via Microsoft Update to customers that opt in since December 2020. See this blog post for more information.
There have been limited reports of a failure to install the .NET 6.0.1 update via Microsoft Update; the update fails with error code 0x80070643.
.NET 6.0 can be updated to 6.0.1 via Microsoft Update (MU), and .NET 6.0.1 is also included in the Visual Studio 17.0.3 update. Both options carry the .NET Core Runtime and ASP.NET Core Runtime version 6.0.1 and the .NET 6 SDK version 6.0.101. When these are installed, applications will by default roll forward to the latest runtime patch version automatically. See [framework dependent app runtime roll forward](https://docs.microsoft.com/en-us/dotnet/core/versions/selection#framework-dependent-apps-roll-forward) for more information about this behavior.
Therefore, installing either the 6.0.1 update via MU or the VS 17.0.3 update will secure the machine against the vulnerability described in [CVE-2021-43877](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43877).
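Because framework-dependent apps roll forward to the newest installed patch, the highest patch per major.minor band is what decides whether a host runs a fixed runtime. The sketch below is an added example, not Microsoft's code: it parses `dotnet --list-runtimes` output and compares each band against the versions in this release. The sample listing is constructed, the function names are hypothetical, and the check covers shared runtimes only, not the ANCM binary installed by the Hosting Bundle.

```python
import re

# Patched patch-level per major.minor band, taken from this announcement.
FIXED = {"6.0": 1, "5.0": 13, "3.1": 22}

# `dotnet --list-runtimes` prints one "<name> <version> [<path>]" line per runtime.
LINE = re.compile(r"^(\S+) (\d+\.\d+)\.(\d+)(-\S+)? \[.*\]$")

# Constructed sample listing (not captured from a real host).
SAMPLE = r"""
Microsoft.AspNetCore.App 3.1.22 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 5.0.12 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 6.0.0 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 6.0.1 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.NETCore.App 5.0.12 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 6.0.0 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.WindowsDesktop.App 6.0.0-rc.2.21501.6 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
"""

def audit(listing):
    """Map (framework, band) -> (highest installed patch, 'patched'|'outdated')."""
    highest = {}
    for raw in listing.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        name, band, patch, prerelease = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        # Skip bands this release does not cover, and previews (assumption:
        # hosted apps target release versions, so previews are not selected).
        if band not in FIXED or prerelease:
            continue
        key = (name, band)
        highest[key] = max(highest.get(key, -1), patch)
    # Roll forward selects the highest patch in the band, so that one decides.
    return {k: (p, "patched" if p >= FIXED[k[1]] else "outdated")
            for k, p in highest.items()}

def outdated(listing):
    """Sorted (framework, band) pairs whose newest installed patch predates the fix."""
    return sorted(k for k, (_, s) in audit(listing).items() if s == "outdated")

if __name__ == "__main__":
    for (name, band), (patch, status) in sorted(audit(SAMPLE).items()):
        print(f"{name} {band}.{patch}: {status}")
```

On a real host, pass the text printed by `dotnet --list-runtimes` to `audit` in place of the sample.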