.NET Framework January 2024 Security and Quality Rollup
[Revised 01/24/2024] To add missing product versions of Windows Server 2012 and Windows Server 2012 R2.
[Revised 01/16/2024] To fix the typo and link for CVE.
Today, we are releasing the January 2024 Security and Quality Rollup Updates for .NET Framework.
Security
CVE-2023-36042 – .NET Framework Denial of Service Vulnerability
This security update addresses a security feature bypass vulnerability detailed in CVE 2023-36042.
CVE-2024-0056 – .NET Framework Security Feature Bypass Vulnerability
This security update addresses a security feature bypass vulnerability detailed in CVE 2024-0056.
CVE-2024-0057 – .NET Framework Security Feature Vulnerability
This security update addresses an elevation of privilege vulnerability detailed in CVE 2024-0057.
CVE-2024-21312 – .NET Framework Denial of Service Vulnerability
This security update addresses a denial of service vulnerability detailed in CVE 2024-21312.
.NET Framework Remote Code Execution Vulnerability
This security update addresses a remote code execution vulnerability to HTTP .NET remoting server channel chain.
Quality and Reliability
There are no new Quality and Reliability Improvements in this update.
Getting the Update
The Security and Quality Rollup is available via Windows Update, Windows Server Update Services, and Microsoft Update Catalog. The Security Only Update is available via Windows Server Update Services and Microsoft Update Catalog.
Microsoft Update Catalog
You can get the update via the Microsoft Update Catalog. For Windows 10, NET Framework 4.8 updates are available via Windows Update, Windows Server Update Services, Microsoft Update Catalog. Updates for other versions of .NET Framework are part of the Windows 10 Monthly Cumulative Update.
**Note**: Customers that rely on Windows Update and Windows Server Update Services will automatically receive the .NET Framework version-specific updates. Advanced system administrators can also take use of the below direct Microsoft Update Catalog download links to .NET Framework-specific updates. Before applying these updates, please ensure that you carefully review the .NET Framework version applicability, to ensure that you only install updates on systems where they apply.
The following table is for Windows 10 and Windows Server 2016+ versions.
| Product Version | Cumulative Update | |
|---|---|---|
| Microsoft server operating system, version 23H2 | ||
| .NET Framework 3.5, 4.8.1 | Catalog | 5033917 |
| Windows 11, version 22H2 and Windows 11, version 23H2 | ||
| .NET Framework 3.5, 4.8.1 | Catalog | 5033920 |
| Windows 11, version 21H2 | 5034276 | |
| .NET Framework 3.5, 4.8 | Catalog | 5033912 |
| .NET Framework 3.5, 4.8.1 | Catalog | 5033919 |
| Microsoft server operating system, version 22H2 | 5034272 | |
| .NET Framework 3.5, 4.8 | Catalog | 5033914 |
| .NET Framework 3.5, 4.8.1 | Catalog | 5033922 |
| Microsoft server operating system version 21H2 | 5034272 | |
| .NET Framework 3.5, 4.8 | Catalog | 5033914 |
| .NET Framework 3.5, 4.8.1 | Catalog | 5033922 |
| Windows 10, version 22H2 | 5034275 | |
| .NET Framework 3.5, 4.8 | Catalog | 5033909 |
| .NET Framework 3.5, 4.8.1 | Catalog | 5033918 |
| Windows 10, version 21H2 | 5034274 | |
| .NET Framework 3.5, 4.8 | Catalog | 5033909 |
| .NET Framework 3.5, 4.8.1 | Catalog | 5033918 |
| Windows 10 1809 and Windows Server 2019 | 5034273 | |
| .NET Framework 3.5, 4.7.2 | Catalog | 5033904 |
| .NET Framework 3.5, 4.8 | Catalog | 5033911 |
| Windows 10 1607 and Windows Server 2016 | ||
| .NET Framework 3.5, 4.6.2, 4.7, 4.7.1, 4.7.2 | Catalog | 5034119 |
| .NET Framework 4.8 | Catalog | 5033910 |
| Windows 10 1507 | ||
| .NET Framework 3.5, 4.6, 4.6.2 | Catalog | 5034134 |
The following table is for earlier Windows and Windows Server versions.
| Product Version | Security and Quality Rollup | Security Only Update | ||
|---|---|---|---|---|
| Windows Server 2012 R2 | 5034279 | |||
| .NET Framework 3.5 | Catalog | 5033900 | ||
| .NET Framework 4.6.2, 4.7, 4.7.1, 4.7.2 | Catalog | 5033906 | ||
| .NET Framework 4.8 | Catalog | 5033915 | ||
| Windows Server 2012 | 5034278 | |||
| .NET Framework 3.5 | Catalog | 5033897 | ||
| .NET Framework 4.6.2, 4.7, 4.7.1, 4.7.2 | Catalog | 5033905 | ||
| .NET Framework 4.8 | Catalog | 5033913 | ||
| Windows Server 2008 | 5034280 | 5034270 | ||
| .NET Framework 2.0, 3.0 | Catalog | 5033898 | Catalog | 5033945 |
| .NET Framework 3.5 | Catalog | 5034008 | Catalog | 5033952 |
| .NET Framework 4.6.2 | Catalog | 5033907 | Catalog | 5033947 |
| Windows Server 2008 R2 | 5034277 | 5034269 | ||
| .NET Framework 3.5.1 | Catalog | 5033899 | Catalog | 5033946 |
| .NET Framework 4.6.2, 4.7, 4.7.1, 4.7.2 | Catalog | 5033907 | Catalog | 5033947 |
| .NET Framework 4.8 | Catalog | 5033916 | Catalog | 5033948 |
The operating system row lists a KB which will be used for update offering purposes. When the operating system KB is offered, the applicability logic will determine the specific .NET Framework update(s) will be installed. Updates for individual .NET Framework versions will be installed based on the version of .NET Framework that is already present on the device. Because of this the operating system KB is not expected to be listed as installed updates on the device. The expected update to be installed are the .NET Framework specific version updates listed in the table above.
Previous Monthly Rollups
The last few .NET Framework Monthly updates are listed below for your convenience:
- .NET Framework October 2023 Cumulative Update Preview
- .NET Framework October 2023 Security and Quality Rollup Updates
- .NET Framework September 2023 Cumulative Update Preview
- .NET Framework August 2023 Cumulative Update Preview
Light
Dark
7 comments
Some CVE numbers are listed as 2023-*, shouldn’t they be 2024-*?
Hi Mayuki,
Thanks for reporting this. I have fixed these.
Hi Salini,
Texts are fixed but not the link.
Should be https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-0057 instead of https://msrc.microsoft.com/update-guide/en-US/advisory/CVE2024-0057
Thanks
Yes, Thank you Vishwanand!
Missing updates for 2K12/R2 such as KB5033900 and KB5033915
Hi Xuhua,
Thanks for reporting this issue. I have updated the blog post to include the missing operating systems.
.NET 4.7 and below version will get their security with Security cumulative update MS launch each patch Tuesday.
Vulnerability reported by Microsoft defender in the month of Feb’24 for .NetFramework v4.7 was remediated after installing security cumulative update KB5034767.
Point of further discussion here is… how security cumulative update KB5034767 is resolving vulnerability reported for for .NetFramework v4.7?? How they are interlinked?? What piece of information it is updating that is resolving .NetFramework vulnerability.?
Please reply to this question and it’s very urgent.