Revised 12/19/23: To add missing product versions of Windows Server 2012 and Windows Server 2012 R2.
Revised 11/15/23: To remove CVE details which were not affected by the .NET Framework November Security and Quality rollup.
Today, we are releasing the November 2023 Security and Quality Rollup updates for .NET Framework.
Security
CVE-2023-36560 – .NET Framework Security Feature Bypass Vulnerability
This security update addresses a security feature bypass vulnerability detailed in CVE-2023-36560.
CVE-2023-36049 – .NET Framework Elevation of Privilege Vulnerability
This security update addresses an elevation of privilege vulnerability detailed in CVE-2023-36049.
Quality and Reliability
This release contains the following quality and reliability improvements.
WPF [1]
- Adds an appconfig mechanism that allows users to extend the list of allowed types for XAML/XPS parsing. (applies to: .NET Framework 4.8.1)
[1] Windows Presentation Foundation (WPF)
Getting the Update
The Security and Quality Rollup is available via Windows Update, Windows Server Update Services, and Microsoft Update Catalog. The Security Only Update is available via Windows Server Update Services and Microsoft Update Catalog.
Microsoft Update Catalog
You can get the update via the Microsoft Update Catalog. For Windows 10, .NET Framework 4.8 updates are available via Windows Update, Windows Server Update Services, and Microsoft Update Catalog. Updates for other versions of .NET Framework are part of the Windows 10 Monthly Cumulative Update.
**Note**: Customers that rely on Windows Update and Windows Server Update Services will automatically receive the .NET Framework version-specific updates. Advanced system administrators can also make use of the direct Microsoft Update Catalog download links below to get .NET Framework-specific updates. Before applying these updates, carefully review the .NET Framework version applicability to ensure that you only install updates on systems where they apply.
The following table is for Windows 10+ and Windows Server 2016+ versions.
Product Version | Cumulative Update | |
---|---|---|
Microsoft server operating system, version 23H2 | ||
.NET Framework 3.5, 4.8.1 | Catalog | 5032004 |
Windows 11, version 22H2 and Windows 11, version 23H2 | ||
.NET Framework 3.5, 4.8.1 | Catalog | 5032007 |
Windows 11, version 21H2 | 5032340 | |
.NET Framework 3.5, 4.8 | Catalog | 5031991 |
.NET Framework 3.5, 4.8.1 | Catalog | 5032006 |
Microsoft server operating system, version 22H2 | 5032478 | |
.NET Framework 3.5, 4.8 | Catalog | 5031993 |
.NET Framework 3.5, 4.8.1 | Catalog | 5032008 |
Microsoft server operating system version 21H2 | 5032336 | |
.NET Framework 3.5, 4.8 | Catalog | 5031993 |
.NET Framework 3.5, 4.8.1 | Catalog | 5032008 |
Windows 10, version 22H2 | 5032339 | |
.NET Framework 3.5, 4.8 | Catalog | 5031988 |
.NET Framework 3.5, 4.8.1 | Catalog | 5032005 |
Windows 10, version 21H2 | 5032338 | |
.NET Framework 3.5, 4.8 | Catalog | 5031988 |
.NET Framework 3.5, 4.8.1 | Catalog | 5032005 |
Windows 10, version 1809 and Windows Server 2019 | 5032337 | |
.NET Framework 3.5, 4.7.2 | Catalog | 5031984 |
.NET Framework 3.5, 4.8 | Catalog | 5031990 |
.NET Framework 3.5, 4.8 | Catalog | 5018210 |
Windows 10, version 1607 and Windows Server 2016 | ||
.NET Framework 3.5, 3.5 + 4.6.2, 4.7, 4.7.1, 4.7.2 | Catalog | 5032197 |
.NET Framework 4.8 | Catalog | 5031989 |
Windows 10, version 1507 | ||
.NET Framework 3.5, 3.5 + 4.6, 4.6.2 | Catalog | 5032199 |
The following table is for earlier Windows and Windows Server versions.
Product Version | Security and Quality Rollup | Security Only Update | ||
---|---|---|---|---|
Windows Server 2012 R2 | 5032343 | |||
.NET Framework 3.5 | Catalog | 5032001 | ||
.NET Framework 4.6.2, 4.7, 4.7.1, 4.7.2 | Catalog | 5031986 | ||
.NET Framework 4.8 | Catalog | 5031994 | ||
Windows Server 2012 | 5032342 | |||
.NET Framework 3.5 | Catalog | 5031998 | ||
.NET Framework 4.6.2, 4.7, 4.7.1, 4.7.2 | Catalog | 5031985 | ||
.NET Framework 4.8 | Catalog | 5031992 | ||
Windows Server 2008 R2 | 5032341 | 5032185 | ||
.NET Framework 3.5.1 | Catalog | 5032000 | Catalog | 5032012 |
.NET Framework 4.6.2, 4.7, 4.7.1, 4.7.2 | Catalog | 5031987 | Catalog | 5032009 |
.NET Framework 4.8 | Catalog | 5031995 | Catalog | 5032010 |
Windows Server 2008 | 5032344 | 5032186 | ||
.NET Framework 2.0, 3.0 | Catalog | 5031999 | Catalog | 5032011 |
.NET Framework 4.6.2 | Catalog | 5031987 | Catalog | 5032009 |
The operating system row lists a KB that is used for update offering purposes. When the operating system KB is offered, the applicability logic determines which specific .NET Framework update(s) will be installed. Updates for individual .NET Framework versions are installed based on the version of .NET Framework that is already present on the device. Because of this, the operating system KB is not expected to appear in the list of installed updates on the device. The updates expected to be installed are the .NET Framework version-specific updates listed in the table above.
Previous Monthly Rollups
The last few .NET Framework Monthly updates are listed below for your convenience:
This seems to be missing some patches for Windows Server 2012 R2: November 14, 2023-Security and Quality Rollup for .NET Framework 3.5, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8 for Windows Server 2012 R2 (KB5032343) – Microsoft Support
Hi Xuhua,
Thanks for raising this issue. I have updated the blog post to include the missing operating systems.
Why doesn't the last table include the updates for Server 2012 / 2012 R2?
And why were there no Security Only Updates for both this month?
Never mind about the 2012 Security Only; it was planned to discontinue them.
https://techcommunity.microsoft.com/t5/windows-server-news-and-best/windows-server-end-of-support-key-dates/ba-p/3074148
CVE-2023-36038 https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2023-36038 does not mention dot net framework, while here you have mentioned dot net framework for the CVE. Even the KB articles for framework are mentioning the CVE, can you tell me which of the details is correct?
CVE-2023-36558 also has a similar issue.
Hi Pooja, Thank you for reporting this issue. We have updated the blog post to correct the CVEs which are listed.
The CVE links are all 404 for me. Is it the space character in the links?
Thank you Qing for reporting this. The links should work now.