May 14th, 2019

.NET Framework May 2019 Security and Quality Rollup

Tara Overfield
Senior Software Engineer

Today, we are releasing the May 2019 Cumulative Update, Security and Quality Rollup, and Security Only Update.

Security

CVE-2019-0820 – Denial of Service Vulnerability

A denial of service vulnerability exists when .NET Framework and .NET Core improperly process RegEx strings. An attacker who successfully exploited this vulnerability could cause a denial of service against a .NET application. A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to a .NET Framework (or .NET core) application. The update addresses the vulnerability by correcting how .NET Framework and .NET Core applications handle RegEx string processing.

CVE-2019-0820

CVE-2019-0980 – Denial of Service Vulnerability

A denial of service vulnerability exists when .NET Framework or .NET Core improperly handle web requests. An attacker who successfully exploited this vulnerability could cause a denial of service against a .NET Framework or .NET Core web application. The vulnerability can be exploited remotely, without authentication. A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to the .NET Framework or .NET Core application. The update addresses the vulnerability by correcting how .NET Framework or .NET Core web applications handles web requests.

CVE-2019-0980

CVE-2019-0981 – Denial of Service Vulnerability

A denial of service vulnerability exists when .NET Framework or .NET Core improperly handle web requests. An attacker who successfully exploited this vulnerability could cause a denial of service against a .NET Framework or .NET Core web application. The vulnerability can be exploited remotely, without authentication. A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to the .NET Framework or .NET Core application. The update addresses the vulnerability by correcting how .NET Framework or .NET Core web applications handles web requests.

CVE-2019-0981

CVE-2019-0864 – Denial of Service Vulnerability

A denial of service vulnerability exists when .NET Framework improperly handles objects in heap memory. An attacker who successfully exploited this vulnerability could cause a denial of service against a .NET application. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The security update addresses the vulnerability by correcting how .NET Framework handle objects in heap memory.

CVE-2019-0864

Getting the Update

The Cumulative Update and Security and Quality Rollup are available via Windows Update, Windows Server Update Services, Microsoft Update Catalog, and Docker.  The Security Only Update is available via Windows Server Update Services and Microsoft Update Catalog.

Microsoft Update Catalog

You can get the update via the Microsoft Update Catalog. For Windows 10, NET Framework 4.8 updates are available via Windows Update, Windows Server Update Services, Microsoft Update Catalog.  Updates for other versions of .NET Framework are part of the Windows 10 Monthly Cumulative Update.

The following table is for Windows 10 and Windows Server 2016+ versions.

Product Version Cumulative Update
Windows 10 1903 (May 2019 Update) 4502507
.NET Framework 3.5, 4.8 Catalog 4495620
Windows 10 1809 (October 2018 Update) Windows Server 2019 4466961
.NET Framework 3.5, 4.7.2 Catalog 4495590
.NET Framework 3.5, 4.8 Catalog 4495618
Windows 10 1803 (April 2018 Update) 4498144
.NET Framework 3.5, 4.7.2 Catalog 4499167
.NET Framework 4.8 Catalog 4495616
Windows 10 1709 (Fall Creators Update) 4498143
.NET Framework 3.5, 4.7.1, 4.7.2 Catalog 4499179
.NET Framework 4.8 Catalog 4495613
Windows 10 1703 (Creators Update) 4498142
.NET Framework 3.5, 4.7, 4.7.1, 4.7.2 Catalog 4499181
.NET Framework 4.8 Catalog 4495611
Windows 10 1607 (Anniversary Update) Windows Server 2016 4498141
.NET Framework 3.5, 4.6.2, 4.7, 4.7.1, 4.7.2 Catalog 4494440
.NET Framework 4.8 Catalog 4495610
Windows 10 1507 4499154
.NET Framework 3.5, 4.6, 4.6.1, 4.6.2 Catalog 4499154

 

The following table is for earlier Windows and Windows Server versions.

Product Version Security and Quality Rollup Security Only Update
Windows 8.1 Windows RT 8.1 Windows Server 2012 R2 Catalog 4499408 Catalog 4498963
.NET Framework 3.5 Catalog 4495608 Catalog 4495615
.NET Framework 4.5.2 Catalog 4495592 Catalog 4495589
.NET Framework 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2 Catalog 4495585 Catalog 4495586
.NET Framework 4.8 Catalog 4495624 Catalog 4495625
Windows Server 2012 Catalog 4499407 Catalog 4498962
.NET Framework 3.5 Catalog 4480061 Catalog 4495607
.NET Framework 4.5.2 Catalog 4495594 Catalog 4495591
.NET Framework 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2 Catalog 4495582 Catalog 4495584
.NET Framework 4.8 Catalog 4495622 Catalog 4495623
Windows 7 SP1 Windows Server 2008 R2 SP1 Catalog 4499406 Catalog 4498961
.NET Framework 3.5.1 Catalog 4495606 Catalog 4495612
.NET Framework 4.5.2 Catalog 4495596 Catalog 4495593
.NET Framework 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2 Catalog 4495588 Catalog 4495587
.NET Framework 4.8 Catalog 4495627 Catalog 4495627
Windows Server 2008 Catalog 4499409 Catalog 4498964
.NET Framework 2.0, 3.0 Catalog 4495604 Catalog 4495609
.NET Framework 4.5.2 Catalog 4495596 Catalog 4495593
.NET Framework 4.6 Catalog 4495588 Catalog 4495587

Docker Images

We are updating the following .NET Framework Docker images for today’s release:

Note: Look at the “Tags” view in each repository to see the updated Docker image tags.

Note: Significant changes have been made with Docker images recently. Please look at .NET Docker Announcements for more information.

Previous Monthly Rollups

The last few .NET Framework Monthly updates are listed below for your convenience:

Author

Tara Overfield
Senior Software Engineer

Tara is a Software Engineer on the .NET team. She works on releasing .NET Framework updates.

3 comments

Discussion is closed. Login to edit/delete existing comments.

  • Akash Sarkar

    Hello

  • Dexter Woo

    Any Plan for native ARM64 support on .NET framework?

    • Brett LopezMicrosoft employee

      Hi Dexter,
      The .NET Framework does not natively support ARM64 and there are no plans to add this support.  Our recommendation is to consider moving up to .NET Core if you need ARM64 support (see this and this post for some exciting new stuff coming to .NET Core). That said, on an ARM64 Windows operating system a .NET app will be using the x86 version of .NET running under emulation.
      HTH!

      Read more