Understand impact of Windows Server 2012 security update

Answers

  • As per the reference article below, the only information officially available from MS is that it mitigates denial of service attacks. There is only a one-line statement, which is very vague and has no technical details. It states “The vulnerability could allow denial of service if an attacker sends a small number of specially crafted requests to an affected .NET-enabled website.”

    https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2014/ms14-053?redirectedfrom=MSDN

     

    But unofficially, below is the information that is available. Hope it helps you.

     

    • KB updates system.identitymodel.dll
    • CVE causes Failure to Handle Exceptional Conditions
    • Attacker causes compute resource exhaustion denial of service on ASP.NET webserver by sending maliciously crafted HTTP/HTTPS requests.
    • Microsoft .NET Framework 1.1 SP1, 2.0 SP2, 3.0 SP2, 3.5, 3.5.1, 4, 4.5, 4.5.1, and 4.5.2 does not properly use a hash table for request data, which allows remote attackers to cause a denial of service (resource consumption and ASP.NET performance degradation) via crafted requests, aka ".NET Framework Denial of Service Vulnerability."

    Regards,
    Citrix Vdi and Windows Server 2019 Expert





    • Edited by DinuG Tuesday, October 1, 2019 6:20 PM
    • Marked as answer by OneBlueBird Tuesday, November 19, 2019 9:14 AM
    Tuesday, October 1, 2019 6:18 PM

All replies

  • Hi Dinu,

    Thanks for educating me on this. I am wondering how customers learn the impact of applying these patches. How do they make an educated call?

    I am sure there should be a methodology to verify and validate the impact of these patches on the .NET applications that are running. Assume the case of a customer who has hundreds of applications running on Windows Server (say 2012). Do they have time to test all of these applications and learn the impact?

    Anyone here to help me?

    Thank you
    Saravanakumar

    Tuesday, November 19, 2019 9:20 AM
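
One way to start on the validation question above, as an added example that is not part of the thread: a PowerShell script that inventories every copy of System.IdentityModel.dll on a server before patching and reports which copies changed afterwards. It assumes the unofficial note in the answer is correct that the update replaces that DLL; the parameter names and the CSV file name are hypothetical.

```powershell
# Added example, not from the thread. Run once before and once after patching.
# Assumption: the update replaces System.IdentityModel.dll, as the answer reports.
param(
    [ValidateSet('Snapshot', 'Compare')]
    [string]$Mode = 'Snapshot',
    # Hypothetical file name for the per-server inventory.
    [string]$Path = ".\identitymodel-$env:COMPUTERNAME.csv"
)

function Get-IdentityModelCopy {
    # Framework directories plus the .NET 2.0-3.5 and .NET 4.x GAC locations.
    $roots = @("$env:windir\Microsoft.NET", "$env:windir\assembly") |
        Where-Object { Test-Path $_ }
    Get-ChildItem -Path $roots -Recurse -Filter 'System.IdentityModel.dll' `
                  -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            # Everything is stored as a string so that a live scan and an
            # imported CSV compare equal when nothing has changed.
            [pscustomobject]@{
                Computer    = $env:COMPUTERNAME
                FullName    = $_.FullName
                FileVersion = [string]$_.VersionInfo.FileVersion
                Length      = [string]$_.Length
            }
        }
}

if ($Mode -eq 'Snapshot') {
    Get-IdentityModelCopy | Export-Csv -Path $Path -NoTypeInformation
    Write-Output "Baseline written to $Path"
}
else {
    if (-not (Test-Path $Path)) { throw "No baseline at $Path; run -Mode Snapshot first." }
    $before = @(Import-Csv -Path $Path)
    $after  = @(Get-IdentityModelCopy)
    if ($before.Count -eq 0 -or $after.Count -eq 0) { throw 'No copies found to compare.' }
    # '<=' rows exist only in the baseline, '=>' rows only in the current scan.
    $diff = Compare-Object -ReferenceObject $before -DifferenceObject $after `
                           -Property FullName, FileVersion, Length
    if ($diff) { $diff | Sort-Object FullName, SideIndicator | Format-Table -AutoSize }
    else       { Write-Output 'No copy of System.IdentityModel.dll changed.' }
}
```

The paths that show a new FileVersion indicate which framework versions the update touched on that server, which can help decide which applications to regression-test first.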