Does Telerik UI for Blazor still have an issue with CVE-2020-1147 Remote Code Execution?

Edward asked on 17 Jan 2024, 08:55 PM | edited on 18 Jan 2024, 04:53 PM

Can you confirm that Telerik UI for Blazor (3.7.0, published Wednesday, November 9, 2022) is not using Microsoft System.Data.Common in such a way that it would expose the following risk to our system? Either way, can you confirm that upgrading to Telerik UI for Blazor V 5 would mitigate this? Thanks.

"CVE-2020-1147 is a remote code execution vulnerability that exists in .NET Framework, Microsoft SharePoint, and Visual Studio. This vulnerability can be exploited when the software fails to check the source markup of XML file input. An attacker who successfully exploits this vulnerability could run arbitrary code in the context of the process responsible for deserialization of the XML content.

In the context of Telerik, it's important to note that the Telerik UI for ASP.NET AJAX builds before R1 2020 (2020.1.114) are vulnerable to this exploit. This vulnerability was exploited by multiple cyber threat actors, including an advanced persistent threat (APT) actor, in a .NET deserialization vulnerability (CVE-2019-18935) in Progress Telerik UI for ASP.NET AJAX, located in a federal civilian executive branch (FCEB) agency's Microsoft Internet Information Services (IIS) web server."

Edward
commented on 18 Jan 2024, 04:55 PM

Does anyone have any knowledge of this? Just looking to confirm. Thanks!

1 Answer, 1 is accepted

Dimo
Telerik team
answered on 19 Jan 2024, 09:00 AM

Hello Edward,

The CVE-2020-1147 vulnerability affects old .NET versions only, namely up to .NET Core 3.1.

It's also worth noting that System.Data.Common itself has no vulnerabilities, but the problem comes from its transitive dependencies.

What we have done is to reference newer patched versions of those transitive dependencies in Telerik.UI.for.Blazor 4.1.0 and Telerik.DataSource 2.1.5. In other words, we have overridden the dependency versions of System.Data.Common, so that we don't use vulnerable ones.

The best thing to do (as always) is upgrade to the latest Telerik UI for Blazor version, because it contains all applicable security enhancements, and does not support .NET 3.1. As the next best thing, use Telerik UI for Blazor 4.6.0 in a .NET 6 app (because Telerik UI for Blazor 4.6.0 depends on Telerik.DataSource 2.1.5).

Regards,
Dimo
Progress Telerik
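The mechanism Dimo describes (overriding the version of a transitive dependency so the app never restores a vulnerable one) can also be applied, and verified, in the consuming application's own project file. The fragment below is an added example and is not Telerik's project file or Dimo's code; the SDK type, the audit properties (which need the .NET 8 SDK or newer) and the `PATCHED_VERSION_PLACEHOLDER` value are assumptions, and the real patched System.Data.Common version must be taken from the NuGet advisory for the package. A direct `PackageReference` takes precedence over the version pulled in transitively through Telerik.DataSource, so the pin applies to the whole dependency graph.

```xml
<!-- Added example csproj for a Blazor app referencing Telerik UI for Blazor 4.6.0 on .NET 6.
     Not Telerik's own file; the SDK, audit settings and placeholder version are assumptions. -->
<Project Sdk="Microsoft.NET.Sdk.Web">

  <PropertyGroup>
    <TargetFramework>net6.0</TargetFramework>
    <Nullable>enable</Nullable>

    <!-- NuGet vulnerability audit on restore (requires .NET 8 SDK / NuGet 6.8 or newer).
         Mode "all" also audits transitive packages; level "low" reports every advisory.
         NU1901-NU1904 are the audit warning codes; turning them into errors fails the build
         as soon as a vulnerable direct or transitive package is restored. -->
    <NuGetAudit>true</NuGetAudit>
    <NuGetAuditMode>all</NuGetAuditMode>
    <NuGetAuditLevel>low</NuGetAuditLevel>
    <WarningsAsErrors>$(WarningsAsErrors);NU1901;NU1902;NU1903;NU1904</WarningsAsErrors>
  </PropertyGroup>

  <ItemGroup>
    <!-- Version from the answer above: 4.6.0 depends on Telerik.DataSource 2.1.5 -->
    <PackageReference Include="Telerik.UI.for.Blazor" Version="4.6.0" />

    <!-- Explicit pin of the transitive dependency. NuGet's "direct dependency wins" rule
         means this version replaces whatever lower version Telerik.DataSource would
         otherwise pull in. Replace the placeholder with the patched version from the advisory. -->
    <PackageReference Include="System.Data.Common" Version="PATCHED_VERSION_PLACEHOLDER" />
  </ItemGroup>

</Project>
```

To check the result after restore, run `dotnet list package --vulnerable --include-transitive` in the project directory; it queries the NuGet advisory database and prints any remaining vulnerable package, transitive ones included, so an empty report is the confirmation that the override took effect.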

Tags
Security