Description
LinqKit 1.3.8 uses System.Data.SqlClient 4.8.6, which is flagged as containing security vulnerabilities when running a security scan like Sonatype.
The Microsoft.Data.SqlClient package is vulnerable to Information Exposure. The methods in the files listed below fail to properly dispose of the timer objects used to execute callbacks for asynchronous queries. Consequently, under load, data yielded by the callbacks may be returned as the result of a mismatching query. A remote attacker can potentially exploit this behavior to obtain access to the results of queries made by other users. The information obtained may be leveraged to perform further attacks against an affected application.
Advisory Deviation Notice:
The Sonatype Security Research team discovered that the fix for this vulnerability in the System.Data.SqlClient package for users of the netstandard1.3 framework was introduced in version v4.9.0 and not v4.8.5 as stated in the advisory.
Vulnerable File(s) and Method(s):
Microsoft.Data.SqlClient/netcore/src/Microsoft/Data/SqlClient/SqlBulkCopy.cs
  CleanUpStateObject()
Microsoft.Data.SqlClient/netcore/src/Microsoft/Data/SqlClient/SqlDataReader.cs
  TryCloseInternal()
Microsoft.Data.SqlClient/netcore/src/Microsoft/Data/SqlClient/TdsParser.cs
  TryRun()
Microsoft.Data.SqlClient/netcore/src/Microsoft/Data/SqlClient/TdsParserStateObject.cs
  ResetCancelAndProcessAttention()
  TryProcessHeader()
  OnTimeout()
  ReadSni()
  ReadSniError()
Microsoft.Data.SqlClient/netfx/src/Microsoft/Data/SqlClient/SqlBulkCopy.cs
  CleanUpStateObject()
Microsoft.Data.SqlClient/netfx/src/Microsoft/Data/SqlClient/SqlDataReader.cs
  TryCloseInternal()
Microsoft.Data.SqlClient/netfx/src/Microsoft/Data/SqlClient/TdsParser.cs
  TryRun()
Microsoft.Data.SqlClient/netfx/src/Microsoft/Data/SqlClient/TdsParserStateObject.cs
  ResetCancelAndProcessAttention()
  TryProcessHeader()
  OnTimeout()
  ReadSni()
  ReadSniError()
Detection
The application is vulnerable by using this component.
Users of System.Data.SqlClient versions 4.8.5 and 4.8.6 are vulnerable only if you are using the netstandard1.3 framework DLLs for either Windows or Unix contained in the package as these remain affected.
Recommendation
We recommend upgrading to a version of this component that is not vulnerable to this specific issue.
For users of System.Data.SqlClient versions 4.8.5 and 4.8.6, ensure that you are not using the netstandard1.3 framework DLLs for either Windows or Unix contained in the package as these remain affected.
Note: If this component is included as a bundled/transitive dependency of another component, there may not be an upgrade path. In this instance, we recommend contacting the maintainers who included the vulnerable package. Alternatively, we recommend investigating alternative components or a potential mitigating control.
Version Affected
[1.0.0-beta1,4.0.0-beta-22816]
[4.0.0-beta-23109,4.0.0-beta-23225]
[4.1.0-rc2-24027,4.8.6]
Root Cause
System.Data.SqlClient-4.8.6.nupkg : runtimes/win/lib/netstandard1.3/System.Data.SqlClient.dll  [4.1.0, 4.9.0)
System.Data.SqlClient-4.8.6.nupkg : runtimes/unix/lib/netstandard1.3/System.Data.SqlClient.dll  [4.1.0-rc2-24027, 4.9.0)
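As an added example (not part of this issue, LinqKit, or the Sonatype advisory), the following script applies the affected version ranges and the netstandard1.3 condition from the Detection section to the package entries of a project.assets.json file, so a team can tell whether a given build actually resolves the affected DLLs. The version ordering mimics NuGet's (release sorts after a prerelease of the same number; prerelease labels are compared as plain strings, which is sufficient for the ranges listed above); the project.assets.json fragment is a constructed, simplified sample, and `scan_assets` / `is_affected` are names chosen here.

```python
import json

# Affected version ranges of System.Data.SqlClient, copied from "Version Affected"
# above (both bounds inclusive). Anything from 4.9.0 on is outside every range.
AFFECTED_RANGES = [
    ("1.0.0-beta1", "4.0.0-beta-22816"),
    ("4.0.0-beta-23109", "4.0.0-beta-23225"),
    ("4.1.0-rc2-24027", "4.8.6"),
]
# Versions that are affected only through their netstandard1.3 DLLs (see "Detection").
NETSTANDARD13_ONLY = {"4.8.5", "4.8.6"}


def parse_version(v):
    """Turn a NuGet-style version into a sortable key.

    Release versions sort after prerelease versions with the same numeric part,
    matching NuGet. Assumption: prerelease labels compare as plain strings.
    """
    core, _, pre = v.partition("-")
    nums = [int(x) for x in core.split(".")]
    nums += [0] * (4 - len(nums))          # NuGet normalises 4.8.6 to 4.8.6.0
    return tuple(nums), ((1, "") if not pre else (0, pre))


def in_affected_range(version):
    """True if the version falls inside any of the advisory's affected ranges."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def is_affected(version, asset_paths):
    """Decide whether this resolved System.Data.SqlClient version is affected.

    asset_paths: DLL paths NuGet selected for the project. For 4.8.5 / 4.8.6 the
    advisory says only the netstandard1.3 DLLs remain affected, so those versions
    count only when such a path was selected.
    """
    if not in_affected_range(version):
        return False
    ns13_only = {parse_version(x) for x in NETSTANDARD13_ONLY}
    if parse_version(version) in ns13_only:
        return any("netstandard1.3" in p for p in asset_paths)
    return True


def scan_assets(assets_json):
    """Return (target_framework, version, affected) for every System.Data.SqlClient entry."""
    findings = []
    for tfm, libs in json.loads(assets_json).get("targets", {}).items():
        for key, entry in libs.items():
            name, _, version = key.partition("/")
            if name.lower() != "system.data.sqlclient":
                continue
            paths = []
            for section in ("compile", "runtime", "runtimeTargets"):
                paths.extend(entry.get(section, {}).keys())
            findings.append((tfm, version, is_affected(version, paths)))
    return findings


# Constructed, simplified project.assets.json fragment: LinqKit 1.3.8 pulls in
# System.Data.SqlClient 4.8.6 (as the issue states); the selected DLL paths per
# target framework are sample values, not taken from a real restore.
SAMPLE_ASSETS = json.dumps({
    "targets": {
        "netstandard1.3": {
            "LinqKit/1.3.8": {"type": "package",
                              "dependencies": {"System.Data.SqlClient": "4.8.6"}},
            "System.Data.SqlClient/4.8.6": {
                "type": "package",
                "runtimeTargets": {
                    "runtimes/win/lib/netstandard1.3/System.Data.SqlClient.dll":
                        {"assetType": "runtime", "rid": "win"},
                    "runtimes/unix/lib/netstandard1.3/System.Data.SqlClient.dll":
                        {"assetType": "runtime", "rid": "unix"},
                },
            },
        },
        "net6.0": {
            "System.Data.SqlClient/4.8.6": {
                "type": "package",
                "runtime": {"lib/netcoreapp2.1/System.Data.SqlClient.dll": {}},
            },
        },
    }
})

if __name__ == "__main__":
    for tfm, version, affected in scan_assets(SAMPLE_ASSETS):
        print(f"{tfm}: System.Data.SqlClient {version} -> {'AFFECTED' if affected else 'not affected'}")
```

Run it against a real obj/project.assets.json by replacing SAMPLE_ASSETS with the file contents. Where the package arrives transitively through LinqKit, the advisory's upgrade path is to move to a version at or above 4.9.0; with NuGet, a direct PackageReference to the newer version takes precedence over the transitive one, which is the usual way to apply such a fix without waiting for the intermediate package to update.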