Security Advisory 2022-12-06

This advisory discloses a security vulnerability that could lead to unauthorized access of privileged information by exploiting a vulnerability in System.Security.Cryptography.Xml 4.7.0. Some earlier versions of NServiceBus had a package dependency on System.Security.Cryptography.Xml with a minimum required version of 4.7.0, and projects referencing those versions of NServiceBus inherited the vulnerability. The vulnerability has been removed in patches for those versions of NServiceBus by changing the minimum required version of System.Security.Cryptography.Xml to 4.7.1.

Projects are affected by this vulnerability if both of the following are true:

  • They reference NServiceBus 7.7.x (7.7.4 or earlier) or 7.8.0 (other versions may be affected, but they are not supported)
  • They do not explicitly reference <PackageReference Include="System.Security.Cryptography.Xml" Version="4.7.1" /> or later
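The two conditions above can be checked mechanically. The following is an added example, not code from Particular Software: it assumes SDK-style project files with direct `PackageReference` items, and the function names and sample files are hypothetical. It does not examine transitive references or central package management files.

```python
import re
import xml.etree.ElementTree as ET

def parse_version(text):
    """'7.7.4' -> (7, 7, 4); None for missing, floating ('7.*') or range versions."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:[-+].*)?", (text or "").strip())
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def package_references(csproj_text):
    """Map lower-cased package id -> parsed version for every PackageReference item."""
    refs = {}
    for el in ET.fromstring(csproj_text).iter():
        if el.tag.split("}")[-1] != "PackageReference" or not el.get("Include"):
            continue
        version = el.get("Version")
        if version is None:  # Version may also be written as a child element
            version = next((c.text for c in el if c.tag.split("}")[-1] == "Version"), None)
        refs[el.get("Include").lower()] = parse_version(version)
    return refs

def check_project(csproj_text):
    """Apply the advisory's two conditions to one project file."""
    refs = package_references(csproj_text)
    if "nservicebus" not in refs:
        return "no direct reference"  # transitive references are not examined
    xml = refs.get("system.security.cryptography.xml")
    if xml is not None and xml >= (4, 7, 1):
        return "not affected"  # explicit reference to 4.7.1 or later
    nsb = refs["nservicebus"]
    if nsb is None or nsb < (7, 7, 0):
        return "unknown"  # unparseable, or an unsupported version the advisory does not rule out
    in_range = (nsb[:2] == (7, 7) and nsb <= (7, 7, 4)) or nsb[:3] == (7, 8, 0)
    return "affected" if in_range else "not affected"

# Constructed sample project files (not taken from any real repository).
VULNERABLE = """<Project Sdk="Microsoft.NET.Sdk"><ItemGroup>
  <PackageReference Include="NServiceBus" Version="7.7.4" />
</ItemGroup></Project>"""
MITIGATED = """<Project Sdk="Microsoft.NET.Sdk"><ItemGroup>
  <PackageReference Include="NServiceBus" Version="7.8.0" />
  <PackageReference Include="System.Security.Cryptography.Xml" Version="4.7.1" />
</ItemGroup></Project>"""

if __name__ == "__main__":
    for name, text in (("vulnerable", VULNERABLE), ("mitigated", MITIGATED)):
        print(name, "->", check_project(text))
```

A result of "unknown" or "no direct reference" means the project needs a manual look at its resolved package graph.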

Questions or concerns regarding this advisory may be sent to security@particular.net.

System.Security.Cryptography.Xml vulnerability (CVE-2022-34716)

An information disclosure vulnerability exists in .NET Core 3.1 (3.1.27 and earlier) and .NET 6.0 (6.0.7 and earlier) that could lead to unauthorized access of privileged information. Details are available in the CVE-2022-34716 vulnerability disclosure from Microsoft.

In-depth details about the attack complexity, vector, and impact are available in the CVE-2022-34716 guidance from DevHub.

Affected versions

NServiceBus 7.7.x (7.7.4 and earlier) and 7.8.0 are affected by this vulnerability.

NServiceBus 8.0.0 and later are not affected.

(Other versions may be affected, but they are not supported.)

Risk mitigation

If it is not immediately possible to perform the fix listed below, as a workaround, the vulnerability may be removed by adding an explicit reference to System.Security.Cryptography.Xml 4.7.1:

<PackageReference Include="System.Security.Cryptography.Xml" Version="4.7.1" />

Fix

This vulnerability can be fixed by upgrading NServiceBus to the latest patch of a currently supported version.
