
ASP.NET DoS Vulnerability (KB2659883 and MS11-100)

Question asked by Kevin Sedran on Apr 17, 2012
Latest reply on Apr 18, 2012 by Caleb Corey

Hello,

 

When I run a VM scan against my server I am getting a potential denial of service vulnerability show up in the scan results.

My server is running Windows Server 2008 R2 SP1.

 

The suggested solution is to install the following patch, which I did, but the vulnerability still shows up in a scan:

http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=28570

This patch is for 2008 R2 x64 SP1 systems with .NET 4.0 installed.

My server has multiple versions of the .NET Framework installed: v2.0.50727, v3.0, v3.5, v4.0.30319

I noticed there is a patch for .NET 3.5 as well. Does this patch also need to be installed?

What about patches for v2.0 and v3.0?

 

My ASP.NET app is built using the 4.0 version of the .NET Framework and is the only application that resides on the server. The server hosts nothing else other than my app. Should I uninstall the previous version of the .NET Framework? Is that even possible?

There is also a workaround suggesting to reduce the <httpRuntime maxRequestLength="20"/>. My application allows the uploading of pictures; won't this throw an error if a user tries to upload an item >20KB?

 

Any suggestions on how to fix this vulnerability?

Thanks!!
