Security and Quality Rollup for .NET Framework 2.0, 3.0, 4.5.2, 4.6 for Windows Server 2008 SP2 (KB4566520)

Applies to: .NET Framework

Notice


On July 23, 2020, update KB4565616 v2 and KB4565623 v2 were released to replace v1 of those updates for .NET Framework 4.5.2 and 4.6 for Windows Server 2008 SP2. The v1 updates did not install for customers who had certain ESU configurations.  The v2 updates correct the issue for customers who could not install the v1 updates.  


If you have already installed v1 of these updates, no action is necessary.  


To obtain v2 of these updates, see the “How to obtain and install the update” section of the individual update article.  Links to each article are found in the "Additional information about this update section" of this article.

Summary


A remote code execution vulnerability exists in .NET Framework when the software fails to check the source markup of XML file input. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the process responsible for deserialization of the XML content. To exploit this vulnerability, an attacker could upload a specially crafted document to a server utilizing an affected product to process content. The security update addresses the vulnerability by correcting how .NET Framework validates the source markup of XML content.

This security update affects how .NET Framework's System.Data.DataTable and System.Data.DataSet types read XML-serialized data. Most .NET Framework applications will not experience any behavioral change after the update is installed. For more information on how the update affects .NET Framework, including examples of scenarios which may be affected, please see the DataTable and DataSet security guidance document at https://go.microsoft.com/fwlink/?linkid=2132227.

To learn more about the vulnerabilities, go to the following Common Vulnerabilities and Exposures (CVE).

Additional information about this update


The following articles contain additional information about this update as it relates to individual product versions.
 
  • 4565611 Description of the Security and Quality Rollup for .NET Framework 2.0, 3.0 for Windows Server 2008 SP2 (KB4565611)
  • 4565616 Description of the Security and Quality Rollup for .NET Framework 4.5.2 for Windows 7 SP1 and Windows Server 2008 R2 SP1 and Windows Server 2008 SP2 (KB4565616)
  • 4565623 Description of the Security and Quality Rollup for .NET Framework 4.6 for Windows 7 SP1 and Windows Server 2008 R2 SP1 and Windows Server 2008 SP2 (KB4565623)

Information about protection and security