microsoft/ApplicationInsights-Kubernetes

Dependency on .NET 6 and vulnerability CVE-2024-43485 [System.Text.Json]

Closed this issue · 6 comments

Is your feature request related to a problem? Please describe.
This is a feature request.

First of all, thank you for this great library. It's really useful for us.

We import Microsoft.ApplicationInsights.Kubernetes as nuget package on all our .NET 8 cloud services.
Since recently our vulnerability scans report the following critical vulnerability: CVE-2024-43485.

Microsoft recommends upgrading the System.Text.Json library to 8.0.5.

We don't have a direct dependency on System.Text.Json. Therefore, we reviewed how it was used as a secondary dependency.
After ensuring all our dependencies are up to date, we noticed that System.Text.Json is referenced by two libraries:

Microsoft.ApplicationInsights.AspNetCore is a .NET Standard library and is happy with Microsoft.Extensions.Configuration.Json >= 3.0.0. Microsoft.ApplicationInsights.Kubernetes, on the other hand, targets .NET 6. This leads me to think that ApplicationInsights.Kubernetes forces the framework to resolve a lower version of System.Text.Json. This lower version is vulnerable.

Describe the solution you'd like
I would like the library to have support for .NET 8. This will solve lots of vulnerabilities that are already appearing. Given that this is the only solution provided by Microsoft to log Kubernetes telemetry, I think it's critical that the migration happens, regardless. Microsoft will end support for .NET 6 this November.

Is there any plan for this?

Describe alternatives you've considered
The only way to unblock us is to introduce an artificial dependency on System.Text.Json version 8.0.5, which is not ideal.
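The dependency-resolution problem described in this report is easy to check for before a scanner does. The script below is an added example written for this thread, not code from the ApplicationInsights-Kubernetes project: it parses the text printed by `dotnet list package --include-transitive`, flags any resolved copy of a named package below a minimum version (here System.Text.Json below 8.0.5, the version the report says Microsoft recommends), and emits the explicit `PackageReference` pin that the reporter describes as the workaround. The sample output embedded in the block is constructed to mimic the layout of that command; the package versions other than System.Text.Json 6.0.0 are placeholders, and the helper names are this example's own.

```python
"""Flag a transitive package resolved below a minimum version in `dotnet list package` output.

Hypothetical helper written for this issue thread, not part of ApplicationInsights-Kubernetes.
SAMPLE_OUTPUT is constructed to mimic `dotnet list package --include-transitive`; the
version numbers other than System.Text.Json 6.0.0 are placeholders, not real releases.
"""
import re
from typing import List, Tuple

SAMPLE_OUTPUT = """\
Project 'OrderService' has the following package references
   [net8.0]:
   Top-level Package                               Requested   Resolved
   > Microsoft.ApplicationInsights.AspNetCore      1.0.0       1.0.0
   > Microsoft.ApplicationInsights.Kubernetes      1.0.0       1.0.0

   Transitive Package                              Resolved
   > Microsoft.Extensions.Configuration.Json       3.0.0
   > System.Text.Json                              6.0.0
"""

# A package row: ">" then the package id, then one (transitive) or two (top-level) version columns.
ROW = re.compile(r"^\s*>\s+(?P<name>\S+)\s+(?P<cols>.+?)\s*$")


def parse_version(v: str) -> Tuple[Tuple[int, ...], str]:
    """Split '8.0.5-beta' into ((8, 0, 5), 'beta'); the numeric part is padded to 4 places."""
    core, _, pre = v.partition("-")
    nums = tuple(int(p) for p in core.split("."))
    return nums + (0,) * (4 - len(nums)), pre


def version_lt(a: str, b: str) -> bool:
    """True when a is older than b; a pre-release sorts before the same stable version."""
    nums_a, pre_a = parse_version(a)
    nums_b, pre_b = parse_version(b)
    if nums_a != nums_b:
        return nums_a < nums_b
    return bool(pre_a) and not pre_b


def parse_packages(output: str) -> List[Tuple[str, str, str]]:
    """Return (scope, package id, resolved version) for every row in the listing."""
    scope = None
    rows = []
    for line in output.splitlines():
        stripped = line.strip()
        if stripped.startswith("Top-level Package"):
            scope = "top-level"
            continue
        if stripped.startswith("Transitive Package"):
            scope = "transitive"
            continue
        m = ROW.match(line)
        if m and scope:
            # "Resolved" is the last column in both the top-level and transitive tables.
            rows.append((scope, m.group("name"), m.group("cols").split()[-1]))
    return rows


def find_below_minimum(output: str, package: str, minimum: str) -> List[Tuple[str, str]]:
    """Every resolved copy of `package` older than `minimum`, with the scope it was found in."""
    return [
        (scope, resolved)
        for scope, name, resolved in parse_packages(output)
        if name.lower() == package.lower() and version_lt(resolved, minimum)
    ]


def remediation(package: str, minimum: str) -> str:
    """The explicit top-level reference that forces NuGet to resolve at least `minimum`."""
    return f'<PackageReference Include="{package}" Version="{minimum}" />'


if __name__ == "__main__":
    hits = find_below_minimum(SAMPLE_OUTPUT, "System.Text.Json", "8.0.5")
    for scope, resolved in hits:
        print(f"System.Text.Json {resolved} resolved as a {scope} package (minimum 8.0.5)")
    if hits:
        print("Workaround until the dependency chain is fixed:", remediation("System.Text.Json", "8.0.5"))
```

Feed the script the real output of `dotnet list package --include-transitive` for the affected project; the SDK's own `dotnet list package --vulnerable --include-transitive` is the first check to run, and this parser is useful when you need to gate on a specific minimum version rather than on the advisory feed.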

I'll take a look.

Digging into the dependency tree, it looks like we do have a few dependencies on System.Text.Json/6.0.0:

I'll look into how to fix the issue.

/pull/376 shall address the issue.

That's amazing, thank you so much!

Where can I check the lifecycle of changes within this package (or Microsoft's packages) so I can be prepared to upgrade to the prod version?
I see the new version is released as '-beta' at the moment.

@GimmeDaKitty Thanks for getting back. The new package is released:

With regard to the life cycle, usually a stable release follows a couple of betas. You might find some specific dates here in the milestones:

Also, feel free to request if you need a specific implementation to be released soon.

Does that answer your question, or could you please elaborate on what info you need?

Thanks.

I checked the beta and it solves the problem for us, at least for one of our services. So for now this can be closed.
Thank you for the help!