Headline
GHSA-wq34-7f4g-953v: Csla affected by Remote Code Execution via WcfProxy (NetDataContractSerializer)
Impact
Versions of CSLA .NET prior to version 6 allow the use of WcfProxy. WcfProxy uses the NetDataContractSerializer (NDCS) which has known vulnerabilities that can allow remote execution of code during deserialization. NDCS itself is considered obsolete, and you should avoid using WcfProxy or upgrade to CSLA 6 or higher where this issue does not exist.
Patches
CSLA .NET version 6 and higher do not use WCF or NetDataContractSerializer.
Workarounds
If you are using a version CSLA .NET older than version 6, you should stop using WcfProxy in your data portal configuration. Doing this avoids the use of WCF and the NetDataContractSerializer, avoiding the vulnerability.
Impact
Versions of CSLA .NET prior to version 6 allow the use of WcfProxy. WcfProxy uses the NetDataContractSerializer (NDCS) which has known vulnerabilities that can allow remote execution of code during deserialization. NDCS itself is considered obsolete, and you should avoid using WcfProxy or upgrade to CSLA 6 or higher where this issue does not exist.
Patches
CSLA .NET version 6 and higher do not use WCF or NetDataContractSerializer.
Workarounds
If you are using a version CSLA .NET older than version 6, you should stop using WcfProxy in your data portal configuration. Doing this avoids the use of WCF and the NetDataContractSerializer, avoiding the vulnerability.
References
- GHSA-wq34-7f4g-953v
- https://learn.microsoft.com/en-us/dotnet/fundamentals/code-analysis/quality-rules/ca2310