We have released security updates to supported versions of Microsoft.Data.SqlClient and System.Data.SqlClient. It is recommended to update references to these versions as soon as possible.
A new security vulnerability was announced in the .NET SqlClient drivers that allows an attacker to silently bypass encryption in the connection between a client and a server. The details are discussed in the CVE:
We've released the following hotfix packages to address this important security issue:
What, specifically, do you need to do?
If you are using System.Data.SqlClient from .NET Framework, Windows automatic updates will install the January 2024 update(s) for .NET Framework. If automatic updates are disabled, the .NET Framework update listed in the CVE will need to be manually applied.
Applications using either the System.Data.SqlClient or Microsoft.Data.SqlClient NuGet Packages need to do the following to be protected:
An updated version of Microsoft.Data.SqlClient, version 5.1.4, was also released that upgrades the Azure.Identity dependency to version 1.10.3, which addresses CVE-2023-36414 in that library. (release notes) (download)
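A practical way to check whether an application still references an affected package is to audit its project files for SqlClient-related PackageReference entries. The script below is an added example, not code from the post or from the SqlClient project. It uses the two version numbers the post names (Microsoft.Data.SqlClient 5.1.4 and Azure.Identity 1.10.3) as minimums; the post does not list the hotfix version for System.Data.SqlClient, so that entry is a placeholder that must be replaced with the version from the CVE. The sample project file is constructed for the example.

```python
"""Audit .csproj files for SqlClient-related package references below a minimum version.

Added example (not part of the original post). MIN_VERSIONS holds the versions the post
names; the System.Data.SqlClient entry is a PLACEHOLDER to be replaced from the CVE.
"""
from pathlib import Path
from typing import Dict, List, Optional, Tuple
import xml.etree.ElementTree as ET

MIN_VERSIONS: Dict[str, str] = {
    "Microsoft.Data.SqlClient": "5.1.4",   # named in the post
    "Azure.Identity": "1.10.3",            # named in the post (CVE-2023-36414)
    "System.Data.SqlClient": "0.0.0",      # PLACEHOLDER: set to the patched version from the CVE
}

# Constructed sample project file: one reference is below the minimum.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Microsoft.Data.SqlClient" Version="5.1.2" />
    <PackageReference Include="Azure.Identity" Version="1.10.3" />
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
  </ItemGroup>
</Project>"""


def parse_version(v: str) -> Tuple[Tuple[int, ...], bool]:
    """Split a NuGet-style version into (numeric parts, is_release).

    Numeric parts are padded to four components so "5.1" == "5.1.0.0".
    A prerelease (e.g. "5.1.4-preview1") sorts below the same release version.
    """
    core, sep, _prerelease = v.partition("-")
    parts = tuple(int(p) for p in core.split("."))
    parts = parts + (0,) * (4 - len(parts))
    return (parts, sep == "")


def is_at_least(found: str, minimum: str) -> bool:
    """True when the referenced version satisfies the minimum."""
    return parse_version(found) >= parse_version(minimum)


def _local_name(tag: str) -> str:
    """Strip an XML namespace (old-style csproj files declare one)."""
    return tag.rsplit("}", 1)[-1]


def _reference_version(ref: ET.Element) -> Optional[str]:
    """Version may be an attribute or a <Version> child element."""
    if ref.get("Version"):
        return ref.get("Version")
    for child in ref:
        if _local_name(child.tag) == "Version" and child.text:
            return child.text.strip()
    return None


def audit_csproj(xml_text: str) -> List[Tuple[str, str, str]]:
    """Return (package, found_version, required_version) for each reference below minimum."""
    root = ET.fromstring(xml_text)
    findings: List[Tuple[str, str, str]] = []
    for elem in root.iter():
        if _local_name(elem.tag) != "PackageReference":
            continue
        name = elem.get("Include")
        version = _reference_version(elem)
        if name in MIN_VERSIONS and version is not None:
            if not is_at_least(version, MIN_VERSIONS[name]):
                findings.append((name, version, MIN_VERSIONS[name]))
    return findings


def scan_tree(root_dir: str) -> Dict[str, List[Tuple[str, str, str]]]:
    """Audit every .csproj under root_dir; keys are file paths with findings."""
    results: Dict[str, List[Tuple[str, str, str]]] = {}
    for path in Path(root_dir).rglob("*.csproj"):
        findings = audit_csproj(path.read_text(encoding="utf-8"))
        if findings:
            results[str(path)] = findings
    return results


if __name__ == "__main__":
    # Run against the constructed sample; pass a directory to scan_tree for a real codebase.
    for pkg, found, needed in audit_csproj(SAMPLE_CSPROJ):
        print(f"{pkg}: referenced {found}, minimum {needed}")
```

The audit only catches direct references; transitive dependencies (such as Azure.Identity pulled in by Microsoft.Data.SqlClient) and packages pinned in Directory.Packages.props or packages.config are not covered, and each supported release line of a driver may have its own patched version, so treat the single minimum per package as a starting point rather than the full policy.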
For a list of supported versions of Microsoft.Data.SqlClient and their support lifecycle, see the SqlClient driver support lifecycle.
David Engel