Released: Security updates for Microsoft.Data.SqlClient and System.Data.SqlClient
Published Jan 09 2024 11:34 AM
Microsoft

We have released security updates to supported versions of Microsoft.Data.SqlClient and System.Data.SqlClient. It is recommended to update references to these versions as soon as possible.

A new security vulnerability was announced in the .NET SqlClient drivers that allows an attacker to silently bypass encryption in the connection between a client and a server. The details are discussed in the CVE:

CVE-2024-0056 - Security Update Guide - Microsoft - Microsoft.Data.SqlClient and System.Data.SqlClie...

We've released the following hotfix packages to address this important security issue:

What, specifically, do you need to do?

If you are using System.Data.SqlClient from .NET Framework, Windows automatic updates will install the January 2024 update(s) for .NET Framework. If automatic updates are disabled, the .NET Framework update listed in the CVE will need to be manually applied.

Applications using either the System.Data.SqlClient or Microsoft.Data.SqlClient NuGet packages need to do the following to be protected:

  • If you are using System.Data.SqlClient on .NET Core, .NET 6, .NET 7, or .NET 8, you must update your application's NuGet package reference to 4.8.6.
    • If you are using the System.Data.SqlClient NuGet package and targeting .NET Framework, you need the January 2024 update(s) for .NET Framework. Updating the NuGet reference is not technically required but is good code hygiene.
  • If you are using Microsoft.Data.SqlClient anywhere (.NET Core, .NET 6/7/8, .NET Framework) on a vulnerable version, you must update your NuGet package reference to a fixed version: 2.1.7, 3.1.5, 4.0.5, or 5.1.3.
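As an added example (not part of this post or of the SqlClient project), the following Python script reads a .csproj and reports whether each SqlClient PackageReference meets the minimum versions listed above, treating .NET Framework targets as needing the January 2024 .NET Framework update rather than a package bump. The package names and version thresholds are taken from this post; the sample project file and the verdict strings are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET
# Minimum patched versions from the advisory above; Microsoft.Data.SqlClient is serviced per (major, minor) line.
MDS_FIXED = {(2, 1): (2, 1, 7), (3, 1): (3, 1, 5), (4, 0): (4, 0, 5), (5, 1): (5, 1, 3)}
SDS_FIXED = (4, 8, 6)

def parse_version(text):
    """'5.1.2', '[5.1.2]' or '5.1.2-preview1' -> (5, 1, 2); a NuGet range yields its lower bound."""
    core = text.strip("[]()").split(",")[0].split("-")[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    return tuple((parts + [0, 0, 0])[:3])

def check_reference(package, version, target_framework):
    """Classify one PackageReference according to the advisory's guidance."""
    v = parse_version(version)
    if package == "System.Data.SqlClient":
        if target_framework.startswith(("net4", "v4")):
            # On .NET Framework the fix ships in the January 2024 .NET Framework update, not the NuGet package.
            return "verify January 2024 .NET Framework update is installed"
        return "patched" if v >= SDS_FIXED else "vulnerable: update to 4.8.6"
    if package == "Microsoft.Data.SqlClient":
        fixed = MDS_FIXED.get(v[:2])
        if fixed is None:
            return "release line not listed in the advisory: consult the CVE"
        return "patched" if v >= fixed else "vulnerable: update to " + ".".join(map(str, fixed))
    return "not a SqlClient package"

def audit_csproj(xml_text):
    """Return [(package, version, verdict)] for every SqlClient PackageReference in a .csproj."""
    root = ET.fromstring(xml_text)
    tfm, refs = "", []
    for el in root.iter():
        name = el.tag.rsplit("}", 1)[-1]  # drop the MSBuild xmlns that old-style .csproj files carry
        if name in ("TargetFramework", "TargetFrameworks", "TargetFrameworkVersion") and el.text:
            tfm = el.text.strip()
        elif name == "PackageReference" and el.get("Include") in ("System.Data.SqlClient", "Microsoft.Data.SqlClient"):
            ver = el.get("Version") or next((c.text for c in el if c.tag.rsplit("}", 1)[-1] == "Version"), "")  # attr or child
            refs.append((el.get("Include"), ver))
    return [(pkg, ver, check_reference(pkg, ver, tfm)) for pkg, ver in refs]

# Constructed sample project file (not from the advisory), used only for demonstration.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup><TargetFramework>net8.0</TargetFramework></PropertyGroup>
  <ItemGroup><PackageReference Include="Microsoft.Data.SqlClient" Version="5.1.2" />
  <PackageReference Include="System.Data.SqlClient" Version="4.8.6" /></ItemGroup>
</Project>"""

if __name__ == "__main__":
    for pkg, ver, verdict in audit_csproj(SAMPLE_CSPROJ):
        print(pkg, ver, verdict)
```

To audit a real project, pass the file's contents to `audit_csproj`; multi-targeted projects (a `TargetFrameworks` list) are classified by the list as a whole, so check those by hand.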

An updated version of Microsoft.Data.SqlClient, version 5.1.4, was also released that upgrades the Azure.Identity dependency to version 1.10.3, which addresses CVE-2023-36414 in that library. (release notes) (download)

For a list of supported versions of Microsoft.Data.SqlClient and their support lifecycle, see the SqlClient driver support lifecycle.

David Engel

Last update: Jan 09 2024 11:40 AM