QID 982818: Dotnet (nuget) Security Update for MessagePack.UnityShims (GHSA-7q36-4xx7-xcxf)

A security update has been released for MessagePack, MessagePack.UnityShims, MessagePack.ReactiveProperty and MessagePack.ImmutableCollection to fix the vulnerability.

Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

When this library is used to deserialize messagepack data from an untrusted source, there is a risk of a denial of service attack by either of two vectors:

1. hash collisions - leading to large CPU consumption disproportionate to the size of the data being deserialized.
1. stack overflow - leading to the deserializing process crashing.

  • CVSS V3 rated as High - 6.5 severity.
  • CVSS V2 rated as High - 6.8 severity.

Solution

The following steps are required to mitigate this risk.

1. Upgrade to a version of the library where a fix is available.
1. Add code to your application to put MessagePack into the defensive `UntrustedData` mode.
1. Identify all `IMessagePackFormatter<T>` implementations that do not ship with the MessagePack library, including those acquired from 3rd-party packages and classes included directly in your project, and update them to include the security mitigations. Any AOT formatters generated with the MPC tool must be regenerated with the patched version of mpc.
1. Review your messagepack-serializable data structures for hash-based collections that use custom or unusual types for the hashed key. See below for details on handling such situations.

Review the `MessagePackSecurity` class to tweak any settings as necessary to strike the right balance between performance, functionality, and security.

Specialized `IEqualityComparer<T>` implementations provide the hash collision resistance. Each type of hashed key may require a specialized implementation of its own. The patched MessagePack library includes many such implementations for primitive types commonly used as keys in hash-based collections. If your data structures use custom types as keys in these hash-based collections, putting MessagePack in `UntrustedData` mode may lead the deserializer to throw an exception because no safe `IEqualityComparer<T>` is available for your custom `T` type. You can provide your own safe implementation by deriving from the `MessagePackSecurity` class and overriding the `GetHashCollisionResistantEqualityComparer<T>()` method to return your own custom implementation when `T` matches your type, and fall back to `return base.GetHashCollisionResistantEqualityComparer<T>();` for types you do not have custom implementations for.
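The following C# is an added example written for this page, not code from the advisory or from the MessagePack project. It shows steps 2 and 4 together: putting MessagePack v2.x into `UntrustedData` mode and supplying a collision-resistant comparer for a custom key type by deriving from `MessagePackSecurity`. The `ProductCode` key type, the `SeededProductCodeComparer`, `HardenedSecurity` and `Inventory` classes are invented for the example; it assumes MessagePack v2.x (`MessagePackSerializerOptions.WithSecurity`, `MessagePackSecurity.UntrustedData`) and a protected copy constructor on `MessagePackSecurity`.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using MessagePack;

// Hypothetical custom key type; the advisory's concern is hash-based collections keyed on such types.
[MessagePackObject]
public readonly struct ProductCode : IEquatable<ProductCode>
{
    [Key(0)]
    public string Value { get; }

    [SerializationConstructor]
    public ProductCode(string value) => Value = value ?? string.Empty;

    public bool Equals(ProductCode other) => string.Equals(Value, other.Value, StringComparison.Ordinal);

    public override bool Equals(object obj) => obj is ProductCode other && Equals(other);

    // Not consulted once HashCollisionResistant is on; the comparer below is used instead.
    public override int GetHashCode() => Value.GetHashCode();
}

// Collision-resistant comparer for ProductCode (constructed for this example).
// System.HashCode is seeded with a per-process random value on .NET Core 2.1+, and an extra
// seed from RandomNumberGenerator (.NET Core 3.0+) is mixed in, so whoever produces the
// serialized data cannot predict which bucket a key lands in.
public sealed class SeededProductCodeComparer : IEqualityComparer<ProductCode>
{
    public static readonly SeededProductCodeComparer Instance = new SeededProductCodeComparer();

    private static readonly int Seed = RandomNumberGenerator.GetInt32(int.MaxValue);

    public bool Equals(ProductCode x, ProductCode y) => x.Equals(y);

    public int GetHashCode(ProductCode obj) => HashCode.Combine(Seed, obj.Value);
}

// Starts from the library's UntrustedData policy (collision-resistant hashing on, object-graph
// depth capped, which is what addresses the stack-overflow vector) and adds our own key type.
// Assumption: MessagePackSecurity exposes a protected copy constructor in v2.x.
public sealed class HardenedSecurity : MessagePackSecurity
{
    public static readonly HardenedSecurity Instance = new HardenedSecurity();

    private HardenedSecurity() : base(MessagePackSecurity.UntrustedData)
    {
    }

    protected override IEqualityComparer<T> GetHashCollisionResistantEqualityComparer<T>()
    {
        if (typeof(T) == typeof(ProductCode))
        {
            return (IEqualityComparer<T>)(object)SeededProductCodeComparer.Instance;
        }

        // Built-in safe comparers for primitive key types; throws for types without one,
        // which is the exception the advisory describes.
        return base.GetHashCollisionResistantEqualityComparer<T>();
    }
}

[MessagePackObject]
public class Inventory
{
    [Key(0)]
    public Dictionary<ProductCode, int> Stock { get; set; } = new Dictionary<ProductCode, int>();
}

public static class UntrustedInventoryParser
{
    // Attach the hardened policy to the options used for every deserialization of untrusted bytes.
    private static readonly MessagePackSerializerOptions Options =
        MessagePackSerializerOptions.Standard.WithSecurity(HardenedSecurity.Instance);

    public static Inventory Parse(byte[] payload) =>
        MessagePackSerializer.Deserialize<Inventory>(payload, Options);
}
```

With plain `MessagePackSecurity.UntrustedData`, deserializing `Inventory` fails because the library has no safe comparer for `ProductCode`; with `HardenedSecurity` the dictionary is built with the seeded comparer, and the depth cap inherited from `UntrustedData` turns an over-nested payload into a `MessagePackSerializationException` instead of a process crash.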

Unrelated to this advisory, but as general security guidance, you should also avoid the Typeless serializer/formatters/resolvers for untrusted data as that opens the door for the untrusted data to potentially deserialize unanticipated types that can compromise security.

Workaround

The security vulnerabilities are in the formatters. Avoiding the built-in formatters entirely in favor of reading messagepack primitive data directly or relying on carefully written custom formatters can provide a workaround.

MessagePack v1.x users may utilize the `MessagePackBinary` static class directly to read the data they expect.
MessagePack v2.x users may utilize the `MessagePackReader` struct directly to read the data they expect.
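An added example of the v2.x workaround, written for this page and not taken from the advisory or the MessagePack project: instead of letting a formatter build whatever object graph the bytes describe, the code reads exactly one map of string to int32 with `MessagePackReader`, rejects any other shape and bounds every count it trusts. The `StrictStockReader` class and the limits in it are constructed for the example; it assumes MessagePack v2.x and .NET Core 3.0 or later (for `ArrayBufferWriter<byte>`).

```csharp
using System;
using System.Buffers;
using System.Collections.Generic;
using MessagePack;

public static class StrictStockReader
{
    // Limits chosen for the example; set them to what your application legitimately needs.
    public const int MaxEntries = 1000;
    public const int MaxKeyLength = 64;

    // Reads one top-level map {string -> int32} and nothing else. Because no nested
    // containers are ever accepted there is no recursion to overflow, and the only hash
    // table is a bounded Dictionary<string, int> whose string hashing is randomized per
    // process on .NET Core.
    public static Dictionary<string, int> Read(ReadOnlyMemory<byte> payload)
    {
        var reader = new MessagePackReader(payload);

        if (reader.NextMessagePackType != MessagePackType.Map)
        {
            throw new MessagePackSerializationException("expected a map at the top level");
        }

        int count = reader.ReadMapHeader();
        if (count > MaxEntries)
        {
            throw new MessagePackSerializationException($"map has {count} entries, limit is {MaxEntries}");
        }

        // Pre-sizing from an attacker-supplied count is safe only because it is bounded above.
        var result = new Dictionary<string, int>(count, StringComparer.Ordinal);

        for (int i = 0; i < count; i++)
        {
            if (reader.NextMessagePackType != MessagePackType.String)
            {
                throw new MessagePackSerializationException($"key {i} is not a string");
            }

            string key = reader.ReadString();
            if (key.Length > MaxKeyLength)
            {
                throw new MessagePackSerializationException($"key {i} longer than {MaxKeyLength} chars");
            }

            if (reader.NextMessagePackType != MessagePackType.Integer)
            {
                throw new MessagePackSerializationException($"value for '{key}' is not an integer");
            }

            // ReadInt32 throws if the encoded integer does not fit in an int.
            int value = reader.ReadInt32();

            if (!result.TryAdd(key, value))
            {
                throw new MessagePackSerializationException($"duplicate key '{key}'");
            }
        }

        if (!reader.End)
        {
            throw new MessagePackSerializationException("trailing data after the map");
        }

        return result;
    }

    // Builds a well-formed payload for trying the reader out (constructed sample data,
    // not something received from a peer).
    public static byte[] Encode(IReadOnlyDictionary<string, int> stock)
    {
        var buffer = new ArrayBufferWriter<byte>();
        var writer = new MessagePackWriter(buffer);

        writer.WriteMapHeader(stock.Count);
        foreach (KeyValuePair<string, int> entry in stock)
        {
            writer.Write(entry.Key);
            writer.Write(entry.Value);
        }

        writer.Flush();
        return buffer.WrittenSpan.ToArray();
    }
}
```

The trade-off is that `StrictStockReader.Read` knows nothing about your types beyond this one map, so every message shape you accept needs its own reader; in exchange the untrusted bytes never choose which formatter runs or how deep the resulting object graph is.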
Vendor References

CVEs related to QID 982818

Software Advisories

Advisory ID | Software Component | Link
GHSA-7q36-4xx7-xcxf | MessagePack | github.com/advisories/GHSA-7q36-4xx7-xcxf
GHSA-7q36-4xx7-xcxf | MessagePack.ImmutableCollection | github.com/advisories/GHSA-7q36-4xx7-xcxf
GHSA-7q36-4xx7-xcxf | MessagePack.ReactiveProperty | github.com/advisories/GHSA-7q36-4xx7-xcxf
GHSA-7q36-4xx7-xcxf | MessagePack.UnityShims | github.com/advisories/GHSA-7q36-4xx7-xcxf

© CVE.report 2026