im going to counter argue hosting bundle being updated the underlying asp.net core shared frameworks (x64 & x86) are updated. the underlying.net core runtimes (x64 & x86) are updated. this is leaving behind aspnetcorev2.dll (under c:program filesiisasp.net core modulev2) on the original vulnerable version. image this particular server is patched via sccm (cb) up until today we have not been syncing the wsus classification/products for dotnet core. i have turned it on today, forced a sup sync and created and adr which is targeting a couple of test machines.
an attacker could cause an application to terminate unexpectedly by leveraging a vulnerability in the.net core runtime. an attacker could exploit this issue by submitting specially crafted file, or by tricking a user into opening and/or running a specially crafted application.
before applying this update, we recommend that you carefully review the updates that will be installed with this update. it is generally safer to apply this update by using the automated tool, which can detect if applications are open when this update is applied. if you must apply this update manually, you must first reboot any machines that are running.net core versions earlier than 2.2.411.5. for more information, see .
microsoft has confirmed that this issue exists and is actively working with the affected vendors to rapidly fix the issue. the following organizations provided invaluable assistance in identifying this issue: chloé girard, julien just, thomas petazzoni, and marc rogers.