SONATYPE Vulnerability using IKVM package

[TapestryC]

When I reference IKVM package, SONATYPE caught couple vulnerability. The only recommendation is using the latest version which I am (8.7.5 & 8.7.6). Any plan IKVM will fix those? Thanks.

Vulnerable OSS
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]

Recommended Version(s): No recommended versions are available for the current component.
.NET Denial of Service Vulnerability
Explanation: The Microsoft.NETCore.App.Runtime packages for macOS and Linux are vulnerable to a Denial of Service (DoS) attack. The CryptoNative_GetX509NameInfo() function in openssl.c fails to account for X509 certificates containing alternate names that resolve to NULL values. A remote attacker can exploit this vulnerability with crafted certificates that, when consumed, may crash affected applications due to uncaught exceptions.
Detection: The application is vulnerable by using this component.
Recommendation: We recommend upgrading to a version of this component that is not vulnerable to this specific issue.

Note: If this component is included as a bundled/transitive dependency of another component, there may not be an upgrade path. In this instance, we recommend contacting the maintainers who included the vulnerable package. Alternatively, we recommend investigating alternative components or a potential mitigating control.
Threat Vectors: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

---

Vulnerable OSS
[email protected]?nexusnamespace=Microsoft%20Corporation%2FMicrosoft%C2%AE%20.NET&nexustype=pecoff
[email protected]?nexusnamespace=Microsoft%20Corporation%2FMicrosoft%C2%AE%20.NET&nexustype=pecoff

Recommended Version(s): No recommended versions are available for the current component.
.NET Core and Visual Studio Denial of Service Vulnerability
Explanation: The Microsoft.NETCore.App.Runtime packages for Windows are vulnerable to a Denial of Service (DoS) attack. The HandleEventPeerStreamStarted() method of the QuicConnection class releases the peer-provided stream capacity from memory before releasing client streams. A remote attacker can exploit this vulnerability by submitting a large number of closed streams in order to surpass configured stream limits. This may cause affected applications to consume all of their available resources, resulting in a DoS condition.
Detection: The application is vulnerable by using this component. Applications running .NET 6 are only vulnerable if they enable the HTTP/3 preview feature.

Reference:
Recommendation: We recommend upgrading to a version of this component that is not vulnerable to this specific issue.

Note: If this component is included as a bundled/transitive dependency of another component, there may not be an upgrade path. In this instance, we recommend contacting the maintainers who included the vulnerable package. Alternatively, we recommend investigating alternative components or a potential mitigating control.
Threat Vectors: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

[wasabii]

Since this is in the build tools, and the vuln has something to do with Quic and opensshl, neither of which are used by the build tools.... and it's a DoS attack.... this is pretty minimal.

But otherwise, what's happening is the build tools have an embedded copy of .NET in them, since they're published self contained. So, presumably, next release the bug will go away, as it's likely to just be built with the latest version of .NET.