CRITICAL: Why does Telerik.UI.for.Aspnet.Core 2023 still reference/use .NET Core 2.1 with CRITICAL security vulnerabilities?

1 Answer 538 Views
General Discussions Security
Nick Gilbert
Nick Gilbert asked on 05 Jul 2023, 11:49 AM

While scanning our projects for security vulnerabilities, we noticed that Telerik.UI.for.AspNet.Core 2023.2.606 references .NET Core 2.1, which is 5 years old and long since unsupported. This means that using Telerik.UI.for.AspNet.Core immediately introduces the critical security vulnerabilities present in .NET Core 2.1. Why does it depend on this ancient version of .NET?

Here is a new completely empty project created just now (July 2023!) and you can see the references to .NET Core 2.1:

And here's a resulting security scan of this empty project:

Is .NET Core still supported by Telerik? It seems odd this hasn't been fixed in 5 years.

1 Answer, 1 is accepted

Aleksandar
Telerik team
answered on 06 Jul 2023, 10:29 AM

Hello Nick,

Thank you for reaching out. I do understand your concerns and would like to elaborate on why this is the case. Telerik UI for ASP.NET Core targets netstandard2.0, and some of the older versions referenced are the minimal versions required, so we can ensure the product will be compatible with older versions of .NET Core. We have clients still running .NET 5 or .NET Core 3.1, or even .NET Core 2.1, and using the library. That said, it is possible to use up-to-date versions of the packages, and you can install the desired versions via NuGet.

You can use Newtonsoft.Json, updated to a later version, or use System.Text.Json, if preferred. The JSON serialization article demonstrates the configuration required for both System.Text.Json and Newtonsoft.Json when the Telerik UI for ASP.NET Core package is used.

System.Text.Encodings.Web: due to the above backwards-compatibility reason we specify the lowest required version. You can, for example, add the latest stable version of the System.Text.Encodings.Web NuGet package (v7.0) to ensure this is mitigated.

With regard to System.Text.RegularExpressions v4.3.0: the Telerik.UI.for.AspNet.Core package depends on System.Data.Common (4.1.0), which in itself has a dependency on System.Text.RegularExpressions (4.3.0). This issue logged in the dotnet repository discusses this particular package. Based on the information provided in that item, the flag should be considered a false positive, as the System.Text.RegularExpressions reference is present for backwards compatibility but will not be applied on .NET Core 2.0 and later versions, where the implementation is provided by the shared framework.

I hope this answers your questions and addresses your concerns. Feel free to add any additional comments or concerns you may have, so we can review and address them accordingly.

Regards,
Aleksandar
Progress Telerik

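The answer above says the fix is on the consumer side: add direct references to patched versions so they override the minimal versions Telerik declares. As an added example (this is not Telerik's code and not something posted in the thread), the POSIX shell script below writes a project file with those overrides and then re-runs the vulnerability audit across transitive packages. It assumes a net7.0 target, that Telerik.UI.for.AspNet.Core 2023.2.606 resolves from a feed already configured in nuget.config, and the following pins: System.Text.Encodings.Web 7.0.0 (the version the answer names), plus Newtonsoft.Json 13.0.3 and System.Text.RegularExpressions 4.3.1 as the patched releases current at the time of the thread, which is an assumption you should check against your own scanner's output.

```shell
#!/bin/sh
# Added example, not Telerik's code. Pins the transitive packages the scanner
# flagged to patched versions via direct PackageReferences, then re-audits.
# Assumptions: net7.0 target; Telerik feed configured in nuget.config; the
# pinned version numbers below are current patched releases (verify them).
set -eu

# Write a project that references Telerik UI and overrides its transitive floors.
# NuGet resolves "nearest wins": a direct PackageReference takes precedence over
# any version reached transitively, so the 2.1-era assemblies are not restored.
write_pinned_csproj() {
    out="$1"
    cat > "$out" <<'EOF'
<Project Sdk="Microsoft.NET.Sdk.Web">
  <PropertyGroup>
    <TargetFramework>net7.0</TargetFramework>
    <Nullable>enable</Nullable>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Telerik.UI.for.AspNet.Core" Version="2023.2.606" />
    <!-- Direct pins: these override the minimum versions Telerik declares -->
    <PackageReference Include="System.Text.Encodings.Web" Version="7.0.0" />
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
    <!-- Reported as a false positive on .NET Core 2.0+ (shared framework wins),
         but pinning the patched build keeps the scanner quiet -->
    <PackageReference Include="System.Text.RegularExpressions" Version="4.3.1" />
  </ItemGroup>
</Project>
EOF
}

# Return 0 only if every expected pin is present in the project file.
check_pins() {
    f="$1"
    for pin in 'Include="System.Text.Encodings.Web" Version="7.0.0"' \
               'Include="Newtonsoft.Json" Version="13.0.3"' \
               'Include="System.Text.RegularExpressions" Version="4.3.1"'; do
        grep -q -F "$pin" "$f" || return 1
    done
}

# Re-audit: list every package with a known advisory, including transitive ones.
# --include-transitive is what surfaces the packages this thread is about, since
# none of them is a direct reference. Needs the .NET SDK on PATH.
audit() {
    dir="$1"
    if ! command -v dotnet >/dev/null 2>&1; then
        echo "dotnet SDK not found; skipping audit" >&2
        return 0
    fi
    (cd "$dir" && dotnet restore && dotnet list package --vulnerable --include-transitive)
}

# Usage: sh pin-and-audit.sh ./MyApp   (writes MyApp/MyApp.csproj, then audits)
if [ -n "${1:-}" ]; then
    mkdir -p "$1"
    proj="$1/$(basename "$1").csproj"
    write_pinned_csproj "$proj"
    check_pins "$proj" || { echo "pins missing in $proj" >&2; exit 1; }
    audit "$1"
fi
```

Run it against a fresh project directory and compare the audit output before and after adding the pins; the packages should drop off the vulnerable list once the direct references resolve. Note that pinning changes which assemblies are restored into the package graph, not what the shared framework supplies at runtime, which is the point the answer makes about System.Text.RegularExpressions on .NET Core 2.0 and later.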
Nick Gilbert
commented on 06 Jul 2023, 10:38 AM

Thanks for your reply.

Wouldn't it be safer for Telerik to target libraries which have a minimum version of a currently supported and vulnerability-free status? .NET 2.1 hasn't been supported for several years and nobody should still be using it (and therefore Telerik also shouldn't support it if Microsoft themselves don't even support it).

Thanks

Nick

Alexander
Telerik team
commented on 11 Jul 2023, 06:02 AM

Hi Nick,

Your concerns are justified, and I personally understand that having a version that has reached its end of life may indeed not seem the best practice overall.

To be frank, the update to a minimal LTS version is a delicate matter. One of the main reasons is that this may cause clients or corporations that depend on prior .NET frameworks which are supported (for example 2.1) to make further detrimental changes to their infrastructure, as my colleague Aleksandar mentioned in his previous reply. This may come at a great cost, as their infrastructure may be intangible for such a migration overall.

At this stage, the majority of the packages you have outlined are external and we depend indirectly on them, so you should be able to update the respective versions that have reported vulnerabilities on your end to further obscure the security warning.

Rest assured, I will further address your feedback to our management team and explore whether we can proceed with such an endeavor given the aforementioned circumstances.

Nick Gilbert
commented on 11 Jul 2023, 08:42 AM

Hi Alex, 

.NET Core 2.1 became unsupported 2 years ago, in August 2021. The only supported versions now are .NET 6.0 (LTS) and .NET 7. That's the point I was trying to make: why are Telerik targeting/supporting versions which are many years out of support?

See: https://dotnet.microsoft.com/en-us/platform/support/policy/dotnet-core

Thanks,

Nick

Alexander
Telerik team
commented on 14 Jul 2023, 06:23 AM

Hi Nick,

The sole reason for us keeping prior .NET Core versioning support is from a client perspective. I personally understand the point you are trying to make, and your point is indeed really valid.

Indeed, we strive to follow Microsoft's strategies; however, due to the delicacy of the matter, embarking on setting a minimum version to .NET 6 whilst bumping all of the assemblies would inevitably prove harmful to clients that are utilizing prior versions, and this may backfire on the product itself.

The best thing I can do at this point would be to further address your concerns directly to my manager, as your feedback means a lot to us and, at the risk of repeating myself, is a valid one.

Alexander
Telerik team
commented on 19 Jul 2023, 12:07 PM

Hi Nick,

I am updating this forum thread in order to let you know that I have additionally raised your concerns with our management and development team. From our internal discussion, we concluded that indeed an option for bumping the dependencies to a non-vulnerable version can be explored and evaluated further.

Thus, we will log an additional internal issue in order to track its progress and validate whether we can proceed accordingly with this initiative.

I am personally taking on the responsibility of updating this thread regarding the issue's status in order for the community to be familiar with the progress as well.

For helping us further identify this, I have also updated your Telerik points as a token of appreciation.
