
ASP.NET DoS Vulnerability (KB2659883 and MS11-100)

Question asked by Kevin Sedran on Apr 17, 2012
Latest reply on Apr 18, 2012 by Caleb Corey



When I run a VM scan against my server I am getting a potential denial of service vulnerability show up in the scan results.

My server is running Windows Server 2008 R2 SP1.


The suggested solution is to install the following patch, which I did, but the vulnerability still shows up in a scan:

This patch is for 2008 R2 x64 SP1 systems with .NET 4.0 installed.


My server has multiple versions of the .NET Framework installed: v2.0.50727, v3.0, v3.5, v4.0.30319

I noticed there is a patch for .NET 3.5 as well. Does this patch also need to be installed?

What about patches for v2.0 and v3.0?


My app is built using the 4.0 version of the .NET Framework and is the only application that resides on the server. The server hosts nothing else other than my app. Should I uninstall the previous version of the .NET Framework? Is that even possible?


There is also a workaround suggesting to reduce the <httpRuntime maxRequestLength="20"/>. My application allows the uploading of pictures; won't this throw an error if a user tries to upload an item >20KB?


Any suggestions on how to fix this vulnerability?