Organizations face different patching requirements depending on their deployment model. Applications using framework-dependent deployments rely on the .NET runtime installed on the server, meaning administrators must update the server itself. Those using self-contained deployments, which bundle the runtime with the application, must rebuild and redeploy each affected application individually.
Microsoft released patched versions across all supported releases. According to the advisory, developers should upgrade to .NET 8.0.21 Runtime or .NET 8.0.318 SDK for version 8, .NET 9.0.10 Runtime or .NET 9.0.111 SDK for version 9, or .NET 10.0.0-rc.2.25476.107 Runtime for the version 10 pre-release. For legacy ASP.NET Core 2.x applications, Microsoft released Kestrel.Core package version 2.3.6 through NuGet.
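For framework-dependent deployments, the server-installed runtimes can be checked against the patched versions listed above. The following is an added example, not code from Microsoft or the advisory: it parses the output of `dotnet --list-runtimes` (the sample listing is constructed) and assumes each shared framework line carries the runtime release number. Self-contained applications bundle their own runtime and do not appear in this listing.

```python
import re

# Patched runtime versions per major release, as listed in the article.
PATCHED = {8: "8.0.21", 9: "9.0.10", 10: "10.0.0-rc.2.25476.107"}

# Constructed sample of `dotnet --list-runtimes` output (not from a real host).
SAMPLE = """\
Microsoft.AspNetCore.App 8.0.20 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 9.0.10 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 10.0.0-rc.1.25451.107 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 8.0.21 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 6.0.36 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
"""

LINE = re.compile(r"^(\S+)\s+(\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?)\s+\[(.+)\]$")


def version_key(version):
    """Sort key with SemVer precedence: a pre-release sorts before its release."""
    core, _, pre = version.partition("-")
    numbers = tuple(int(n) for n in core.split("."))
    if not pre:
        return numbers + (1, ())
    # Numeric identifiers compare as integers and rank below alphanumeric ones.
    ids = tuple((0, int(p), "") if p.isdigit() else (1, 0, p) for p in pre.split("."))
    return numbers + (0, ids)


def audit(listing):
    """Return (framework, version, status) for each runtime line in the listing."""
    results = []
    for line in listing.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        name, version = m.group(1), m.group(2)
        fixed = PATCHED.get(int(version.split(".")[0]))
        if fixed is None:
            status = "no-fix-listed"  # major version not covered by the article's list
        elif version_key(version) < version_key(fixed):
            status = "needs-update"
        else:
            status = "patched"
        results.append((name, version, status))
    return results


if __name__ == "__main__":
    for name, version, status in audit(SAMPLE):
        print(f"{status:14} {name} {version}")
```

On a real host, pass the captured output of `dotnet --list-runtimes` to `audit()` in place of `SAMPLE`.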
Some may already be protected
Not all organizations may need to take immediate action, however. One mitigating factor is that applications protected by reverse proxies or API gateways may already have adequate defenses, Dorrans said.