mitigate CVE-2021-24112

[TimothyMothra]

Supersedes: #2704

• https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24112

Our SDK has an implicit reference to System.Drawing.Common:

ApplicationInsights-dotnet/WEB/Src/PerformanceCollector/PerformanceCollector/Perf.csproj

Lines 30 to 32 in 35b1a30

	<ItemGroup Condition="'$(TargetFramework)' == 'netstandard2.0'">
	<PackageReference Include="Microsoft.Extensions.Caching.Memory" Version="1.0.0" />
	<PackageReference Include="System.Diagnostics.PerformanceCounter" Version="4.7.0" />

• Microsoft.ApplicationInsights.PerfCounterCollector
  • System.Diagnostics.PerformanceCounter https://www.nuget.org/packages/System.Diagnostics.PerformanceCounter/4.7.0
    • System.Configuration.ConfigurationManager https://www.nuget.org/packages/System.Configuration.ConfigurationManager/4.7.0
      • System.Security.Permissions https://www.nuget.org/packages/System.Security.Permissions/4.7.0
        • System.Windows.Extensions https://www.nuget.org/packages/System.Windows.Extensions/4.7.0
          • System.Drawing.Common https://www.nuget.org/packages/System.Drawing.Common/4.7.0

We could mitigate this by taking a dependency on System.Drawing.Common v4.7.2.

Instead, we're going to upgrade System.Diagnostics.PerformanceCounter from v4.7.0 to v6.0.0 to get a version of System.Drawing.Common without a vulnerability.

[ryan-shelby-byte]

Is this going to be in a beta release?

[TimothyMothra]

Hi @ryan-shelby-byte
Yes, this will be in 2.22-Beta2, but we don't have a release date planned yet.

As a temporary mitigation, you can take an explicit dependency on a newer version of System.Drawing.Common.