.NET 7 apps are now vulnerable and must be updated now!

Published: Monday 27 May 2024

If you have an application running with .NET 7, you must update it now!

By not doing so, your application is at risk of known bugs and security vulnerabilities.

End of life

.NET 7 was set to End of Life (or EOL) on 14th May 2024. What this means is that Microsoft no longer provides fixes, updates, or online technical assistance for any versions with this status.

This is critical because if someone were to flag a bug or a security vulnerability in .NET 7, Microsoft would not be expected to provide a fix and, subsequently, it would not be updated.

The solution is to update to a version that is currently supported. Microsoft's .NET Core support policy page lists the versions that are currently supported.

Why is an earlier version of .NET still supported?

Microsoft release a new major version of .NET every November, and each version alternates between Standard Term Support (or STS) and Long Term Support (or LTS).

STS versions are given patches for 18 months, whereas LTS versions are given a full three years of support.

The type of support a .NET version is given is based on its version number. Even-numbered versions are given LTS, whereas odd-numbered versions are given STS.

As .NET 7's version is an odd number, it was only given 18 months of support. .NET 6's version is an even number, so it was given LTS and remains supported for a further six months after .NET 7 support ended, despite being released 12 months earlier.

Version       | Release date       | End of support
.NET 6 (LTS)  | 8th November 2021  | 12th November 2024
.NET 7 (STS)  | 8th November 2022  | 14th May 2024
.NET 8 (LTS)  | 14th November 2023 | 10th November 2026

Why should you update?

Microsoft state in their .NET Core support policy that "out-of-support .NET versions may put your applications, application data, and computing environment at risk."

As well as the vulnerabilities, newer versions have updates to .NET and C# which are not included in .NET 7. New features for .NET 8 and C# 12 include keyed services and primary constructors, amongst others.

And if you use Azure agents for CI and CD YAML pipelines, there is a high chance that "out of support" versions will be removed from those agents in the near future, if they haven't been already.

How do you update?

First of all, you need to download the SDK of the .NET version you are going to use.

You can do that by going to the Download .NET page on the Microsoft website. From there, you can decide which version to upgrade to and install the latest update for it.

If you're using Visual Studio

Updating Visual Studio should also download the latest .NET SDK.

To update Visual Studio, go to Help and Check for Updates from the top menu.

If you need to update, the screen will prompt you to do so.

Update Visual Studio 2022 to 17.9.7

Once you've updated, you can see what versions of the .NET SDK are installed on your machine.

To do that, you can open up a PowerShell window and run:

dotnet --list-sdks
Lists the versions of the .NET SDK installed

If the version you wish to update to has been installed, you are good to go.

If you're using Visual Studio Code

If the version isn't installed, or you are using Visual Studio Code, you'll need to download the .NET SDK from the Microsoft website.

Select the version you wish to install:

Download one of the supported .NET versions

This will take you through to a page with all the updates for that version. We recommend that you install the latest release for it.

You'll then have to install the SDK for the operating system that you are using.

Make sure that it's the SDK you install, and not the Runtime.

Download the .NET SDK onto your machine depending on your operating system

Go ahead and install it and you should be good to go.

Update projects

Now you will have to update each project in your application to the .NET version that you are using.

You do this in the .csproj file, which is the project file for your application.

If you're using Visual Studio, you can right-click on the project and go to Edit Project File.

From there, you can change the <TargetFramework> tag from net7.0 to the version you wish to update it to.

For example, if you wish to update to .NET 8, you would change it to net8.0.

<Project Sdk="Microsoft.NET.Sdk.Web">

	<PropertyGroup>
		<TargetFramework>net8.0</TargetFramework>
		<Nullable>enable</Nullable>
		<ImplicitUsings>enable</ImplicitUsings>
	</PropertyGroup>
	...
</Project>

Update Docker

If you're using Docker, you'll need to update the Docker file named Dockerfile.

Inside it, update the version from 7.0 to the version that you are updating to:

# ASP.NET Core Runtime (update to .NET 8)
FROM mcr.microsoft.com/dotnet/aspnet:8.0 AS base
WORKDIR /app
EXPOSE 80
EXPOSE 443

# .NET SDK (update to .NET 8)
FROM mcr.microsoft.com/dotnet/sdk:8.0 AS build
ARG BUILD_CONFIGURATION=Release

...
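
To confirm that no project file or Dockerfile still points at an out-of-support version, the following added example (not code from the original article) scans a folder for both. The end-of-support dates are the ones in the table above; the function name Find-UnsupportedDotNet, the regular expressions and the sample files are assumptions made for illustration.

```powershell
# Added example, not code from the article. Dates come from the article's
# support table; Find-UnsupportedDotNet and its regexes are hypothetical.
$EndOfSupport = @{
    '6.0' = [datetime]'2024-11-12'
    '7.0' = [datetime]'2024-05-14'
    '8.0' = [datetime]'2026-11-10'
}

function Find-UnsupportedDotNet {
    param([string]$Path = '.', [datetime]$AsOf = (Get-Date))
    # Project files carry the version as a moniker (net7.0); Dockerfiles carry
    # it as the image tag (dotnet/aspnet:7.0, dotnet/sdk:7.0-alpine).
    $sources = @(
        @{ Filter = '*.csproj';    Regex = '<TargetFrameworks?>([^<]+)</TargetFrameworks?>' }
        @{ Filter = 'Dockerfile*'; Regex = '^\s*FROM\s.*\bdotnet/[\w-]+:(\S+)' }
    )
    foreach ($source in $sources) {
        $hits = Get-ChildItem -Path $Path -Recurse -File -Filter $source.Filter |
            Select-String -Pattern $source.Regex
        foreach ($hit in $hits) {
            # Multi-targeted projects list several monikers separated by ';'.
            foreach ($value in $hit.Matches[0].Groups[1].Value -split ';') {
                if ($value.Trim() -match '^(?:net)?(\d+\.\d+)') {
                    $eol = $EndOfSupport[$Matches[1]]
                    if ($eol -and ($eol -lt $AsOf)) {
                        [pscustomobject]@{
                            File = $hit.Path; Line = $hit.LineNumber
                            Version = $Matches[1]; EndOfSupport = $eol.ToString('yyyy-MM-dd')
                        }
                    }
                }
            }
        }
    }
}

# Constructed sample tree so the example runs offline.
$demo = Join-Path ([IO.Path]::GetTempPath()) 'eol-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Set-Content (Join-Path $demo 'Api.csproj') '<Project><PropertyGroup><TargetFramework>net7.0</TargetFramework></PropertyGroup></Project>'
Set-Content (Join-Path $demo 'Dockerfile') @'
FROM mcr.microsoft.com/dotnet/aspnet:7.0 AS base
FROM mcr.microsoft.com/dotnet/sdk:8.0 AS build
'@
$findings = @(Find-UnsupportedDotNet -Path $demo -AsOf '2024-05-27')
$findings | Format-Table -AutoSize
if ($findings.Count -gt 0) { Write-Warning "$($findings.Count) reference(s) to an out-of-support .NET version" }
```

Against the sample files, with the date set to this article's publication date, it reports the net7.0 project and the aspnet:7.0 base image and leaves the sdk:8.0 build stage alone.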

Update NuGet packages

You'll also have to update all the Microsoft.AspNetCore NuGet packages to the version that you are using as a minimum.

In fact, we recommend that you upgrade all NuGet packages to the latest version if you can.

In Visual Studio, you can do that by going to Tools, NuGet Package Manager and Manage Packages for Solution from the top menu.

Select the Updates tab and select the packages you wish to update.

Upgrade NuGet packages for your solution in Visual Studio

Publish your application as self-contained

If you are publishing your application, you can publish it as self-contained, meaning the published files contain the .NET runtime and libraries as well as your application. This means you don't need to update or install the ASP.NET Core Runtime on your machine. Because the runtime is bundled at publish time, you need to republish the application to pick up later runtime security patches.

To publish your application as self-contained, you can run the following command line from a PowerShell window with the --self-contained parameter included.

dotnet publish RoundTheCode.DotNetUpgrade.csproj -c Release -o publish --self-contained

The parameters are as follows:

  • -c = The configuration (Debug or Release)
  • -o = The folder to publish the files to
  • --self-contained = Publishes it as a self-contained application

Installing the ASP.NET Core Runtime

If you wish to install or update the ASP.NET Core Runtime onto your machine, you'll need to download it from the Microsoft website.

Select the version you are using and then download the Runtime version depending on your operating system.

When installing it onto your server, expect a little bit of downtime on your application whilst the installation takes place.

If you are using a Windows Server and using IIS to host your application, you'll need to install the Windows Hosting Bundle.

Install the .NET runtime depending on which operating system you're using

Watch the video

Watch our video where we go through these steps so you can follow along and update your application to a .NET version that is in support.