Solved

Vulnerability for Microsoft .Net Core 3.1

  • 30 January 2023


Hello Commvault Community!

 

The vulnerability topic for .NET Core has come up several times, but I want to make sure about this topic.

We have an environment that has already gone through many updates of various FRs, and there are remnants of previous .NET Core versions (currently the environment runs on FR24). The documentation says that version 4.6 is required, so can we remove all the packages below on all CommServes (Active and Passive) and install version 4.6?


Client: xyz1

QID-106105
EOL/Obsolete Software: Microsoft .Net Core Version 3.1 Detected

Client: xyz1

QID-38794
Secure Sockets Layer/Transport Layer Security (SSL/TLS) Server Supports Transport Layer Security (TLSv1.1)

Client: xyz2

QID-106105
EOL/Obsolete Software: Microsoft .Net Core Version 3.1 Detected

TLSv1.1 is supported

Versions:

- OS - Windows 2016
- SQL Server - 13.0.5893.48
- Commvault environment version - 11.24.48

".NET Core 3.1 End of life
.NET Core 3.1 will reach end of life on December 13, 2022, as described in .NET Releases and per .NET Release Policies. After that time, .NET Core 3.1 patch updates will no longer be provided. We recommend that you move any .NET Core 3.1 applications and environments to .NET 6.0. It'll be an easy upgrade in most cases. The .NET Releases page is the best place to look for release lifecycle information. Knowing key dates helps you make informed decisions about when to upgrade or make other changes to your software and computing environment."


 

Thanks for help & Regards,
Kamil

Best answer by Orazan 3 February 2023, 10:23

5 replies


Good afternoon.  If you would like to move to .NET 4.6 you will have to update to CPR2022E (FR28).  You can see the list of third party installations for CPR2022E here:

https://documentation.commvault.com/2023/expert/121377_third_party_applications_installed_by_commvault_installer.html

 

 


Hi @Orazan 

Yes, but the Customer does not currently want to upgrade to FR28, but wants to stay on FR24 and remove the vulnerability for .NET Core 3.1.

When I entered the same article you sent, but for SP24, we can see the same versions for Third Party Applications. Can someone confirm that for SP24 it will be possible to install .NET 4.6 or higher?
 

https://documentation.commvault.com/11.24/expert/121377_third_party_applications_installed_by_commvault_installer.html
 

My main question was whether being on SP24 we can safely remove "old" versions of .NET - the vulnerability was found for .NET 3.1.

Thanks,
Kamil


On Feature Release 24, some of the earlier versions of .NET are required.  That was the reason for the recommendation to move to FR28.


Hi @Orazan 

 

We've clarified the vulnerability issue for .NET. What about the TLS vulnerability then? Can you still help me on this topic?


Client: xyz1

QID-38794
Secure Sockets Layer/Transport Layer Security (SSL/TLS) Server Supports Transport Layer Security (TLSv1.1)


 


Good morning.  Can you please tell me if the information in this post is helpful?

 

 
