Skip to main content
commvault.com commvault.com

Hello Commvault Community!

 

Vulnerability topic for .Net Core - came back several times, but I want to make sure about this topic.

We have an environment that has already gone through many updates of various FRs and there are remnants of previous .Net Core versions. (currently the environment runs on FR24). The documentation says that version 4.6 is required, so can we remove all packages below on all CommServes (Active and Passiv) and install for version 4.6?

Client: xyz1

QID-106105
EOL/Obsolete Software: Microsoft .Net Core Version 3.1 Detected

Client: xyz1

QID-38794
Secure Sockets Layer/Transport Layer Security (SSL/TLS) Server Supports Transport Layer Security (TLSv1.1)

Client: xyz2

QID-106105
EOL/Obsolete Software: Microsoft .Net Core Version 3.1 Detected

TLSv1.1 is supported

Versions:

- OS - Windows 2016
- SQL Server - 13.0.5893.48
- Commvault environment version - 11.24.48

".NET Core 3.1 End of life
.NET Core 3.1 will reach end of life on December 13, 2022, as described in .NET Releases and per .NET Release Policies. After that time, .NET Core 3.1 patch updates will no longer be provided. We recommend that you move any .NET Core 3.1 applications and environments to .NET 6.0. It'll be an easy upgrade in most cases. The .NET Releases page is the best place to look for release lifecycle information. Knowing key dates helps you make informed decisions about when to upgrade or make other changes to your software and computing environment."

 

Thanks for help & Regards,
Kamil

Good afternoon.  If you would like to move to .NET 4.6 you will have to update to CPR2022E (FR28).  You can see the list of third party installations for CPR2022E here:

https://documentation.commvault.com/2023/expert/121377_third_party_applications_installed_by_commvault_installer.html

 

 

Hi @Orazan 

Yes, but the Customer does not currently want to upgrade to FR28, but wants to stay on FR24 and remove the vulnerability for .NET Core 3.1.

When I entered the same article you send but for SP24 we can see the same versions for Third Party Applications. Can someone confirm that for SP24 it will be possible to install .NET 4.6 or higher?
 

https://documentation.commvault.com/11.24/expert/121377_third_party_applications_installed_by_commvault_installer.html
 

My main question was whether being on SP24 we can safely remove "old" versions of .NET - the vulnerability was found for .NET 3.1.

Thanks,
Kamil

On Feature Release 24, some of the earlier versions of .NET are required.  That was the reason for the recommendation to move to FR28.

Hi @Orazan 

 

Vulnerability issue for .NET, we've clarified. What about the TLS vulnerability then? Can you still help me on this topic?

Client: xyz1

QID-38794
Secure Sockets Layer/Transport Layer Security (SSL/TLS) Server Supports Transport Layer Security (TLSv1.1)

 

Good morning.  Can you please tell me if the information in this post is helpful?

 

 

Reply


Terms & ConditionsCookie settings