Vulnerability scans reveal vulnerabilities on ASP.NET on the Commvault servers.

  • 12 February 2021

Userlevel 2
Badge +4

In one of my customer's environments, vulnerability scans reveal vulnerabilities on ASP.NET on the Commvault servers. Has anyone done a .NET Framework update to the latest 4.x and uninstalled the older one? Here are the files getting caught under vulnerability:

 

Security Update for Microsoft ASP.NET Core (DoS) (August 2020)
  Path              : C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App\2.1.16
  Installed version : 2.1.16



Userlevel 7
Badge +14

Hi Anuj

Thanks for the question, I have done a little research on this and I have found:

https://documentation.commvault.com/commvault/v11_sp20/article?p=2839_2.htm

Note: If it is necessary to upgrade the .NET Core Hosting Bundle to the latest version, run ASP.NET Core Runtime 2.1.x.

Checking this on Microsoft’s website, looks like 2.1.25 is the current version right now:
https://dotnet.microsoft.com/download/dotnet-core

Please allow me some time to check this internally to confirm if the best next step is to update your customer’s installation from 2.1.16 to 2.1.25.

Thanks,

Stuart

Userlevel 2
Badge +4

Thanks a ton Stuart…  

I will wait for your further input..

 

Thanks,

Anuj

Userlevel 5
Badge +10

If you upgrade to FR22 then it will be updated to version 2.1.18, but that version is also pretty old (2020-05-12), so I think, also because of this sentence "Note: If it is necessary to upgrade the .NET Core Hosting Bundle to the latest version, run ASP.NET Core Runtime 2.1.x.", that you can update to the latest version.

Of course there is always a small risk of breakage, so maybe you can spin up a quick test setup and install it to verify it.

Userlevel 2
Badge +4

Thanks for your input Onno..

Userlevel 2
Badge +4

Hi Stuart,

Have you been lucky to have any further input on this from your internal sources? 

Thanks,

Anuj

Badge

Hi @Anuj, will update you once we have checked it out. We are running through our automation to make sure there isn't any issue with the framework upgrade.

Userlevel 7
Badge +14

Hi @Anuj and @Onno van den Berg 

Sorry for the delay in responding. Development have been running some internal testing and have now confirmed you should update to ASP.NET Core 2.1.25.

Thanks,

Stuart

Userlevel 2
Badge +4

Thank you Stuart… much appreciated

Userlevel 1
Badge +3

Hi @Stuart Painter ,

This thread is perfect for my query.  There’s a revision to the ASP.NET core to version 2.1.30 - Can you confirm this is OK to deploy after internal testing?

I’m specifically interested in version 11.20.67

Userlevel 7
Badge +23

Glad to hear it, @SLodge_IW. I’ll check with @Stuart Painter about his internal thread so we can confirm for you.

Userlevel 7
Badge +14

Hi @SLodge_IW 

I’ll follow up with Development internally to check ASP.NET Core 2.1.30 for you.

Thanks,

Stuart

Userlevel 1
Badge +3

Thank you @Stuart Painter

I was going to raise a separate topic with this question, but it’s directly relevant to the question @Anuj raised so I’ll include it here.

Note that I went ahead and installed ASP.NET Core Hosting Bundle 2.1.30 and tested the functions we use in Commvault with no issues.  I then ran a new vulnerability scan and while most issues were resolved, the highest severity one remains.

The vulnerability management system provided by Qualys has raised a specific identifier for this vulnerability with the highest severity, 5. Labelled “EOL/Obsolete Software: Microsoft .Net Core Version 2.1 Detected”, the threat is described as “The system is at high risk of being exposed to security vulnerabilities. Since the vendor no longer provides updates, obsolete software is more prone to vulnerabilities.” with further detail “Technical support and service pack support for Microsoft .Net Core Version 2.1 ended on August 21, 2021.”

The ASP.NET Core Hosting Bundle 2.1.30 is the latest release with the release date of 2021-08-17.

What does Commvault use ASP.NET 2.1.x for?

Can we use a later version instead like 3.1 or 5.0?

If we remove ASP.NET 2.1.x how does this affect the Commserve?

Does Commvault have a recommendation to satisfy the compliance issues that this vulnerability imposes?

I’m happy to open a support case if that helps.
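
Added example, not part of any post in this thread and not Commvault tooling: a report-only PowerShell check that lists the ASP.NET Core runtime folders a path-based scan like the one above would see and flags 2.1.x installs using the figures quoted in the thread (2.1.30 as the newest 2.1 release, August 21, 2021 as end of support). The function name and the temp-folder sample layout are constructed for illustration.

```powershell
# Added example: report-only inventory of ASP.NET Core shared runtimes.
# Thresholds are the figures quoted in this thread, not a support matrix.
function Get-AspNetCoreRuntimeFinding {
    param(
        # Parent of the folder named in the scan output above.
        [string]$SharedRoot = 'C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App',
        [version]$Latest21 = '2.1.30',       # newest 2.1 release per the thread
        [datetime]$Eol21   = '2021-08-21'    # 2.1 end of support per the Qualys text
    )
    if (-not (Test-Path -LiteralPath $SharedRoot)) { return }

    Get-ChildItem -LiteralPath $SharedRoot -Directory | ForEach-Object {
        $v = $null
        $finding = 'no finding from the thread'
        if (-not [version]::TryParse($_.Name, [ref]$v)) {
            # Preview or otherwise non-numeric folder names need a manual look.
            $finding = 'unparsed folder name, review manually'
        }
        elseif ($v.Major -eq 2 -and $v.Minor -eq 1) {
            $notes = @()
            if ($v -lt $Latest21) { $notes += "below $Latest21, missing 2.1 security updates" }
            if ((Get-Date) -gt $Eol21) { $notes += '2.1 branch is past end of support' }
            if ($notes) { $finding = $notes -join '; ' }
        }
        [pscustomobject]@{
            Folder  = $_.Name
            Path    = $_.FullName
            Finding = $finding
        }
    }
}

# Constructed sample layout so the function can be tried away from a server.
$demo = Join-Path ([IO.Path]::GetTempPath()) 'aspnetcore-demo'
'2.1.16', '2.1.30', '3.1.13' | ForEach-Object {
    New-Item -ItemType Directory -Force -Path (Join-Path $demo $_) | Out-Null
}
Get-AspNetCoreRuntimeFinding -SharedRoot $demo | Format-List
```

The function only reports and removes nothing; whether the 2.1 runtime can be uninstalled depends on the Commvault release, as the later replies in this thread show.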

 

 

Userlevel 7
Badge +14

Hi @SLodge_IW 

ASP.NET Core is used by Web Server and provides the web endpoint connection for Web Console and Command Center to query the Commserve database.

I’m pleased to hear you’ve been able to update to 2.1.30 without any issues.

Development inform me that from FR11.24, ASP.NET Core has been updated to 3.1.13.

If you don’t wish to update to FR11.24, but would like to have the vulnerability highlighted in ASP.NET Core 2.1.x, then the best next step is to raise a support case for further investigations.

Thanks,

Stuart

Userlevel 1
Badge +3

Thanks for the quick response @Stuart Painter

Since FR11.24 is an LTS release that seems like the appropriate next step for our needs.  I’ll see how that affects our plans and will log a support case if I need to take this further.

Userlevel 2
Badge +10

@Stuart Painter 

I have a small question regarding FR11.24. Everything is fine: I updated the environment and now I have .NET Core version 3.1.x, but can I uninstall the old version (in red) without problems?

 

Userlevel 7
Badge +14

Hi @SLodge_IW

Thanks for the update, I would guess that removing those older versions will be ok, but I’ve asked Development internally here at Commvault for some confirmation just to be sure.

I’ll let you know.

Thanks,

Stuart

Userlevel 7
Badge +23

Moved @JustSomeGuy’s posts to their own topic:

 

Badge

We use Qualys and I’m dealing with the same vulnerability. Opened a case with support and was told to simply stop Tomcat and IIS services, uninstall .NET Core 2.1 and then install 3.1, then start services back up.

Did this and services started up successfully but webconsole won’t load and gives error: 

“It looks like something went wrong! This service is currently unavailable. Please contact your administrator.”

I installed .NET Core 2.1 again and it started working. I’m running CV version 11.20.55

 

 

Badge +2

@Dan M - sounds similar to the issue I was having.  From earlier in this post it seems like you need to be on 11.24 for the 3.1 support.  Could be wrong though.

Userlevel 7
Badge +23

Hi @Dan M , can you share the case number with me?  Are they still helping you work through the case?  Might end up moving this to its own thread, though I want to analyze this a bit, first.
