Solved

Vulnerability for Microsoft .Net Core 3.1

  • January 30, 2023
  • 5 replies
  • 2585 views

Hello Commvault Community!

The vulnerability topic for .Net Core has come back several times, but I want to make sure about this topic.

We have an environment that has already gone through many updates of various FRs, and there are remnants of previous .Net Core versions (currently the environment runs on FR24). The documentation says that version 4.6 is required, so can we remove all packages below on all CommServes (Active and Passive) and install for version 4.6?


Client: xyz1

QID-106105
EOL/Obsolete Software: Microsoft .Net Core Version 3.1 Detected

Client: xyz1

QID-38794
Secure Sockets Layer/Transport Layer Security (SSL/TLS) Server Supports Transport Layer Security (TLSv1.1)

Client: xyz2

QID-106105
EOL/Obsolete Software: Microsoft .Net Core Version 3.1 Detected

TLSv1.1 is supported

Versions:

- OS - Windows 2016
- SQL Server - 13.0.5893.48
- Commvault environment version - 11.24.48

".NET Core 3.1 End of life
.NET Core 3.1 will reach end of life on December 13, 2022, as described in .NET Releases and per .NET Release Policies. After that time, .NET Core 3.1 patch updates will no longer be provided. We recommend that you move any .NET Core 3.1 applications and environments to .NET 6.0. It'll be an easy upgrade in most cases. The .NET Releases page is the best place to look for release lifecycle information. Knowing key dates helps you make informed decisions about when to upgrade or make other changes to your software and computing environment."


 

Thanks for help & Regards,
Kamil

Best answer by Orazan

Good morning.  Can you please tell me if the information in this post is helpful?

5 replies

  • Vaulter
  • 630 replies
  • January 30, 2023

Good afternoon.  If you would like to move to .NET 4.6 you will have to update to CPR2022E (FR28).  You can see the list of third party installations for CPR2022E here:

https://documentation.commvault.com/2023/expert/121377_third_party_applications_installed_by_commvault_installer.html


  • Author
  • 143 replies
  • January 31, 2023

Hi @Orazan 

Yes, but the Customer does not currently want to upgrade to FR28, but wants to stay on FR24 and remove the vulnerability for .NET Core 3.1.

When I entered the same article you sent, but for SP24, we can see the same versions for Third Party Applications. Can someone confirm that for SP24 it will be possible to install .NET 4.6 or higher?

https://documentation.commvault.com/11.24/expert/121377_third_party_applications_installed_by_commvault_installer.html

My main question was whether being on SP24 we can safely remove "old" versions of .NET - the vulnerability was found for .NET 3.1.

Thanks,
Kamil


  • Vaulter
  • 630 replies
  • January 31, 2023

On Feature Release 24, some of the earlier versions of .NET are required.  That was the reason for the recommendation to move to FR28.


  • Author
  • 143 replies
  • February 2, 2023

Hi @Orazan

We've clarified the vulnerability issue for .NET. What about the TLS vulnerability then? Can you still help me on this topic?


Client: xyz1

QID-38794
Secure Sockets Layer/Transport Layer Security (SSL/TLS) Server Supports Transport Layer Security (TLSv1.1)


 


  • Vaulter
  • 630 replies
  • Answer
  • February 3, 2023

Good morning.  Can you please tell me if the information in this post is helpful?