Vulnerability in .NET Core 3.1

  • 12 January 2022
  • 9 comments
  • 1095 views

Userlevel 4
Badge +1

Hi 

Just to inform you that there is a vulnerability in the .NET Core runtime.
This is installed for the Veeam AWS, Azure & Google plug-ins.
reference: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-43877

updates: https://dotnet.microsoft.com/en-us/download/dotnet/3.1

Please update your Veeam servers.
Regards

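An added check for the advice in the post above (example code written for this thread, not Veeam's or Microsoft's own): it parses the output of `dotnet --list-runtimes` on a server and flags every shared runtime that is below the first build carrying the CVE-2021-43877 fix and, going beyond the post's own advice, every runtime whose support window has already closed. The patch-level table and the end-of-support dates are assumptions taken from Microsoft's December 2021 release notes and its .NET support policy; verify them against the MSRC advisory linked above before acting on the script's output. The sample `dotnet --list-runtimes` text is constructed, not captured from a real server.

```python
"""Audit installed .NET runtimes for the CVE-2021-43877 patch level and for end of support.

Added example for this thread; not Veeam's or Microsoft's code. Run it on each Veeam
server (it shells out to `dotnet --list-runtimes`) or feed saved output to audit().
"""
from __future__ import annotations

import re
import subprocess
from datetime import date
from typing import NamedTuple

# One line of `dotnet --list-runtimes` output looks like: "<name> <version> [<path>]".
# A preview suffix such as "-preview.7.21377.19" is tolerated; its numeric triple is
# compared like any other version (it always predates the servicing build that fixed the CVE).
RUNTIME_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<version>\d+\.\d+\.\d+)(?:-\S+)?\s+\[(?P<path>.+)\]\s*$"
)

# ASSUMPTION: first servicing builds that include the CVE-2021-43877 fix (December 2021 release).
# Verify against the MSRC advisory linked in the post before relying on these numbers.
MIN_PATCHED = {(3, 1): (3, 1, 22), (5, 0): (5, 0, 13), (6, 0): (6, 0, 1)}

# ASSUMPTION: end-of-support dates per Microsoft's published .NET support policy.
END_OF_SUPPORT = {
    (3, 1): date(2022, 12, 13),
    (5, 0): date(2022, 5, 10),
    (6, 0): date(2024, 11, 12),
    (7, 0): date(2024, 5, 14),
    (8, 0): date(2026, 11, 10),
}

# Constructed sample of `dotnet --list-runtimes` output (not captured from a real server).
SAMPLE_OUTPUT = """\
Microsoft.AspNetCore.App 3.1.10 [C:\\Program Files\\dotnet\\shared\\Microsoft.AspNetCore.App]
Microsoft.NETCore.App 3.1.10 [C:\\Program Files\\dotnet\\shared\\Microsoft.NETCore.App]
Microsoft.NETCore.App 3.1.22 [C:\\Program Files\\dotnet\\shared\\Microsoft.NETCore.App]
Microsoft.WindowsDesktop.App 6.0.0 [C:\\Program Files\\dotnet\\shared\\Microsoft.WindowsDesktop.App]
Microsoft.NETCore.App 6.0.1 [C:\\Program Files\\dotnet\\shared\\Microsoft.NETCore.App]
"""


class Runtime(NamedTuple):
    name: str
    version: tuple[int, int, int]
    path: str


class Finding(NamedTuple):
    runtime: Runtime
    status: str  # "UNPATCHED", "EOL" or "UNKNOWN"
    detail: str


def parse_runtimes(text: str) -> list[Runtime]:
    """Parse `dotnet --list-runtimes` output; lines that do not match the format are ignored."""
    runtimes = []
    for line in text.splitlines():
        m = RUNTIME_LINE.match(line.strip())
        if not m:
            continue
        version = tuple(int(p) for p in m["version"].split("."))
        runtimes.append(Runtime(m["name"], version, m["path"]))
    return runtimes


def assess(runtimes: list[Runtime], today: date) -> list[Finding]:
    """Return one Finding per problem; a runtime can be both unpatched and past support."""
    findings = []
    for rt in runtimes:
        band = rt.version[:2]  # major.minor, e.g. (3, 1)
        eol = END_OF_SUPPORT.get(band)
        minimum = MIN_PATCHED.get(band)
        if eol is None and minimum is None:
            findings.append(Finding(rt, "UNKNOWN", "no patch or support data for this version band"))
            continue
        if eol is not None and today > eol:
            findings.append(Finding(rt, "EOL", f"support ended {eol.isoformat()}"))
        if minimum is not None and rt.version < minimum:
            findings.append(Finding(rt, "UNPATCHED", "below " + ".".join(map(str, minimum))))
    return findings


def audit(listing: str, today_iso: str) -> list[Finding]:
    """Parse and assess in one call; `today_iso` is the reference date as YYYY-MM-DD."""
    return assess(parse_runtimes(listing), date.fromisoformat(today_iso))


def main() -> None:
    out = subprocess.run(["dotnet", "--list-runtimes"], capture_output=True, text=True, check=True).stdout
    findings = audit(out, date.today().isoformat())
    if not findings:
        print("OK: every listed runtime is at or above the patched build and still in support")
    for f in findings:
        ver = ".".join(map(str, f.runtime.version))
        print(f"{f.status:9} {f.runtime.name} {ver} ({f.detail}) -> {f.runtime.path}")


if __name__ == "__main__":
    main()
```

Run it once per Veeam server and treat any `UNPATCHED` line as a reason to install the update from the link in the post. One caveat: `dotnet --list-runtimes` only enumerates the shared runtimes under the dotnet root of the executable you invoked, so a plug-in deployed as a self-contained application carries its own copy of the runtime and will not appear here; check those install directories separately.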

9 comments

Userlevel 7
Badge +9

This vulnerability was released on Dec 14, 2021. Is there a new one? https://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-43007/Microsoft-.net-Core.html 

Userlevel 4
Badge +1

This vulnerability was released on Dec 14, 2021. Is there a new one? https://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-43007/Microsoft-.net-Core.html 

No, but I didn’t find it mentioned..

Userlevel 7
Badge +14

Thanks for the hint @vergoted! I haven't heard about this one before. If I get it right, you would need local access to the backup server in order to exploit it?

Userlevel 7
Badge +13

This one?
https://www.cvedetails.com/cve/CVE-2021-34485/

Has a very low score… but thanks for sharing! :)

Userlevel 7
Badge +14

Thank you for taking the time to share.

Userlevel 4
Badge +1

This one?
https://www.cvedetails.com/cve/CVE-2021-34485/

Has a very low score… but thanks for sharing! :)

This was the CVE I mentioned.
https://www.cvedetails.com/cve/CVE-2021-43877/ 
has a somewhat higher CVSS score, but still low (4.6).

Userlevel 6
Badge +1

Don’t know about other companies, but here everything .NET 3.1.x related was wiped from all servers and only .NET 6.x is now allowed. .NET 3.1.x has been EOL since 12/22; it was an LTS release, released three years ago. New LTS releases 6.x and 8.x are available. 

The dependency on .NET 3.1.x broke Veeam One Reporter and the VB4Azure plugin. And even worse, Veeam One 12 still has the dependency on 3.1.x. 

This really leaves me wondering how this could either have been missed, or why it was silently accepted by Veeam. 
Userlevel 7
Badge +9

Don’t know about other companies, but here everything .NET 3.1.x related was wiped from all servers and only .NET 6.x is now allowed. .NET 3.1.x has been EOL since 12/22; it was an LTS release, released three years ago. New LTS releases 6.x and 8.x are available. 

The dependency on .NET 3.1.x broke Veeam One Reporter and the VB4Azure plugin. And even worse, Veeam One 12 still has the dependency on 3.1.x. 

This really leaves me wondering how this could either have been missed, or why it was silently accepted by Veeam. 
I actually had this concern in my comment on this post. Kindly take a look at @marcofabbri's input; that might help…
Userlevel 6
Badge +1

I know how to update to the latest 3.1.x. This does not help, as 3.1.x is simply EOL and considered evil.