Monitoring and reporting for Veeam Data Platform
pmichelli
Expert
Posts: 116
Liked: 31 times
Joined: Mar 16, 2023 5:47 pm

.NET CVE Questions

Post by pmichelli »

Hello team.

If this warrants an SR, please let me know and I will open one. My security team has identified some CVEs in .NET on our Veeam ONE server. I just need some clarification.
Per your KB, the latest builds require .NET 8.0. We have Microsoft ASP.NET Core 8.0.10 Shared Framework installed, but I am also seeing that we have the following installed:

Microsoft .NET Runtime 6.0.14 (x64)
Microsoft ASP.NET Core 6.0.24 Shared Framework

I recall the last time my sec team asked me to upgrade .NET, it broke the entire app and I had to restore from backup.

Here is the link to the CVE (it shows 8.0.10 is OK); it's complaining about the 6.x versions. Can I safely remove these?

https://www.cve.org/CVERecord?id=CVE-2024-43485
https://helpcenter.veeam.com/docs/one/d ... ml?ver=120

Thanks as always!
jorgedlcruz
Veeam Software
Posts: 1555
Liked: 671 times
Joined: Jul 17, 2015 6:54 pm
Full Name: Jorge de la Cruz

Re: .NET CVE Questions

Post by jorgedlcruz »

Hello,
What version are you currently running? We upgraded the .NET 8.0.7 as per https://helpcenter.veeam.com/docs/one/d ... ml?ver=120

If you come from an upgrade, that might explain why the old versions are still there. I would create a snapshot/backup, and remove them without any problem.

If you want more peace of mind, please open an SR, so the team can assess a bit better, look at the logs, etc.

Keep us posted!
Jorge de la Cruz
Senior Product Manager | Veeam ONE @ Veeam Software

@jorgedlcruz
https://www.jorgedelacruz.es / https://jorgedelacruz.uk
vExpert 2014-2025 / InfluxAce / Grafana Champion
Parnassus
Influencer
Posts: 20
Liked: 6 times
Joined: Oct 01, 2019 7:36 am
Full Name: Davide Poletto

Re: .NET CVE Questions

Post by Parnassus »

Hi, have a read of this topic too (it's about .NET / ASP on VBR, but Veeam ONE was discussed too).

Our Veeam ONE 12.3.0 is currently running (only) with .NET 8.0.14 components, which are the latest (and a Security Fix):
  • Microsoft ASP.NET Core Runtime 8.0.14
  • Microsoft .NET Desktop Runtime 8.0.14
Cheers, Davide.

Re: .NET CVE Questions

Post by jorgedlcruz »

Thank you for the update Davide,
Yes, I think it is safe to remove those components if running the latest versions of our products, because we addressed it already.

I would recommend the usual snapshot/backup before doing so, and have access to our support portal just in case. But everything should be fine.

Thanks for the information
Jorge de la Cruz
Senior Product Manager | Veeam ONE @ Veeam Software

@jorgedlcruz
https://www.jorgedelacruz.es / https://jorgedelacruz.uk
vExpert 2014-2025 / InfluxAce / Grafana Champion
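
An inventory check for the situation discussed in this thread, added here as an example and not taken from any post or from Veeam: it parses `dotnet --list-runtimes` and marks runtimes from a major version other than the one the product requires, or below a chosen patch floor. The function name `Get-RuntimeFinding`, its parameters and the `-UseSample` switch are hypothetical; the defaults (major 8, floor 8.0.10) come from the first post, and the script assumes the `dotnet` host is on PATH.

```powershell
# Added example (not Veeam code). Run on the server before and after removing old runtimes.
param(
    [int]$RequiredMajor = 8,              # thread: latest Veeam ONE builds require .NET 8.0
    [version]$MinimumPatched = '8.0.10',  # thread: 8.0.10 is not flagged for the linked CVE
    [switch]$UseSample                    # use the constructed lines below instead of dotnet
)

# Constructed sample in the format of 'dotnet --list-runtimes', using versions from the thread.
$sample = @(
    'Microsoft.NETCore.App 6.0.14 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]'
    'Microsoft.AspNetCore.App 6.0.24 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]'
    'Microsoft.AspNetCore.App 8.0.10 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]'
)

function Get-RuntimeFinding {
    param([string[]]$Lines, [int]$RequiredMajor, [version]$MinimumPatched)
    foreach ($line in $Lines) {
        # Expected shape: <framework name> <version>[-prerelease] [<install path>]
        if ($line -match '^(?<name>\S+)\s+(?<ver>\d+\.\d+\.\d+)(?<pre>-\S+)?\s+\[(?<path>.+)\]$') {
            $name = $Matches['name']
            $path = $Matches['path']
            $version = [version]$Matches['ver']
            $status = if ($version.Major -ne $RequiredMajor) {
                'OtherMajor'       # likely left over from an upgrade; review before removal
            } elseif ($version -lt $MinimumPatched) {
                'BelowMinimum'     # required major, but older than the patch floor
            } else {
                'OK'
            }
            [pscustomobject]@{
                Name    = $name
                Version = $version
                Status  = $status
                Path    = $path
            }
        }
    }
}

$lines = if ($UseSample) { $sample } else { & dotnet --list-runtimes }
Get-RuntimeFinding -Lines $lines -RequiredMajor $RequiredMajor -MinimumPatched $MinimumPatched |
    Sort-Object Name, Version |
    Format-Table -AutoSize
```

With `-UseSample`, both 6.0.x entries come back as `OtherMajor` and the 8.0.10 entry as `OK`. A status of `OtherMajor` only identifies the runtime; whether anything else on the server still depends on it has to be confirmed separately.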