Score:0

Issues updating .NET Core - what patch am I supposed to use?

For a while now our vulnerability scanner has been detecting out-of-date .NET components on one of our servers and a management workstation; this is related to some software we recently deployed on it. However, none of my attempts to fix the issue make this go away, including the link in the finding itself that allegedly leads to the solution.

Finding claims this:

    Path              : C:\Program Files\dotnet\shared\Microsoft.NETCore.App\3.1.22\
      Installed version : 3.1.22
      Fixed version     : 3.1.30

Apparently this is quite some months behind even our installation date, which is vexing. The link to the solution given is this:

https://dotnet.microsoft.com/en-us/download/dotnet/3.1

I last attempted a fix when Version 3.1.29 was still the most recent, and none of the obvious patches work. Even trying to install every x64 version on that page gets me nowhere (indeed one of the x64 installers actually introduces a vulnerability in the x86 filepath). I have pushed a KB associated with this in our WSUS - KB5019349 - but even that just gets stuck with "Error 0x80244019".

I suspect there's more to this update than I am understanding. How on earth am I expected to keep this file updated, where do I get the real update, and how is it supposed to deploy?

If you have 3.1.30 installed, and any applications are tested and configured to use that, then the action would be to remove the vulnerable version 3.1.22. https://learn.microsoft.com/en-us/dotnet/core/additional-tools/uninstall-tool?tabs=windows . Also note that .NET Core 3.1 is EOL on December 13, 2022. So any and all 3.1 versions will be flagged as vulnerable after that date. https://devblogs.microsoft.com/dotnet/october-2022-updates/ https://devblogs.microsoft.com/dotnet/net-core-3-1-will-reach-end-of-support-on-december-13-2022/
Score:1

I was able to patch this using the Visual Studio Installer application; by running an update through there for the installed application, the file was updated and the associated vulnerability remediated.
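
An added example, not code from any poster in this thread: .NET Core runtimes install side by side, so a newer 3.1.x can sit next to the 3.1.22 folder the scanner keeps flagging. This PowerShell sketch lists every versioned runtime folder in the same major.minor band that is older than the "Fixed version" from the finding, under both the x64 and x86 roots. The function name is hypothetical and the default install roots are an assumption.

```powershell
# Added example: inventory side-by-side .NET runtime folders older than a fixed version.
# The default for $FixedVersion is the "Fixed version" quoted in the scanner finding.
param(
    [version]$FixedVersion = '3.1.30',
    # Assumed default install roots (x64 and x86); adjust for custom installs.
    [string[]]$DotnetRoots = @(
        "$env:ProgramFiles\dotnet",
        "${env:ProgramFiles(x86)}\dotnet"
    )
)

function Get-OutdatedDotnetRuntime {   # hypothetical helper name
    param([version]$FixedVersion, [string[]]$DotnetRoots)

    foreach ($root in $DotnetRoots) {
        $shared = Join-Path $root 'shared'
        if (-not (Test-Path -LiteralPath $shared)) { continue }

        # Layout: shared\<FrameworkName>\<Version>\ (one folder per installed version)
        foreach ($framework in Get-ChildItem -LiteralPath $shared -Directory) {
            foreach ($dir in Get-ChildItem -LiteralPath $framework.FullName -Directory) {
                $v = $null
                # Skip folder names that do not parse as a plain version (e.g. previews)
                if (-not [version]::TryParse($dir.Name, [ref]$v)) { continue }

                # Only compare within the same major.minor band as the fixed version
                if ($v.Major -eq $FixedVersion.Major -and
                    $v.Minor -eq $FixedVersion.Minor -and
                    $v -lt $FixedVersion) {
                    [pscustomobject]@{
                        Framework = $framework.Name
                        Version   = $v
                        Path      = $dir.FullName
                    }
                }
            }
        }
    }
}

Get-OutdatedDotnetRuntime -FixedVersion $FixedVersion -DotnetRoots $DotnetRoots |
    Sort-Object Path | Format-Table -AutoSize
```

An empty result means no folder of that band below the fixed version remains; any row returned is a path a file-based scanner can still report even after a newer patch has been installed.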
