...
BugZero found this defect 607 days ago.
This article documents how to upgrade the .NET 3.1.x and ASP.NET 3.1.x runtime to the latest version when using Veeam ONE 12 GA (build 12.0.0.2498) or lower. For a list of all versions and build numbers of Veeam ONE, refer to: KB4357 Veeam ONE versions 12 GA (build 12.0.0.2498) or lower utilized .NET and ASP.NET 3.1.x runtime components for multiple purposes (e.g., Reporting, Web Services, and more). The December 2022 Microsoft Security Updates comes with a remote code execution vulnerability fix for NET Core 3.1, .NET 6.0, and .NET 7.0. Those packages should be updated to maintain security.
Software Dependencies If you have Veeam ONE 12 GA (build 12.0.0.2498) or lower installed, do not uninstall .NET Core 3.1.x or ASP.NET 3.1.x. Uninstalling them will cause issues with those older versions of Veeam ONE. Even if newer versions of .NET (e.g., 6.x or 7.x) are installed, those older versions of Veeam ONE still require .NET Core 3.1.x and ASP.NET 3.1.x.
Microsoft Security Advisory CVE-2022-41089 | .NET Remote Code Execution Vulnerability Microsoft DevBlog: .NET December 2022 Updates – .NET 7.0.1, .NET 6.0.12, .NET Core 3.1.32 .NET Core 3.1 Known Issues .NET Framework Remote Code Execution Vulnerability - CVE-2022-41089