bseklecki_ge
Member
All:
I've been chasing down some vulnerabilities found by Nessus scans of my NTLite resultant image.
Nessus Plugins 139598 & 138464 keep firing, complaining that the version of "system.web.dll" in [C:\windows\microsoft.net\platform\v2.xxx\] is not patched, and the remediation recommendation from Nessus/Tenable is:
- Apply the October 2020 Cumulative Update for DotNet3.5+4.8
(KB4578969 on WinSvr2016 v1607 (Or on Windows 10 v1809: KB4569750 + KB5004332)
I did manually confirm that my resulting NTLite image has the old DLL version, despite building DotNet3.5+4.8 CU from August or July 2021 (KB4578969)
(And of course, plus the latest SSU+OS CU)
So I'm yet at a loss to explain it, I'm going to run through the application process manually and watch for changes to system.web.dll at each step of the process.
But my question was going to be:
I'm adding DotNet3.5 optional feature via NTLite
Is it possible that NTLite is applying KBs before adding DotNet3.5 optional feature?
(And thus, everything from DotNet3.5 is not receiving the KB updates?)
Seems like a thin theory, I'll delete this post if I find out this problem was user error >:}
----------
Nessus Plugin: 139598
https://www.tenable.com/plugins/nessus/139598
CVE-2020-1476
Nessus Plugin: 138464
CVE-2020-1147
I've been chasing down some vulnerabilities found by Nessus scans of my NTLite resultant image.
Nessus Plugins 139598 & 138464 keep firing, complaining that the version of "system.web.dll" in [C:\windows\microsoft.net\platform\v2.xxx\] is not patched, and the remediation recommendation from Nessus/Tenable is:
- Apply the October 2020 Cumulative Update for DotNet3.5+4.8
(KB4578969 on WinSvr2016 v1607 (Or on Windows 10 v1809: KB4569750 + KB5004332)
I did manually confirm that my resulting NTLite image has the old DLL version, despite building DotNet3.5+4.8 CU from August or July 2021 (KB4578969)
(And of course, plus the latest SSU+OS CU)
So I'm yet at a loss to explain it, I'm going to run through the application process manually and watch for changes to system.web.dll at each step of the process.
But my question was going to be:
I'm adding DotNet3.5 optional feature via NTLite
Is it possible that NTLite is applying KBs before adding DotNet3.5 optional feature?
(And thus, everything from DotNet3.5 is not receiving the KB updates?)
Seems like a thin theory, I'll delete this post if I find out this problem was user error >:}
----------
Nessus Plugin: 139598
https://www.tenable.com/plugins/nessus/139598
CVE-2020-1476
Nessus Plugin: 138464
Security Updates for Microsoft .NET Framework (July 2020)
The Microsoft .NET Framework installation on the remote host is missing a security update. (Nessus Plugin ID 138464)
www.tenable.com