According to Microsoft, I am told that the reason I still see .NET vulnerabilities on the Qualys Scan (even though I have installed the latest Cumulative Patch bundle) is because Qualys cannot recognize the cumulative patches; it is looking for the individual patches it specifically wants installed?
According to Microsoft, if Qualys says we need to install the following:
- .NET Security Update July 2017
- .NET Security Update June 2018
- .NET Security Update May 2018
and then we install the .NET Cumulative Security Update (which included all Security Updates going back to October of 2016), I will have patched the actual Vulnerability but Qualys will still report the server vulnerable because we did not install the individually recommended Security Updates.
Is this true and how can I get around this?