Package needs to be removed

Question

We have an Azure DevOps server 2020 installed on our on premises servers. The app tier is installed on two different servers. The InfoSec team has recommended to remove "Microsoft Visual C++ 2010 Redistributable Package" as this has been rated as a High vulnerability. I found that this package was installed when we upgraded the DevOps server from 2019 to 2020 during the upgrade. My question is, is there any impact by removing this package from both application servers?

We haven't tried it as it's a production enviornment, I need to get the feedback from Microsoft support team first before doing though.

Answer 1

If you remove the redist package, you will see an error on starting the Azure Devops services around starting up the web endpoints for Azure Devops.

If you inspect the Event Viewer, the error appears to be a dependency for SharpSVN.dll, which requires the VC++ 2010 redist. The error is registered under the w3wp process and is register as an Asp.Net warning.

Exception type: ConfigurationErrorsException 
Exception message: Could not load file or assembly 'SharpSvn.DLL' or one of its dependencies. The specified module could not be found.
   at System.Web.Configuration.ConfigUtil.GetType(String typeName, String propertyName, ConfigurationElement configElement, XmlNode node, Boolean checkAptcaBit, Boolean ignoreCase)
   at System.Web.Configuration.ConfigUtil.GetType(String typeName, String propertyName, ConfigurationElement configElement, Boolean checkAptcaBit)
   at System.Web.Configuration.Common.ModulesEntry.SecureGetType(String typeName, String propertyName, ConfigurationElement configElement)
   at System.Web.Configuration.Common.ModulesEntry..ctor(String name, String typeName, String propertyName, ConfigurationElement configElement)
   at System.Web.HttpApplication.BuildIntegratedModuleCollection(List`1 moduleList)
   at System.Web.HttpApplication.GetModuleCollection(IntPtr appContext)
   at System.Web.HttpApplication.RegisterEventSubscriptionsWithIIS(IntPtr appContext, HttpContext context, MethodInfo[] handlers)
   at System.Web.HttpApplication.InitSpecial(HttpApplicationState state, MethodInfo[] handlers, IntPtr appContext, HttpContext context)
   at System.Web.HttpApplicationFactory.GetSpecialApplicationInstance(IntPtr appContext, HttpContext context)
   at System.Web.Hosting.PipelineRuntime.InitializeApplication(IntPtr appContext)

I've seen people talking about removing SharpSvn.dll, but I can't see how that will enable the web endpoints to operate as they seemingly require the dll.

At the moment, I think we're reliant on Microsoft patching DevOps 2020