The vulnerable runtime must be actively used to become a security risk. Cloud providers like Azure are responsible for keeping the framework they provide up to date. According to the CVE link, the fixed version is 7.0.19, which was released half a year ago. Azure should have already updated their provided version.
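One way to check the reply's point about which runtime an app actually uses, as an added example that is not part of the thread: it compares the framework an app requests in its `*.runtimeconfig.json` with the versions reported by `dotnet --list-runtimes`. The sample listing and configs are constructed, the function names are hypothetical, and version selection is simplified to the default roll-forward within one major.minor (custom roll-forward settings and self-contained apps are not handled).

```python
import json
import re

# Fixed version named in the thread for the 7.0 branch. Other branches are
# left out on purpose: take their fixed versions from the advisory itself.
FIXED = {(7, 0): (7, 0, 19)}
VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)")
RUNTIME_LINE = re.compile(r"^(\S+) (\d+)\.(\d+)\.(\d+) \[")

def installed_runtimes(listing):
    """Parse `dotnet --list-runtimes` output into {name: [(major, minor, patch)]}."""
    found = {}
    for line in listing.splitlines():
        m = RUNTIME_LINE.match(line.strip())
        if m:  # pre-release entries (e.g. 9.0.0-rc.1) do not match and are skipped
            found.setdefault(m.group(1), []).append(tuple(map(int, m.groups()[1:])))
    return found

def requested_frameworks(runtimeconfig_text):
    """Return [(name, version)] from a framework-dependent app's runtimeconfig.json."""
    opts = json.loads(runtimeconfig_text).get("runtimeOptions", {})
    entries = opts.get("frameworks") or ([opts["framework"]] if "framework" in opts else [])
    return [(e["name"], tuple(map(int, VERSION.match(e["version"]).groups()))) for e in entries]

def assess(listing, runtimeconfig_text):
    """For each framework the app requests, name the installed runtime it would load."""
    installed = installed_runtimes(listing)
    report = []
    for name, want in requested_frameworks(runtimeconfig_text):
        # Assumption: default roll-forward, simplified to "same major.minor,
        # highest installed patch at or above the requested version".
        candidates = [v for v in installed.get(name, []) if v[:2] == want[:2] and v >= want]
        chosen = max(candidates) if candidates else None
        fixed = FIXED.get(want[:2])
        if chosen is None:
            status = "not-installed"
        elif fixed is None:
            status = "branch-not-listed"
        else:
            status = "below-fixed" if chosen < fixed else "at-or-above-fixed"
        report.append((name, chosen, status))
    return report

# Constructed sample data: an old 7.0 patch left on disk beside a 9.0 runtime.
LISTING = r"""Microsoft.NETCore.App 7.0.5 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 9.0.0 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]"""
NET9_APP = '{"runtimeOptions": {"tfm": "net9.0", "framework": {"name": "Microsoft.NETCore.App", "version": "9.0.0"}}}'
NET7_APP = '{"runtimeOptions": {"tfm": "net7.0", "framework": {"name": "Microsoft.NETCore.App", "version": "7.0.0"}}}'

if __name__ == "__main__":
    print("net9 app:", assess(LISTING, NET9_APP))
    print("net7 app:", assess(LISTING, NET7_APP))
```
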
According to a Microsoft security advisory (CVE-2024-30046)
https://github.com/dotnet/announcements/issues/308
"Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 7.0 and .NET 8.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability."
.NET 7 must be updated in order to comply, but what if the SDK is installed on an App Service in Azure?
You can't log in like it is a VM and just uninstall it; you also cannot remove the files manually in Kudu because they are protected.
I have an App Service that was running .NET 7 and was upgraded to .NET 9, but the .NET 7 files still exist and pose a security risk according to CVE-2024-30046.
Is there a way to properly comply with the advisory?