We did not release any security updates for SharePoint (2010, 2013, 2016, 2019) or Office Online Server in December.
More information:
Permalink
Hey Stefan,
is this not a fix for SharePoint? https://support.microsoft.com/de-de/help/4484177/december-10-2019-update-for-sharepoint-server-2019-kb4484177
Thx
Peter
Permalink
Good morning, Stefan
I see that there is an update for Office Online Server at the following, is this valid? https://support.microsoft.com/en-us/help/4484175/december-10-2019-update-for-office-online-server-kb4484175
Thank you.
Daniel
Permalink
Hi Daniel,
yes it is valid but it is not a security fix.
Cheers,
Stefan
Permalink
What about these https://support.microsoft.com/en-us/help/4532624/december-2019-updates-for-microsoft-office
Permalink
Hi Travis,
this article includes security and non-security updates for Office and SharePoint. As you can see none of the SharePoint fixes is a security fix.
Cheers,
Stefan
Permalink
Hello Stefan, Yesterday there was a security bulletin published: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1491
It stands for SharePoint 2013 SP1, SharePoint 2010 SP2, SharePoint 2016 and SharePoint 2019
Permalink
Hi Greg,
that's correct – the bulletin was released yesterday.
But if you check the KB articles for the patches you will see that the fixes were all released already in November 2019 PU.
Cheers,
Stefan
Permalink
Hi Stefan,
thanks for clearing up/confirming how this works.
So if my SP Farm is running CU 2019-11 or higher, I am not affected, and the heise article is incorrect as this is not an “out of the ordinary update” but rather an “out of the ordinary message about an old update”, correct? And https://www.heise.de/security/meldung/Microsoft-patcht-SharePoint-Server-ausser-der-Reihe-4619677.html is technically incorrect?
Thanks for doing the good work and Merry Christmas 🙂
Adrian
Permalink
Hi Adrian,
please have a look at the Description in the “Revisions” section of the CVE:
“Information published. This CVE has been added to this month’s Security Updates. This is an informational change only. Customers who have successfully installed the applicable updates do not need to take any further action.”
As you can see no binaries have been published – only an informational change.
There is already a comment on the heise article from a user which pointed out that the fixes are for November and that this is most likely an issue already fixed a while back.
Nothing to add here from my side.
Cheers,
Stefan
Permalink
Hi Stefan,
Our security department sent me this new vulnerability that was released Yesterday (12/17/19) https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1491
Can you confirm the following
I will need to run the config wizard after I install the patch
There is no minimum current build that my SharePoint farm (2013 – 15.0.4995.1000) needs to be on before I can install this patch.
Thanks for your time
Permalink
Hi Dan,
the config wizard is required after ALL SharePoint fixes. No exceptions.
Technically only SP1 is required to install the fix but from a support perspective your system is unsupported if you did not install at least April 2018 CU before as older patch levels are no longer supported.
See here for details:
https://blog.stefan-gossner.com/2017/12/13/updated-product-servicing-policy-for-sharepoint-2013/
Cheers,
Stefan
Permalink
That is great to know. Now a quick follow-up question. If my security department can't wait until this patch is in the January CU and I need to install the Dec 2019 CU and this patch, can I install them both and then run the config wizard after, or do I have to install them separately and then run the config wizard twice?
Permalink
Hi Dan,
if you check the KB articles you will notice that these fixes were all released in November PU already. Only the security bulletin was released this week.
So if you install December CU the November PU fixes are included.
Second: you can install as many patches as you like and only run the config wizard once at the end.
Cheers,
Stefan
Permalink
I really appreciate the help on this. You saved me a lot of time….
Permalink
Hi Stefan, SharePoint Server 2013 is not affected, only SharePoint Foundation 2013, so a SharePoint Server 2013 Farm doesn’t need to be fixed, right?
Permalink
Hi Daniel,
that’s not correct. SharePoint Foundation is an integral part of SharePoint Server. All SharePoint Foundation security fixes apply also to SharePoint Server.
Cheers,
Stefan
Permalink
Hi Stefan, We applied the November CU already in all our farms (SP 2013, 2016 & 2019). The KBs mentioned in the article below point to the November CU only. What’s the action we need to take now?
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1491
Permalink
Hi Karthikeyan,
none. As you can read for yourself in the “Revisions” section of the CVE:
“…This is an informational change only. Customers who have successfully installed the applicable updates do not need to take any further action…”
Cheers,
Stefan
Permalink
Hi Stefan,
For this CVE-2019-1491 vulnerability.
https://www.us-cert.gov/ncas/current-activity/2019/12/18/microsoft-releases-information-cve-2019-1491
If we apply SharePoint 2016 November 2019 CU (KB 4484147), then it should cover this vulnerability.
Can you confirm?
Thanks as always
Henry
Permalink
Hi Henry,
that is NOT correct. You need to apply the language independent fix from November CU for this specific issue:
https://support.microsoft.com/help/4484143
You can see this info in the CVE article:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1491
Thanks,
Stefan
Permalink
Thanks Stefan as always.
Permalink
Hi Stefan, what happened to SharePoint 2010 CU updates after December? Nothing for Jan and Feb. Has Microsoft already pulled the plug?
Permalink
Hi Oday,
we can only fix something if something is broken.
Cheers,
Stefan