SharePoint security fixes released with January 2020 PU and offered through Microsoft Update

As I received some feedback that I should also add the Urls to the KB articles of the different security fixes I added this information to my blog post.

SharePoint 2010 Suite:

  • None

SharePoint 2013 Suite:

  • None

SharePoint 2016 Suite:

  • None

SharePoint 2019 Suite:

  • None

Office Online Server:

  • KB 4484223 – Office Online Server
See the Security Update Guide below for more details about the relevant fixes:

More information:

18 Comments


  1. Hello Stephan,
    Are you aware of the release of this month’s security fixes for SharePoint 2013 SP1?
    i run a check with my WSUS and for now i dont see anything 🙁

    Thank you!

    Reply

    1. Hi Roberto,
      as you can see in the list above no security fixes were released for SharePoint 2013.
      cheers,
      Stefan

      Reply

      1. Thank you Stefan! Have a nice evening

        Reply

        1. Hi Gene,
          this blog post communicates Security fixes released in January 2020. The other blog post communicates all fixes released in January 2020. We only released non-security fixes in January 2020.

          Please let me know if you have further questions.

          Cheers,
          Stefan

          Reply

  2. Hi Stefan, and any other readers out there!

    I would need some advice on how to best handle SharePoint 2016 updates via WSUS. I’m also curious about how others do it.

    Is it best practice – or even a good idea? – to deploy SharePoint updates via WSUS? I am a bit hesitant, given that you still need to run the Config Wizard etc.

    And another challenge is that WSUS often delivers only 50% of a given SP CU. For example, in Nov 2019 only KB4484143 was distributed (#1) via WSUS but as you listed (#2), a complete Nov 2019 CU installation requires 2 fixes, so KB4484147 will not be installed via WSUS.

    I’m not super-excited about the prospect of having Windows server admins automatically installing 50% of a CU via WSUS, leaving me with my farm binaries in a “messy” state that I don’t feel 100% in control of. I would need to double-check what was installed on all servers and then manually install the 2nd CU KB, run the Config Wizard, preferably install using a patch script that stops services, pause the Search first; you know the drill.

    To be more in control, I would rather tell Windows server admins to not publish anything SharePoint-related at all via WSUS, and to let me manually install SharePoint CU:s once a month. I’d install both KB:s at the same time, the usual way. And by keeping Windows server patching and SP CU installation separate, it will be easier to troubleshoot SharePoint if something breaks.

    Grateful for any thoughts!

    #1 Security fixes via Microsoft Update in Nov 2019
    https://blog.stefan-gossner.com/2019/11/12/sharepoint-security-fixes-released-with-november-2019-pu-and-offered-through-microsoft-update/#comment-7812

    #2 SharePoint 2016 – Nov 2019 CU
    https://blog.stefan-gossner.com/2019/11/12/november-2019-cu-for-sharepoint-server-2016-is-available-for-download/

    Reply

    1. Hi Will,
      I would strongly discourage automatic update of productive SharePoint servers. There are several reasons including the following:
      1) As you cannot uninstall SharePoint patches it is recommended to evaluate all SharePoint fixes in a test environment which resembles the production environment to ensure that the fix does not produce negative side effects for your specific configuration.
      2) To enable zero downtime patching servers in the farm needs to be patched in a specific sequence which also involves steps to reconfigure that load balancer several times during the patching process.
      3) The configuration wizard needs to be run after all machines in the farm have been updated
      Cheers,
      Stefan

      Reply

      1. Thanks for your reply Stefan! And excellent points, I strongly agree.

        To be honest, I don’t understand why Microsoft publishes SharePoint patches via automatic channels/WSUS to begin with, since the product is so clearly not suited at all for it. I’m thinking that it’s just to be able to say that “we have automatic distribution channels for security fixes for all our products”, even though in practice it’s not feasible at all for some of them.

        Wouldn’t you also say that it’s very unfortunate that WSUS often publishes just 50% of CU:s? I just want to get some confirmation that I’m not crazy thinking that… Sure, automatically publishing fixes for SharePoint is not a good idea, but I’d say it’s even worse to offer just half of what’s needed.

        Thank you so much for all your helpful input. SharePoint Server-land would be a lot harder to navigate without your expertise! (I’d put a smiley here, but won’t as they become gigantic here for some reason.)

        Reply

        1. Hi Will,
          WSUS will only ships packages with security fixes. Those packages which do not carry security fixes are not provided. This is by design and expected.
          Installing only the security fixes is supported but not recommended.
          Cheers,
          Stefan

          Reply

          1. …and therein lies the core of the conflict: WSUS only ships packages with security fixes – but plain security fixes does not exist in SharePoint and never existed. And add to that all the complexity of SharePoint and all the manual steps needed: It’s a mystery that WSUS carries SharePoint updates!

            Thanks again Stefan!


  3. A bit confused, we are on SharePoint 2016 November CU (deployed both files manually back in early December). NESSUS detects a September KB missing. I confirmed, I don’t see the KB numbers in CA.

    Is this a false positive or perhaps NESSUS/Microsoft doesn’t have it identified as superseded?
    Should we install each month or just the latest?
    Do these become superseded in a future CU?

    KB4475590 – Description of the security update for SharePoint Enterprise Server 2016: September 10, 2019
    https://support.microsoft.com/en-us/help/4475590/security-update-for-sharepoint-enterprise-server-2016

    KB4475594 – Description of the security update for SharePoint Enterprise Server 2016: September 10, 2019
    https://support.microsoft.com/en-us/help/4475594/security-update-for-sharepoint-server-2016

    Could Microsoft make this any more confusing (this is rhetorical, NO!, Microsoft don’t get any ideas).

    Reply

    1. Hi Matt,
      I do not know NESSUS and cannot comment on what it does to detect required patches but if you successfully installed both patches (language dependent and language independent) then your system is fully patched as SharePoint patches are cumulative.

      Cumulative in this context means that
      – the language independent fix for November CU includes all language independent patches since RTM and
      – the language dependent fix for November CU includes all language dependent patches since RTM

      Cheers,
      Stefan

      Reply

      1. Thank you, that is my understanding as well, was just caught by surprise when the KBs were not found and detected as missing. Now I just have to provide a answer to Security Team and hope they accept the conclusion as a false positive.

        For the record, NESSUS is a common security suit for vulnerability scanning, https://www.tenable.com/products/nessus.

        Reply

  4. You’re not the only one having, issues Matt.

    Looking at the raw plugin info, it looks different than other month’s plugins.
    Raw Sept plugin: https://vulners.com/nessus/SMB_NT_MS19_SEP_OFFICE_SHAREPOINT.NASL

    SEPT has some things for the detection of KB 4475594 commented out for some reason. (I don’t fully understand how these are detecting though, so take this with a grain of salt.)

    Here’s August, it doesn’t have these sections commented out:
    https://vulners.com/nessus/SMB_NT_MS19_AUG_OFFICE_SHAREPOINT.NASL

    Reply

  5. Stefan,
    This KB4484223 is intended for which version of Office Online Server? I’m trying to determine if it is relevant for our SharePoint 2016 on -premise farm, or if, as the file name (wacserver2019-kb4484223-fullfile-x64-glb.exe) indicates “2019”, this is relevant only to a 2019 farm?
    Thank you, Suzanne

    Reply

    1. Hi Suzanne,

      there is only one version of Office Online Server.
      Office Online Server works with both SharePoint Server 2016 and 2019.

      Cheers,
      Stefan

      Reply

      1. It would be helpful if you could break Office Online Server into a separate post. I forget to look at SharePoint 2019’s post to find it and also it is a separate product.

        Reply

        1. Ok, good idea. Will do it going forward.

          Reply

Leave a Reply to Stefan Goßner Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.