Below are the security fixes for the SharePoint OnPrem versions released this month.
SharePoint 2010 Suite:
- KB 4486708 – SharePoint Foundation 2010
- KB 4484531 – Excel Services for SharePoint Server 2010
- KB 4462175 – Excel Web App 2010
SharePoint 2013 Suite:
- KB 4486694 – SharePoint Foundation 2013 (core component)
- KB 4486687 – Excel Services for SharePoint Server 2013
- KB 4486689 – Office Web Apps Server 2013
SharePoint 2016 Suite:
- KB 4486677 – SharePoint Server 2016 (language independent)
SharePoint 2019 Suite:
- KB 4486676 – SharePoint Server 2019 (language independent)
Office Online Server:
- KB 4486674 – Office Online Server
See the Security Update Guide below for more details about the relevant fixes:
More information:
Please ensure to have a look at the SharePoint Patching Best Practices before applying new fixes.
Permalink
Hi Stefan! I see you left off KB4484453 for Server 2019. Was that intentional?
Permalink
disregard. I had a bad number on my list
Permalink
The September Issue – ‘after installing September 2020 CU and PU custom pages and controls fail to render’ is fix include in Oct Patches
Permalink
Hi Prasad,
I assume this is a question?
In September a security fix tightend the security requirements for code integrated with SharePoint.
It now requires to explictely mark such pages and controls as enabled.
This is not something that will be reverted – that is the new expected behavior.
Cheers,
Stefan
Permalink
Hi,
Does CVE-2020-16952 (in KB 4486694) vulnerability also apply to Sharepoint 2013 Enterprise Server?
Should this patch be applied to 2013 Enterprise Server in that case?
Permalink
Hi Erik,
all SharePoint Foundation security fixes apply also to SharePoint Server as SharePoint Foundation is part of SharePoint Server.
With other words: YES.
Cheers,
Stefan
Permalink
Hi Stefan,
I did not install the September CU, but directly the October CU. Now I have this error on search pages “Unknown server tag ‘SharePoint:BrowseStyleBlock’.”
Application error when access /s/Pages/default.aspx, Error=Unknown server tag ‘SharePoint:BrowseStyleBlock’.
at System.Web.UI.TagPrefixTagNameToTypeMapper.System.Web.UI.ITagNameToTypeMapper.GetControlType(String tagName, IDictionary attribs)
at System.Web.UI.MainTagNameToTypeMapper.GetControlType(String tagName, IDictionary attribs, Boolean fAllowHtmlTags)
at System.Web.UI.RootBuilder.GetChildControlType(String tagName, IDictionary attribs)
at System.Web.UI.ControlBuilder.CreateChildBuilder(String filter, String tagName, IDictionary attribs, TemplateParser parser, ControlBuilder parentBuilder, String id, Int32 line, VirtualPath virtualPath, Type& childType, Boolean defaultProperty)
at System.Web.UI.TemplateParser.ProcessBeginTag(Match match, String inputText)
at System.Web.UI.TemplateParser.ParseStringInternal(String text, Encoding fileEncoding)
I saw this mentioned in your September CU post comments, where you said this had probably nothing to do with a blocked page or control. Do you have any idea what this could be?
Thank you and best regards,
Luzi
Permalink
Hi Luzi,
please install the complete October CU and verify if the issue is gone.
There might be a dependency between the security fix binaries and the non-security fixes which causes this.
Cheers,
Stefan
Permalink
I have installed the complete October CU and PSCOFIG did not throw any errors. But thank you for your feedback.
Permalink
In this case you should open a support case with Microsoft to get this analyzed.
Permalink
hi stefan,
you replied to erik on 14th oktober that i (and he) have to install this SharePoint Foundation security fix although we run sharepoint 2013 Enterprise Server sp1. i will do that then but do i have to install SharePoint Foundation security fixes as well if there are also sharepoint 2013 Enterprise Server fixes avaiable?? (like last month )
greet Bauke
Permalink
Hi Bauke,
SharePoint foundation security fixes always have to be applied on SharePoint server.
SharePoint foundation is one of many components of SharePoint server which can be patched.
Cheers,
Stefan
Permalink
On SharePoint 2016 I am getting this: VERSION LOG (GET): Upgrade object too new. Current versions: (build version = 16.0.5071.1000, schema version = 16.1.317.0). Target versions: (build version = 16.0.4966.1000, schema version = 16.1.316.0). (EventID:ajyxu), any hint?
Permalink
Hi Haaron,
It looks as if you are trying to run PSConfig on a machine which has February 2020 CU installed (16.0.4966.1000) while the databases have already been upgraded to October 2020 CU (16.0.5071.1000).
Cheers,
Stefan
Permalink
Hi,
I just want to make sure,
configuration wizard is not mentioned in the installation process for the security fixes, it means that no conf. wiz. or upgrade DB is required, right?
thanks!
Permalink
Hi David,
this assumption is wrong.
There is not a single SharePoint fix which would not require the config wizard.
With other words: you need to run the config wizard also after installing SharePoint security fixes.
Cheers,
Stefan
Permalink
ok, thanks.
Permalink
Hi Stefan, Gather this is spelling mistake?
SharePoint 2013 Suite:
KB 4486694 – SharePoint Foundation 2013 (core component)
KB 4486687 – Excel Services for SharePoint 2013 ——————- Meant to SharePoint Server 2013?
KB 4486689 – Office Web Apps Server 2013
Permalink
It was actually an abbreviation – but you are right, SharePoint Server 2013 is more correct.
I updated it.
Permalink
Hi Stefan,
When it comes to SharePoint 2013, regarding this statement from https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-16952 I have two questions::
“Exploitation of this vulnerability requires that a user uploads a specially crafted SharePoint application package to an affected version of SharePoint.”
1. I guess that this can happen only if you let the users to install their own apps (either from SharePoint app store or their own source), or not ?
2. Can the SharePoint farm be affected if they upload an app file to any document library (not app catalog)?
Thanks,
Lucian
Permalink
Hi Lucian,
unfortunately we are not allowed to discuss scecurity vulnerabilities and fixes.
We can only point to the official documentation which you have quoted above.
Cheers,
Stefan
Permalink
Hi Stefan,
We are experiencing an issue with the standard quick navigation bar on the left hand side after the complete October CU.
The menu stops rendering after a few days regardless of browser, clearing cache, resetting Internet Explorer and the like doesn’t resolve the issue. If a user uses a different client or browser on the same client, the menu renders for a some days until the same error occurs. Using the problematic browser in icoqnito doesn’t resolve the issue either.
Do you have any resolution to this weird behaviour?
Is this related to this: https://blog.stefan-gossner.com/2020/09/21/fix-regression-in-september-2020-cu-for-sharepoint-2019-affects-sites-with-modern-ui/
Permalink
Hi Christian,
I haven’t heard about this issue.
If you need assistance to get this isolated I would recommend to open a support ticket with Microsoft.
Cheers,
Stefan
Permalink
Hi Stefan, I am running a SharePoint 2010 Single-Server. After installing KB 4484391 the Server always get stuck after 2 days. I tried to restart DB Service, SharePoint Services and App-Pools but only a restart of the Server brings SharePoint back to life… Is there a known issue, which can be solved by configuration?
Many thanks in advance
Dirk
Permalink
Hi Dirk,
this is not a known issue.
My recommendation would be to open a support case with Microsoft. Performance Monitor log and Dump analysis might be required to identify what is causing this.
Cheers,
Stefan
Permalink
Thank you, I will try.
Permalink
Hi Stefan,
After we install KB 4486677 to our SharePoint 2016 farm, we are not able to upload larger than 100MB files. The error that we get while we are trying to upload a file is
{“error”:{“code”:”-1, Microsoft.SharePoint.Client.InvalidClientQueryException”,”message”:{“lang”:”en-US”,”value”:”The expression \”web/getFileByServerRelativeUrl(@file)/FinishUpload(uploadId=guid’c67ffddb-6aee-4a34-b401-714694a89cca’,fileOffset=109051904,checkInComment=)\” is not valid.”}}}
We couldn’t find any solution to this problem. Do you have any idea?
Thanks,
Guray.
Permalink
Hi Guray,
this is a known issue in October 2020 CU.
Upload using the ribbon should work.
I would recommend to open a support case with Microsoft to ensure that you get latest info on a fix when it becomes available.
Cheers,
Stefan
Permalink
Hi Stefan,
Upload using the ribbon is also not working.
We opened a support case, thanks for your response.
Guray.
Permalink
Hi Guray,
in some scenarios it does not work. You are right. The reason is that in the not working cases the upload.aspx page is opened which is affected. the uploadex.aspx page will work.
The workaround in case that upload in ribbon does not work is to use http://site_url/_layouts/15/uploadex.aspx
Cheers,
Stefan
Permalink
Hi. Just tested and the Nov CU does not fix upload of larger than 100 MB file issues.
What we found is that Explorer works, Upload via Ribbon (and upload link) works if the library is set to “Allow management of content types? ” = yes with no other changes.
Drag and drop not working at all for files larger than 100 MB. Was really hoping since known issue the Nov CU would have fixed. Just hoping now Dec CU will fix or special fix comes out without a support case.
Regards,
Joe
Permalink
Hi Joe,
see here for details:
https://blog.stefan-gossner.com/2020/11/10/trending-issue-upload-of-files-larger-than-100-mb-fails-since-october-2020-cu/
Cheers,
Stefan
Permalink
Stefan,
After installing KB4486694 we are experiencing the following issue when trying to open search service application. This is happing in multiple search service applications in different farms…
Sorry, something went wrong
The base type ‘Microsoft.Office.Server.Search.Internal.UI.SearchAdministration’ is not allowed for this page. The type Microsoft.Office.Server.Search.Internal.UI.SearchAdministration, Microsoft.Office.Server.Search, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c could not be found or it is not registered as safe.
Permalink
We are currently running SharePoint 2013 SP1 April 2020 cu build 15.0.5189.1000
Permalink
Hi Rich,
sounds as if you did not run the SharePoint configuration wizard after installing the update.
The config wizard adds the required updates to the web.config to avoid this error.
Cheers,
Stefan
Permalink
Hi Stefan,
Post October CU, we are experiencing issues while opening site which are having custom webparts (Newsgator).
We skipped the Sept CU, because it had few issues.
Are those issues fixes applied in October CU?
The control type ‘NewsGator.CorpComm.Core.WebParts.AdminConsole.NavigationWebPart’ is not allowed on this page. The type NewsGator.CorpComm.Core.WebParts.AdminConsole.NavigationWebPart, NewsGator.CorpComm.Core, Version=1.0.0.0, Culture=neutral, PublicKeyToken=4ec65f4d77045582 could not be found or it is not registered as safe.
Permalink
Hi Ali,
there is a misunderstanding: the behavior is expected and by design per the changes done by the security fix.
You need to update the web.config and explicitly allow all custom controls now.
See here for details:
https://blog.stefan-gossner.com/2020/09/25/trending-issue-after-installing-september-2020-cu-and-pu-custom-pages-and-controls-fail-to-render/
Cheers,
Stefan