SharePoint security fixes released with October 2020 PU and offered through Microsoft Update

Below are the security fixes for the SharePoint OnPrem versions released this month.

SharePoint 2010 Suite:

  • KB 4486708 – SharePoint Foundation 2010
  • KB 4484531 – Excel Services for SharePoint Server 2010
  • KB 4462175 – Excel Web App 2010

SharePoint 2013 Suite:

  • KB 4486694 – SharePoint Foundation 2013 (core component)
  • KB 4486687 – Excel Services for SharePoint Server 2013
  • KB 4486689 – Office Web Apps Server 2013

SharePoint 2016 Suite:

  • KB 4486677 – SharePoint Server 2016 (language independent)

SharePoint 2019 Suite:

  • KB 4486676 – SharePoint Server 2019 (language independent)

Office Online Server:

  • KB 4486674 – Office Online Server

See the Security Update Guide below for more details about the relevant fixes:

More information:

Please make sure to review the SharePoint Patching Best Practices before applying new fixes.

26 Comments


  1. Hi Stefan! I see you left off KB4484453 for Server 2019. Was that intentional?

    Reply

    1. Disregard. I had a bad number on my list.

      Reply

  2. The September Issue – ‘after installing September 2020 CU and PU custom pages and controls fail to render’ is fix include in Oct Patches

    Reply

    1. Hi Prasad,
      I assume this is a question?
      In September a security fix tightened the security requirements for code integrated with SharePoint.
      It is now required to explicitly mark such pages and controls as enabled.
      This is not something that will be reverted – that is the new expected behavior.
      Cheers,
      Stefan

      Reply

  3. Hi,

    Does the CVE-2020-16952 (in KB 4486694) vulnerability also apply to SharePoint 2013 Enterprise Server?
    Should this patch be applied to 2013 Enterprise Server in that case?

    Reply

    1. Hi Erik,
      all SharePoint Foundation security fixes apply also to SharePoint Server as SharePoint Foundation is part of SharePoint Server.
      In other words: YES.
      Cheers,
      Stefan

      Reply

  4. Hi Stefan,

    I did not install the September CU, but directly the October CU. Now I have this error on search pages “Unknown server tag ‘SharePoint:BrowseStyleBlock’.”

    Application error when access /s/Pages/default.aspx, Error=Unknown server tag ‘SharePoint:BrowseStyleBlock’.
    at System.Web.UI.TagPrefixTagNameToTypeMapper.System.Web.UI.ITagNameToTypeMapper.GetControlType(String tagName, IDictionary attribs)
    at System.Web.UI.MainTagNameToTypeMapper.GetControlType(String tagName, IDictionary attribs, Boolean fAllowHtmlTags)
    at System.Web.UI.RootBuilder.GetChildControlType(String tagName, IDictionary attribs)
    at System.Web.UI.ControlBuilder.CreateChildBuilder(String filter, String tagName, IDictionary attribs, TemplateParser parser, ControlBuilder parentBuilder, String id, Int32 line, VirtualPath virtualPath, Type& childType, Boolean defaultProperty)
    at System.Web.UI.TemplateParser.ProcessBeginTag(Match match, String inputText)
    at System.Web.UI.TemplateParser.ParseStringInternal(String text, Encoding fileEncoding)

    I saw this mentioned in your September CU post comments, where you said this had probably nothing to do with a blocked page or control. Do you have any idea what this could be?

    Thank you and best regards,
    Luzi

    Reply

    1. Hi Luzi,
      please install the complete October CU and verify if the issue is gone.
      There might be a dependency between the security fix binaries and the non-security fixes which causes this.
      Cheers,
      Stefan

      Reply

      1. I have installed the complete October CU and PSConfig did not throw any errors. But thank you for your feedback.

        Reply

        1. In this case you should open a support case with Microsoft to get this analyzed.

          Reply

  5. Hi Stefan,
    you replied to Erik on 14th October that I (and he) have to install this SharePoint Foundation security fix although we run SharePoint 2013 Enterprise Server SP1. I will do that then, but do I have to install SharePoint Foundation security fixes as well if there are also SharePoint 2013 Enterprise Server fixes available? (like last month)

    greet Bauke

    Reply

    1. Hi Bauke,
      SharePoint foundation security fixes always have to be applied on SharePoint server.
      SharePoint foundation is one of many components of SharePoint server which can be patched.
      Cheers,
      Stefan

      Reply

  6. On SharePoint 2016 I am getting this: VERSION LOG (GET): Upgrade object too new. Current versions: (build version = 16.0.5071.1000, schema version = 16.1.317.0). Target versions: (build version = 16.0.4966.1000, schema version = 16.1.316.0). (EventID:ajyxu), any hint?

    Reply

    1. Hi Haaron,

      It looks as if you are trying to run PSConfig on a machine which has February 2020 CU installed (16.0.4966.1000) while the databases have already been upgraded to October 2020 CU (16.0.5071.1000).

      Cheers,
      Stefan

      Reply

  7. Hi,
    I just want to make sure,
    configuration wizard is not mentioned in the installation process for the security fixes, it means that no conf. wiz. or upgrade DB is required, right?

    thanks!

    Reply

    1. Hi David,
      this assumption is wrong.
      There is not a single SharePoint fix which would not require the config wizard.

      In other words: you need to run the config wizard also after installing SharePoint security fixes.

      Cheers,
      Stefan

      Reply

  8. Hi Stefan, I gather this is a spelling mistake?

    SharePoint 2013 Suite:

    KB 4486694 – SharePoint Foundation 2013 (core component)
    KB 4486687 – Excel Services for SharePoint 2013 ——————- Meant to SharePoint Server 2013?
    KB 4486689 – Office Web Apps Server 2013

    Reply

    1. It was actually an abbreviation – but you are right, SharePoint Server 2013 is more correct.
      I updated it.

      Reply

  9. Hi Stefan,

    When it comes to SharePoint 2013, regarding this statement from https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-16952 I have two questions:
    “Exploitation of this vulnerability requires that a user uploads a specially crafted SharePoint application package to an affected version of SharePoint.”
    1. I guess that this can happen only if you let the users install their own apps (either from SharePoint app store or their own source), or not?
    2. Can the SharePoint farm be affected if they upload an app file to any document library (not app catalog)?

    Thanks,
    Lucian

    Reply

    1. Hi Lucian,
      unfortunately we are not allowed to discuss security vulnerabilities and fixes.
      We can only point to the official documentation which you have quoted above.
      Cheers,
      Stefan

      Reply

  10. Hi Stefan,

    We are experiencing an issue with the standard quick navigation bar on the left hand side after the complete October CU.
    The menu stops rendering after a few days regardless of browser; clearing cache, resetting Internet Explorer and the like doesn’t resolve the issue. If a user uses a different client or browser on the same client, the menu renders for some days until the same error occurs. Using the problematic browser in incognito doesn’t resolve the issue either.

    Do you have any resolution to this weird behaviour?
    Is this related to this: https://blog.stefan-gossner.com/2020/09/21/fix-regression-in-september-2020-cu-for-sharepoint-2019-affects-sites-with-modern-ui/

    Reply

    1. Hi Christian,
      I haven’t heard about this issue.
      If you need assistance to get this isolated I would recommend to open a support ticket with Microsoft.
      Cheers,
      Stefan

      Reply

  11. Hi Stefan, I am running a SharePoint 2010 Single-Server. After installing KB 4484391 the Server always gets stuck after 2 days. I tried to restart DB Service, SharePoint Services and App-Pools but only a restart of the Server brings SharePoint back to life… Is there a known issue, which can be solved by configuration?
    Many thanks in advance
    Dirk

    Reply

    1. Hi Dirk,
      this is not a known issue.
      My recommendation would be to open a support case with Microsoft. Performance Monitor log and Dump analysis might be required to identify what is causing this.
      Cheers,
      Stefan

      Reply
