SharePoint security fixes released with October 2020 PU and offered through Microsoft Update

Below are the security fixes for the SharePoint OnPrem versions released this month.

SharePoint 2010 Suite:

  • KB 4486708 – SharePoint Foundation 2010
  • KB 4484531 – Excel Services for SharePoint Server 2010
  • KB 4462175 – Excel Web App 2010

SharePoint 2013 Suite:

  • KB 4486694 – SharePoint Foundation 2013 (core component)
  • KB 4486687 – Excel Services for SharePoint Server 2013
  • KB 4486689 – Office Web Apps Server 2013

SharePoint 2016 Suite:

  • KB 4486677 – SharePoint Server 2016 (language independent)

SharePoint 2019 Suite:

  • KB 4486676 – SharePoint Server 2019 (language independent)

Office Online Server:

  • KB 4486674 – Office Online Server
See the Security Update Guide below for more details about the relevant fixes:

More information:

Please ensure to have a look at the SharePoint Patching Best Practices before applying new fixes.
 

37 Comments


  1. Hi Stefan! I see you left off KB4484453 for Server 2019. Was that intentional?

    Reply

    1. disregard. I had a bad number on my list

      Reply

  2. The September Issue – ‘after installing September 2020 CU and PU custom pages and controls fail to render’ is fix include in Oct Patches

    Reply

    1. Hi Prasad,
      I assume this is a question?
      In September a security fix tightend the security requirements for code integrated with SharePoint.
      It now requires to explictely mark such pages and controls as enabled.
      This is not something that will be reverted – that is the new expected behavior.
      Cheers,
      Stefan

      Reply

  3. Hi,

    Does CVE-2020-16952 (in KB 4486694) vulnerability also apply to Sharepoint 2013 Enterprise Server?
    Should this patch be applied to 2013 Enterprise Server in that case?

    Reply

    1. Hi Erik,
      all SharePoint Foundation security fixes apply also to SharePoint Server as SharePoint Foundation is part of SharePoint Server.
      With other words: YES.
      Cheers,
      Stefan

      Reply

  4. Hi Stefan,

    I did not install the September CU, but directly the October CU. Now I have this error on search pages “Unknown server tag ‘SharePoint:BrowseStyleBlock’.”

    Application error when access /s/Pages/default.aspx, Error=Unknown server tag ‘SharePoint:BrowseStyleBlock’.
    at System.Web.UI.TagPrefixTagNameToTypeMapper.System.Web.UI.ITagNameToTypeMapper.GetControlType(String tagName, IDictionary attribs)
    at System.Web.UI.MainTagNameToTypeMapper.GetControlType(String tagName, IDictionary attribs, Boolean fAllowHtmlTags)
    at System.Web.UI.RootBuilder.GetChildControlType(String tagName, IDictionary attribs)
    at System.Web.UI.ControlBuilder.CreateChildBuilder(String filter, String tagName, IDictionary attribs, TemplateParser parser, ControlBuilder parentBuilder, String id, Int32 line, VirtualPath virtualPath, Type& childType, Boolean defaultProperty)
    at System.Web.UI.TemplateParser.ProcessBeginTag(Match match, String inputText)

    at System.Web.UI.TemplateParser.ParseStringInternal(String text, Encoding fileEncoding)

    I saw this mentioned in your September CU post comments, where you said this had probably nothing to do with a blocked page or control. Do you have any idea what this could be?

    Thank you and best regards,
    Luzi

    Reply

    1. Hi Luzi,
      please install the complete October CU and verify if the issue is gone.
      There might be a dependency between the security fix binaries and the non-security fixes which causes this.
      Cheers,
      Stefan

      Reply

      1. I have installed the complete October CU and PSCOFIG did not throw any errors. But thank you for your feedback.

        Reply

        1. In this case you should open a support case with Microsoft to get this analyzed.

          Reply

  5. hi stefan,
    you replied to erik on 14th oktober that i (and he) have to install this SharePoint Foundation security fix although we run sharepoint 2013 Enterprise Server sp1. i will do that then but do i have to install SharePoint Foundation security fixes as well if there are also sharepoint 2013 Enterprise Server fixes avaiable?? (like last month )

    greet Bauke

    Reply

    1. Hi Bauke,
      SharePoint foundation security fixes always have to be applied on SharePoint server.
      SharePoint foundation is one of many components of SharePoint server which can be patched.
      Cheers,
      Stefan

      Reply

  6. On SharePoint 2016 I am getting this: VERSION LOG (GET): Upgrade object too new. Current versions: (build version = 16.0.5071.1000, schema version = 16.1.317.0). Target versions: (build version = 16.0.4966.1000, schema version = 16.1.316.0). (EventID:ajyxu), any hint?

    Reply

    1. Hi Haaron,

      It looks as if you are trying to run PSConfig on a machine which has February 2020 CU installed (16.0.4966.1000) while the databases have already been upgraded to October 2020 CU (16.0.5071.1000).

      Cheers,
      Stefan

      Reply

  7. Hi,
    I just want to make sure,
    configuration wizard is not mentioned in the installation process for the security fixes, it means that no conf. wiz. or upgrade DB is required, right?

    thanks!

    Reply

    1. Hi David,
      this assumption is wrong.
      There is not a single SharePoint fix which would not require the config wizard.

      With other words: you need to run the config wizard also after installing SharePoint security fixes.

      Cheers,
      Stefan

      Reply

  8. Hi Stefan, Gather this is spelling mistake?

    SharePoint 2013 Suite:

    KB 4486694 – SharePoint Foundation 2013 (core component)
    KB 4486687 – Excel Services for SharePoint 2013 ——————- Meant to SharePoint Server 2013?
    KB 4486689 – Office Web Apps Server 2013

    Reply

    1. It was actually an abbreviation – but you are right, SharePoint Server 2013 is more correct.
      I updated it.

      Reply

  9. Hi Stefan,

    When it comes to SharePoint 2013, regarding this statement from https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-16952 I have two questions::
    “Exploitation of this vulnerability requires that a user uploads a specially crafted SharePoint application package to an affected version of SharePoint.”
    1. I guess that this can happen only if you let the users to install their own apps (either from SharePoint app store or their own source), or not ?
    2. Can the SharePoint farm be affected if they upload an app file to any document library (not app catalog)?

    Thanks,
    Lucian

    Reply

    1. Hi Lucian,
      unfortunately we are not allowed to discuss scecurity vulnerabilities and fixes.
      We can only point to the official documentation which you have quoted above.
      Cheers,
      Stefan

      Reply

  10. Hi Stefan,

    We are experiencing an issue with the standard quick navigation bar on the left hand side after the complete October CU.
    The menu stops rendering after a few days regardless of browser, clearing cache, resetting Internet Explorer and the like doesn’t resolve the issue. If a user uses a different client or browser on the same client, the menu renders for a some days until the same error occurs. Using the problematic browser in icoqnito doesn’t resolve the issue either.

    Do you have any resolution to this weird behaviour?
    Is this related to this: https://blog.stefan-gossner.com/2020/09/21/fix-regression-in-september-2020-cu-for-sharepoint-2019-affects-sites-with-modern-ui/

    Reply

    1. Hi Christian,
      I haven’t heard about this issue.
      If you need assistance to get this isolated I would recommend to open a support ticket with Microsoft.
      Cheers,
      Stefan

      Reply

  11. Hi Stefan, I am running a SharePoint 2010 Single-Server. After installing KB 4484391 the Server always get stuck after 2 days. I tried to restart DB Service, SharePoint Services and App-Pools but only a restart of the Server brings SharePoint back to life… Is there a known issue, which can be solved by configuration?
    Many thanks in advance
    Dirk

    Reply

    1. Hi Dirk,
      this is not a known issue.
      My recommendation would be to open a support case with Microsoft. Performance Monitor log and Dump analysis might be required to identify what is causing this.
      Cheers,
      Stefan

      Reply

  12. Hi Stefan,

    After we install KB 4486677 to our SharePoint 2016 farm, we are not able to upload larger than 100MB files. The error that we get while we are trying to upload a file is

    {“error”:{“code”:”-1, Microsoft.SharePoint.Client.InvalidClientQueryException”,”message”:{“lang”:”en-US”,”value”:”The expression \”web/getFileByServerRelativeUrl(@file)/FinishUpload(uploadId=guid’c67ffddb-6aee-4a34-b401-714694a89cca’,fileOffset=109051904,checkInComment=)\” is not valid.”}}}

    We couldn’t find any solution to this problem. Do you have any idea?

    Thanks,
    Guray.

    Reply

    1. Hi Guray,
      this is a known issue in October 2020 CU.
      Upload using the ribbon should work.
      I would recommend to open a support case with Microsoft to ensure that you get latest info on a fix when it becomes available.
      Cheers,
      Stefan

      Reply

      1. Hi Stefan,

        Upload using the ribbon is also not working.

        We opened a support case, thanks for your response.

        Guray.

        Reply

        1. Hi Guray,
          in some scenarios it does not work. You are right. The reason is that in the not working cases the upload.aspx page is opened which is affected. the uploadex.aspx page will work.
          The workaround in case that upload in ribbon does not work is to use http://site_url/_layouts/15/uploadex.aspx
          Cheers,
          Stefan

          Reply

  13. Hi. Just tested and the Nov CU does not fix upload of larger than 100 MB file issues.
    What we found is that Explorer works, Upload via Ribbon (and upload link) works if the library is set to “Allow management of content types? ” = yes with no other changes.

    Drag and drop not working at all for files larger than 100 MB. Was really hoping since known issue the Nov CU would have fixed. Just hoping now Dec CU will fix or special fix comes out without a support case.

    Regards,
    Joe

    Reply

  14. Stefan,
    After installing KB4486694 we are experiencing the following issue when trying to open search service application. This is happing in multiple search service applications in different farms…

    Sorry, something went wrong
    The base type ‘Microsoft.Office.Server.Search.Internal.UI.SearchAdministration’ is not allowed for this page. The type Microsoft.Office.Server.Search.Internal.UI.SearchAdministration, Microsoft.Office.Server.Search, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c could not be found or it is not registered as safe.

    Reply

    1. We are currently running SharePoint 2013 SP1 April 2020 cu build  15.0.5189.1000

      Reply

      1. Hi Rich,
        sounds as if you did not run the SharePoint configuration wizard after installing the update.
        The config wizard adds the required updates to the web.config to avoid this error.
        Cheers,
        Stefan

        Reply

  15. Hi Stefan,
    Post October CU, we are experiencing issues while opening site which are having custom webparts (Newsgator).
    We skipped the Sept CU, because it had few issues.
    Are those issues fixes applied in October CU?

    The control type ‘NewsGator.CorpComm.Core.WebParts.AdminConsole.NavigationWebPart’ is not allowed on this page. The type NewsGator.CorpComm.Core.WebParts.AdminConsole.NavigationWebPart, NewsGator.CorpComm.Core, Version=1.0.0.0, Culture=neutral, PublicKeyToken=4ec65f4d77045582 could not be found or it is not registered as safe.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.