SharePoint security fixes released with January 2022 PU and offered through Microsoft Update

Below are the security fixes for the SharePoint OnPrem versions released this month.

Important:
SharePoint Foundation security fixes also have to be applied on SharePoint Server installations.
SharePoint Server security fixes also have to be applied on Project Server installations.

SharePoint 2013 Suite:

  • KB 5002127 – SharePoint Foundation 2013 (core component)
  • KB 5002129 – SharePoint Foundation 2013
  • KB 5002102 – Excel Services for SharePoint 2013
  • KB 5001995 – Access Services for SharePoint 2013
  • KB 5002122 – Office Web Apps Server 2013
  • Microsoft Support recommends installing the complete January 2022 CU for SharePoint 2013 rather than individual security fixes

SharePoint Server 2016:

  • KB 5002113 – SharePoint Server 2016 (language independent)
  • KB 5002118 – SharePoint Server 2016 (language dependent)
  • Microsoft Support recommends installing the complete January 2022 CU for SharePoint 2016 rather than individual security fixes

SharePoint Server 2019:

  • KB 5002109 – SharePoint Server 2019 (language independent)
  • KB 5002108 – SharePoint Server 2019 (language dependent)
  • Microsoft Support recommends installing the complete January 2022 CU for SharePoint 2019 rather than individual security fixes

SharePoint Server Subscription Edition:

Office Online Server:

  • KB 5002107 – Office Online Server
See the Security Update Guide below for more details about the relevant fixes:

More information:

Please make sure to have a look at the SharePoint Patching Best Practices before applying new fixes.
 

8 Comments


  1. Hello Stefan,
    do I need to install KB5002127 on SharePoint Server 2013, I can see that it is mentioned it's for SharePoint Foundation 2013. Please confirm.


    1. Hi Rajni,

      the confirmation is already in the article above:

      Important:
      SharePoint Foundation security fixes also have to be applied on SharePoint Server installations.

      Cheers,
      Stefan


      1. Hi Stefan,

        I’ve been referencing your blog for many years now, and really appreciate the info. Thank you!

        I have been a SharePoint farm architect/admin for over a decade (started with MOSS 2007), and am also very detail-oriented and usually read things quite carefully.

        But your answer here, referencing the note in this article, seems to be the exact opposite of what it says on the official SharePoint updates listing page here, unless I am reading/understanding it wrong:

        https://docs.microsoft.com/en-us/officeupdates/sharepoint-updates#sharepoint-2013-update-history
        “SharePoint Server 2013 (this also updates SharePoint Foundation 2013 installations)”

        This seems to indicate that the SP server CU package includes SP Foundation fixes, and thus would also update SP Foundation by installing just the SP server package.

        But your statement would seem to say that you also have to run the SP Foundation update package on an SP server installation.

        I have never done that, and after using the full SP Server CU package to update SP, Windows Update shows no pending SP updates, which would indicate that SP is fully patched.

        So am I missing something here, or do you need to correct this statement/guidance, or its wording?

        UPDATE: Hmm, so actually after writing all this, I just re-read the article and the question posed by Rajni (and your answer to it) more carefully, and it seems that it might apply specifically/only to when one is installing individual SP updates, as opposed to the full/complete CU package.

        So perhaps both of us are correct in what we are saying?! 🙂 Clarification of this would be helpful.

        Thanks,
        Mihir


        1. Hi Mihir,

          I understand where the conflict comes from here.

          For CUs you only have to apply the SharePoint Server CU as the SharePoint Server CU includes the SharePoint foundation fixes.
          But for security fixes it is different.
          You have to apply both of them individually as security fixes are more granular.
          This current blog post is about security fixes and not about the CU.

          Cheers,
          Stefan


  2. Hi Stefan,

    Regarding Microsoft SharePoint Server 2013:

    after patching (KB5002126) CU January 2022 final version is 15.0.5411.1000 instead of 15.0.5415.1000 marked by Microsoft.

    Similar was in December 2021 (KB5002070) - 15.0.5399.1000 instead of 15.0.5407.1000.

    Could you explain?

    Thank you,
    Regards,
    Wiktor


  3. Not quite understanding the Known issues in the 2019 update: “Most users cannot access Web.config files in Microsoft SharePoint Server. The affected group of users does not include farm administrators, local administrators, or members who are managed by the system.” Do users other than those noted need access to the web.config files? Will it affect functionality for end users?


    1. Hi Jodi,

      the ACLs on the web.config have been updated to be more secure.
      If users who are not local administrators used to access these files, they will be blocked now by default.
      Workarounds to revert this security change are in the linked KB article.

      Cheers,
      Stefan

