SharePoint security fixes released with May 2024 PU and offered through Microsoft Update

Below are the security fixes for the SharePoint OnPrem versions released this month.

SharePoint Server 2016:

  • KB 5002598 – SharePoint Server 2016 (language independent)

Microsoft Support recommends installing the complete May 2024 CU for SharePoint 2016 rather than individual security fixes.

SharePoint Server 2019:

  • KB 5002596 – SharePoint Server 2019 (language independent)

Microsoft Support recommends installing the complete May 2024 CU for SharePoint 2019 rather than individual security fixes.

SharePoint Server Subscription Edition:

  • KB 5002599 – SharePoint Server Subscription Edition

This security fix includes the complete May 2024 CU for SharePoint Server Subscription Edition.

Office Online Server:

  • KB 5002503 – Office Online Server

See the Security Update Guide below for more details about the relevant fixes:

More information:

Please have a look at the SharePoint Patching Best Practices before applying new fixes.

 


Security Vulnerabilities fixed in this PU

Vulnerability SP 2016 SP 2019 SP SE OOS Impact Max Severity
CVE-2024-30042 x Remote Code Execution Important
CVE-2024-30043 x x x Information Disclosure Important
CVE-2024-30044 x x x Remote Code Execution Critical

9 Comments


  1. Hello,
    After installation, the documents and site content pages show only a blank screen. Is anyone else having this issue?

    Reply

  2. Hi!
    If you use “side by side patching”, check the build number on the webserver itself; sometimes $farm.Buildnumber does not show the right build number.
    $farm = Get-SPFarm
    $farm.BuildVersion # does not always show right build number…

    $webapp = Get-SPWebApplication https://[WebAppAddress]
    $webapp.WebService.SideBySideToken = "16.0.10392.20000" #Latest BuildRevision
    $webapp.WebService.update()

    Check latest build number on webserver:
    (C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS)

    Reply
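
A read-only form of the check described in the comment above, added here as an example; it is not part of the original post or its comments. The function names Get-LatestLayoutsBuild and Compare-SideBySideToken are hypothetical, and the script assumes that side-by-side copies appear as build-numbered subfolders of the LAYOUTS directory quoted above and that it runs in the SharePoint Management Shell on a web server.

```powershell
# Added example: reports only, changes nothing in the farm.
# Assumption: side-by-side copies are build-numbered subfolders of LAYOUTS.
$LayoutsPath = 'C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS'

function Get-LatestLayoutsBuild {
    param([Parameter(Mandatory)][string]$Path)
    # Keep only folder names that parse as a four-part build, e.g. 16.0.10392.20000
    $builds = foreach ($dir in Get-ChildItem -LiteralPath $Path -Directory) {
        $v = $null
        if ($dir.Name -match '^\d+\.\d+\.\d+\.\d+$' -and
            [version]::TryParse($dir.Name, [ref]$v)) { $v }
    }
    # Sort as [version], not as text, so 16.0.9999.x does not outrank 16.0.10392.x
    $builds | Sort-Object | Select-Object -Last 1
}

function Compare-SideBySideToken {
    param([string]$Url, [string]$Token, [version]$LatestOnDisk)
    $parsed = $null
    if (-not $LatestOnDisk) {
        $status = 'NoBuildFolderFound'
    } elseif (-not [version]::TryParse($Token, [ref]$parsed)) {
        $status = 'TokenMissingOrInvalid'
    } elseif ($parsed -eq $LatestOnDisk) {
        $status = 'Match'
    } elseif ($parsed -lt $LatestOnDisk) {
        $status = 'TokenBehindDisk'   # clients are still served the older build's files
    } else {
        $status = 'TokenAheadOfDisk'  # token names a build this server does not have
    }
    [pscustomobject]@{
        WebApplication = $Url
        Token          = $Token
        LatestOnDisk   = $LatestOnDisk
        Status         = $status
    }
}

if (Get-Command Get-SPWebApplication -ErrorAction SilentlyContinue) {
    $latest = Get-LatestLayoutsBuild -Path $LayoutsPath
    "Farm BuildVersion : $((Get-SPFarm).BuildVersion)"
    "Latest on disk    : $latest"
    Get-SPWebApplication | ForEach-Object {
        Compare-SideBySideToken -Url $_.Url -Token $_.WebService.SideBySideToken -LatestOnDisk $latest
    } | Format-Table -AutoSize
} else {
    Write-Warning 'SharePoint cmdlets not loaded; run this in the SharePoint Management Shell.'
}
```

Run it on each web server after patching; any status other than Match means the token and the files on that server disagree.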

  3. After installing .NET Framework May Update (KB5038283 on Windows Server 2019), our external lists (BDC) sporadically fail with:

    Error while executing web part: System.Security.Cryptography.CryptographicException: Unknown Error -1073741816. bei System.Security.Cryptography.BCryptHashAlgorithm.HashCore(Byte[] array, Int32 ibStart, Int32 cbSize) bei
    System.Security.Cryptography.HashAlgorithm.TransformBlock(Byte[] inputBuffer, Int32 inputOffset, Int32 inputCount, Byte[] outputBuffer, Int32 outputOffset) bei System.Security.Cryptography.SHA512Managed.HashCore(Byte[] rgb, Int32 ibStart, Int32 cbSize) bei System.Security.Cryptography.HashAlgorithm.ComputeHash(Byte[] buffer) bei Microsoft.SharePoint.BusinessData.Runtime.FieldValueDictionary.CalculateHashCode() —–snip—-

    The more parallel requests, the higher the probability that the error occurs. After uninstalling KB5038283 the issue seems to disappear.
    A similar problem has been reported for using the ComputeHash function in a not thread-safe manner (see https://answers.microsoft.com/en-us/windows/forum/all/sha256-computehash-started-throwing/4e18a046-8bd6-4369-968c-93f34a1088bb)

    Is anybody experiencing similar issues?

    Reply

    1. If we force sequential query processing by limiting the number of concurrent connections to the external data source to 1, the error no longer occurs.
      It seems to me that there is an issue in BCS handling concurrent connections for a content type, possibly in conjunction with the non-thread-safe hash function?

      Reply

      1. Is it a setting in BDC for achieving this?

        Reply

        1. We used SharePoint Designer: External Content Types –> External System Properties –> Specify number of connections = 1 (see the following screen https://learn.microsoft.com/en-us/previous-versions/office/developer/sharepoint-2010/images/gg650431.be58218c-e9f1-43f0-a444-1fa0c971f372(en-us,office.14).gif)
          But of course, this workaround has its own implications and may not be suitable in other cases.
          Still hoping Microsoft is looking into it as it seems to affect other customers as well.

          Reply

        2. You can also create a crawl impact rule in your SSA to only download one item at a time for the BDC “server name”, and that seems to help, though making the crawls slower.

          Reply

  4. The same problem was found in several clients in production environment, with different versions of a proprietary system that had not reported an error for several years. They all report that there was a previous Windows Update

    Reply

  5. Same issue here, but not on all External Lists. I’m experiencing this with external lists newly created in SPSE Environment; the ones which were created in SP2016 before migration are working correctly.

    Reply
