[Updated] Virtual Administrator’s January 2022 Patch Recommendations

Patch Recommendations

Updated Patch Notes 1-21-2022

Update (1/21/2022):  All January patches will be approved in patch policy

On 17th January 2022, Microsoft released emergency (or Out-of-band) security updates for resolving specific issues caused by the earlier January 11th Cumulative Updates/Monthly Rollups. These Out-of-band (OOB) updates supersede the Cumulative Updates that caused all the issues. The Monthly Rollups do not replace the earlier updates and are offered as “optional updates”.  Provided both are installed together before reboot, the fixes in the OOB update will take precedence.

So far we have not seen or read of any new issues introduced by the OOB fixes.

January 17, 2022 Out-of-band Updates

Security and Quality Rollup

  • KB5010798 – Windows 7, Windows Server 2008 R2 (ESU)
  • KB5010794 – Windows 8.1, Windows Server 2012 R2
  • KB5010797 – Windows Server 2012
  • KB5010799 – Windows Server 2008 (ESU)

Cumulative Updates

Windows 10

  • KB5010789 – Original release version 1507 (OS Build 10240)
  • KB5010790 – Version 1607 “Anniversary Update” (OS Build 14393)
  • KB5010791 – Version 1809 “October 2018 Update” (OS Build 17763)
  • KB5010792 – Version 1909 “November 2019 Update” (OS Build 18363)
  • KB5010793 – Version 20H2 “October 2020 Update” (OS Build 19042)
  • KB5010793 – Version 21H1 “May 2021 Update” (OS Build 19043)
  • KB5010793 – Version 21H2 “November 2021 Update” (OS Build 19044)

(Versions 1511,1703,1709,1803,1903,2004 are no longer under support)

Windows 11

  • KB5010795 – Original release (OS Build 22000)

Windows Server

  • KB5010790 – Server 2016 (same KB as Windows 10 Version 1607)
  • KB5010791 – Server 2019 (same KB as Windows 10 Version 1809)
  • KB5010796 – Server 2022 (OS Build 20348)

FYI: If you want to remove the Latest Cumulative Update (LCU)

To remove the LCU after installing the combined SSU and LCU package, use the DISM/Remove-Package (https://docs.microsoft.com/windows-hardware/manufacture/desktop/dism-operating-system-package-servicing-command-line-options) command line option with the LCU package name as the argument. You can find the package name by using this command: DISM /online /get-packages.

Running Windows Update Standalone Installer (wusa.exe) with the /uninstall switch on the combined package will not work because the combined package contains the SSU. You cannot remove the SSU from the system after installation.

 

Original Patch Notes – 1-14-2022

This month Microsoft released patches for 97 vulnerabilities with 9 rated “Critical” and 88 “Important” in severity.

None of the January Cumulative Updates and Monthly Rollups have been approved.  All other standalone and Office patches have been approved in our patch policy.

There are serious problems with all of the January Cumulative Updates and Monthly Rollups. For that reason we are delaying the approval of all of them. We are releasing other standalone patches including the January Office updates. There is a known issue with the Sharepoint patches. Details and a workaround are provided in the “Known Issues” section below.  Also the two Office patches KB5002104,KB5002099 we denied last month will be approved. Microsoft released fixes KB2965317 and KB4484211 which can be installed manually – see details below “Released KBs from December 2021”

The “Known Issues” section below outlines the problems reported for the Cumulative Updates and Monthly Rollups. Microsoft has only recently acknowledge any of them and has no workarounds. These problems included Server reboot loops, Hyper-V not booting and VPN connections failing. We will monitor this situation and provide an update next Friday – January 21st.

FYI – Released KBs from December 2021

Last month Office patches KB5002104 and KB5002099 were denied. They could cause problems with multi-user access on network shares. Patches have been released to correct the problem. These patches much be downloaded and installed manually after KB5002104/KB5002099 has been installed.

KB5002104

Description of the security update for Office 2013: December 14, 2021 (KB5002104)

https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-office-2013-december-14-2021-kb5002104-84005c4a-9bfe-4da6-bd66-240c5c468c7c

After this update is installed, Microsoft Access databases that are stored on a network share can’t be accessed by multiple users simultaneously. To resolve this issue, see the following Knowledge Base article:

December 29, 2021, update for Office 2013 (KB2965317)

https://support.microsoft.com/en-us/topic/december-29-2021-update-for-office-2013-kb2965317-66fd5547-78e4-26da-d473-ca6aa295f26e

KB5002099

Description of the security update for Office 2016: December 14, 2021 (KB5002099)

https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-office-2016-december-14-2021-kb5002099-10670400-427f-4819-8de6-abd11e73100b

After this update is installed, Microsoft Access databases that are stored on a network share can’t be accessed by multiple users simultaneously. To resolve this issue, see the following Knowledge Base article:

4484211 Database on network share can’t be accessed by multiple users in Office 2016

Databases on network share can’t be accessed by multiple users in Office 2016 (KB4484211)

https://support.microsoft.com/en-us/topic/databases-on-network-share-can-t-be-accessed-by-multiple-users-in-office-2016-kb4484211-88a51f7f-f7dd-2d9c-0b96-b7fca0867a4f

Disclosed: CVE-2022-21836, CVE-2022-21839, CVE-2022-21874, CVE-2022-21919, CVE-2021-22947, CVE-2021-36976

Exploited: None

Security Update Guide

https://portal.msrc.microsoft.com/en-us/security-guidance

Morphus Labs patch dashboard here: https://patchtuesdaydashboard.com

We will no longer listing “affected software” in this post. Previously Microsoft listed affected “software”. This month the list includes “products, features and roles” which makes the list too long. If you look at the month’s Release Notes on the Security Update Guide page you can view this list.

Microsoft Security Advisories – Update

ADV170021 | Microsoft Office Defense in Depth Update (Published:12/12/2017 | Last Updated:01/11/2022)

https://msrc.microsoft.com/update-guide/vulnerability/ADV170021

Reason for Revision: On 1/11/2022 Microsoft released an update for all supported versions of Excel that disables DDE Server Launch by default, protecting customers out of the box from attacks targeting DDE. DDE Server Launch can be enabled by setting the DisableDDEServerLaunch registry value to 0. Administrators can enable DDE Server Launch for Office 2016 and later by using the Group Policy template; administrators should be aware that users cannot disable DDE Server Launch if an administrator has enabled it via Group Policy. For more information see Microsoft Excel security enhancements in the January 2022 update.

Known Issues

VPN connections fail:

  • KB5009566 – Windows 11
  • KB5009543 – Windows 10
  • KB5009555 – Windows Server 2022
  • KB5009546 – Windows Server 2016

Symptom: After installing this update, IP Security (IPSEC) connections that contain a Vendor ID might fail. VPN connections using Layer 2 Tunneling Protocol (L2TP) or IP security Internet Key Exchange (IPSEC IKE) might also be affected.

Workaround: To mitigate the issue for some VPNs, you can disable Vendor ID within the server-side settings.

Note Not all VPN servers have the option to disable Vendor ID from being used.

We are presently investigating and will provide an update in an upcoming release.

Hyper-V might not start:

KB5009624/KB5009595 – Windows Server 2012 R2

Symptom: After installing this update on a device by using Unified Extensible Firmware Interface (UEFI), virtual machines (VMs) in Hyper-V might not start.

Workaround: We are presently investigating and will provide an update in an upcoming release.

Windows Server might restart unexpectedly:

  • KB5009624/KB5009595 – Windows Server 2012 R2
  • KB5009555 – Windows Server 2022
  • KB5009546 – Windows Server 2016

Symptom: After installing this update on domain controllers (DCs), affected versions of Windows Server might restart unexpectedly.

Workaround: We are presently investigating and will provide an update in an upcoming release.

Note On Windows Server 2016 and later, you are more likely to be affected when DCs use Shadow Principals in Enhanced Security Admin Environment (ESAE) or environments that use Privileged Identity Management (PIM).

SharePoint Foundation 2013/Enterprise Server 2016/Server 2019

(KB5002109,KB5002111,KB5002113,KB5002127)

Link for SharePoint Server 2019: January 11, 2022 (KB5002109)

https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-sharepoint-server-2019-january-11-2022-kb5002109-3d85585a-a69d-4063-9e62-fb51bc31b73a

Symptom: Most users cannot access Web.config files in Microsoft SharePoint Server. The affected group of users does not include farm administrators, local administrators, or members who are managed by the system.

Cause: For security, users other than those that are specified in the “Symptoms” section are restricted from accessing Web.config files.

Workaround: Users cannot access Web.config files in SharePoint Server (KB5010126)

https://support.microsoft.com/en-us/topic/users-cannot-access-web-config-files-in-sharepoint-server-kb5010126-d741e0a6-5cdb-4fa5-8aa1-45806cac30d2

Good resource for known issues with Windows 10 patches. Find the version and click on “Known issues”.

Windows release health

https://docs.microsoft.com/en-us/windows/release-health/

Monthly Rollup/Security Only/Windows 10,11/Server 2016,2019,2022 KBs

Links are https://support.microsoft.com/en-us/help/####### with the KB number only.

Security and Quality Rollup

  • KB5009610 – Windows 7, Windows Server 2008 R2 (ESU)
  • KB5009624 – Windows 8.1, Windows Server 2012 R2
  • KB5009586 – Windows Server 2012
  • KB5009627 – Windows Server 2008 (ESU)

Security Only Update

  • KB5009621 – Windows 7, Windows Server 2008 R2 (ESU)
  • KB5009595 – Windows 8.1, Windows Server 2012 R2
  • KB5009619 – Windows Server 2012
  • KB5009601 – Windows Server 2008 (ESU)

Cumulative Updates

Windows 10

  • KB5009585 – Original release version 1507 (OS Build 10240)
  • KB5009546 – Version 1607 “Anniversary Update” (OS Build 14393)
  • KB5009557 – Version 1809 “October 2018 Update” (OS Build 17763)
  • KB5009545 – Version 1909 “November 2019 Update” (OS Build 18363)
  • KB5009543 – Version 20H2 “October 2020 Update” (OS Build 19042)
  • KB5009543 – Version 21H1 “May 2021 Update” (OS Build 19043)
  • KB5009543 – Version 21H2 “November 2021 Update” (OS Build 19044)(Versions 1511,1703,1709,1803,1903,2004 are no longer under support)

Windows 11

  • KB5009566 – Original release (OS Build 22000)

Windows Server

  • KB5009546 – Server 2016 (same KB as Windows 10 Version 1607)
  • KB5009557 – Server 2019 (same KB as Windows 10 Version 1809)
  • KB5009555 – Server 2022 (OS Build 20348)

January 2022 updates for Microsoft Office

https://support.microsoft.com/en-au/topic/january-2022-updates-for-microsoft-office-c47975ca-64a8-4514-b0b2-175ab9715930

Notable CVEs

CVE-2021-22947 | Open Source Curl Remote Code Execution Vulnerability (Cumulative Update)

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-22947

CVE-2021-36976 | Libarchive Remote Code Execution Vulnerability (Cumulative Update)

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-36976

CVE-2022-21836 | Windows Certificate Spoofing Vulnerability (Cumulative Update/Monthly Rollup)

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21836

CVE-2022-21839 | Windows Event Tracing Discretionary Access Control List Denial of Service Vulnerability (Win 10 Version 1809/ Server 2019 Cumulative Update)

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21839

CVE-2022-21840 | Microsoft Office Remote Code Execution Vulnerability (Office various KBs)

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21840

CVE-2022-21846 | Microsoft Exchange Server Remote Code Execution Vulnerability (Exchange Server 2013/2016/2019 – KB5008631)

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21846

CVE-2022-21849 | Windows IKE Extension Remote Code Execution Vulnerability (Cumulative Update)

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21849

CVE-2022-21857 | Active Directory Domain Services Elevation of Privilege Vulnerability (Cumulative Update/Monthly Rollup)

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21857

CVE-2022-21874 | Windows Security Center API Remote Code Execution Vulnerability (Cumulative Update)

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21874

CVE-2022-21907 | HTTP Protocol Stack Remote Code Execution Vulnerability (Cumulative Update)

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21907

CVE-2022-21919 | Windows User Profile Service Elevation of Privilege Vulnerability (Cumulative Update/Monthly Rollup)

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21919