Microsoft .NET Security Patch Issues

August 16, 2018 – Update #6

 

In the August Patch-Tuesday rollup hotfix pack, which Microsoft released August 14, 2018, Microsoft has included .NET updates which correct the issues with the initial July hotfix rollup patches.  Testing indicates that this .NET release is stable and does not impact the functionality or reliability of SecureAuth IdP or Core/Courion AAS products.

 

Please refer to the Microsoft documentation here: https://blogs.msdn.microsoft.com/dotnet/2018/07/20/advisory-on-july-2018-net-framework-updates/

 

The Core-SecureAuth teams have tested* and validated that the August hotfix rollup works properly with both the AAS and IdP products.

 

Core-SecureAuth guidance for this hotfix:

 

Core Security / Courion AAS: Install the August hotfix rollup package per your normal process. 

Standard update guidance:  You should test any updates on a non-production server prior to moving the updates to production. Take virtual machine snapshots of the servers prior to installing any updates to allow you to revert to a known good state in case of failure.

 

SecureAuth IdP: Install the August hotfix rollup package per your normal process. 

Standard update guidance:  You should test any updates on a non-production server prior to moving the updates to production. Take virtual machine snapshots of the servers prior to installing any updates to allow you to revert to a known good state in case of failure.

 

No further updates are planned for this issue.

 

*Note: It is not possible for SecureAuth to test every possible combination of environments that our customers may have, nor does SecureAuth have control over the quality of these Microsoft patches.  We will continue to test and monitor to ensure these patches are stable.  If additional information becomes available, we will update this status page.

 
August 2, 2018 - Update #5

Microsoft has re-released the .NET July hotfix rollup patches, indicating that the known defects have been resolved. 
 
 
The Core-SecureAuth teams have tested* and validated that these new hotfixes work properly with both the AAS and IdP products. 
 
Microsoft recommends “…that you apply this update if you are experiencing the issue described in the known issues Knowledge Base article 4345913.”  Our testing indicates that the original July .NET hotfix rollup patches impact AAS (per article 4345913), and not IdP.  We recommend following the Microsoft guidance.
 
Unfortunately, Microsoft did not release these patches by way of Windows update, and instead they must be installed manually.  Note that Microsoft will be releasing the August .NET updates, typically on the second Tuesday of the month.  This will include the corrected .NET patches, and will be supported by Windows update.  One option is to delay the manual installation of these patches in favor of the upcoming .NET August update. 
 
Please refer to this Microsoft article to determine which .NET version(s) your system is using:
 
Once you have determined which version(s) of .NET are installed on your server, download the appropriate hotfix from Microsoft:
 
Server 2012 R2:
[.NET 2.0] (no patch released by Microsoft)
Server 2012:
[.NET 2.0] (no patch released by Microsoft)
Server 2008R2:
 
Core-SecureAuth guidance for this hotfix:
Core Security / Courion AAS: If the original July Hotfix Rollup was installed, remove it from your system, then install the correct hotfix based on the version on your system, or defer to the Microsoft August update. Test any updates on a non-production server prior to moving the updates to production. Take virtual machine snapshots of the servers prior to installing any updates to allow you to revert to a known good state in case of failure.

SecureAuth IdP: If you installed the July 2018 update and have not yet seen any negative behavior, we recommend that you leave your systems as-is but closely monitor them and ensure that you apply upcoming .NET Framework updates. You can optionally install the correct .NET patch as noted above, or defer to the Microsoft August update.  Test any updates on a non-production server prior to moving the updates to production. Take virtual machine snapshots of the servers prior to installing any updates to allow you to revert to a known good state in case of failure.
 
*It is not possible for SecureAuth to test every possible combination of environments that our customers may have, nor does SecureAuth have control over the quality of these Microsoft patches.  We will continue to test and monitor to ensure these patches are stable.  If additional information becomes available, we will update this status page.

 

July 27, 2018 - Update #4

Core-SecureAuth has halted the investigation of this issue, awaiting the re-release of this hotfix from Microsoft.

 

Microsoft guidance for this hotfix:

“We have stopped distributing the .NET Framework July 2018 updates on Windows Update and are actively working on fixing and re-shipping this month's updates. If you installed the July 2018 update and have not yet seen any negative behavior, we recommend that you leave your systems as-is but closely monitor them and ensure that you apply upcoming .NET Framework updates.”

 

Core-SecureAuth guidance for this hotfix:

Core Security / Courion AAS: If the July Hotfix Rollup was installed, remove it from your system. 


SecureAuth IdP: If you installed the July 2018 update and have not yet seen any negative behavior, we recommend that you leave your systems as-is but closely monitor them and ensure that you apply upcoming .NET Framework updates.

 

When Microsoft re-releases the hotfix, the Core-SecureAuth teams will test and validate, then an update will be posted for this incident. 

--- 

July 25, 2018 - Update #3

Core-SecureAuth is still investigating this issue, working closely with the Microsoft .NET developer support team.


Core Security / Courion AAS:
The Core-SecureAuth technical teams have confirmed that AAS is affected in the manner described in the Microsoft article KB4345913. We have also confirmed that one of the referenced workarounds resolves the issue. Because Microsoft is aware of this issue and is actively working on a solution, we are not recommending that the workaround be put in place, but rather waiting for an update from Microsoft to resolve the issue.


SecureAuth IdP:
No IdP customers have reported issues with this patch, and our teams have been unable to reproduce any issues in our labs with this patch applied.

An update will be posted as soon as there is a material update from Microsoft.

---

July 24, 2018 - Update #2

Core-SecureAuth is still investigating this issue, working closely with the Microsoft .NET developer support team. 

Although Microsoft made some progress in further debugging the issue, Microsoft has not provided a solution, nor defined the scope of the .NET issue as of today. 

SecureAuth IdP: No IdP customers have reported issues with this patch, and our teams have been unable to reproduce any issues in our labs with this patch applied. 

Core Security / Courion AAS: Customer issues have been reported and removal of KB4338419 (Server 2012R2) has resolved the issue in all cases. 

Microsoft has since released two updates to the rollup hotfix patch, but they do not appear to address the issue impacting AAS. 

An update will be posted as soon as there is a material update from Microsoft.

---

July 20, 2018 - Update #1

 

Core-SecureAuth is still investigating this issue, working closely with Microsoft. 

 

Microsoft has acknowledged material issues with the July rollup hotfix package and is going to reissue hotfixes to resolve those issues.  Although we have not completed the research with Microsoft, the initial investigation indicates that IdP (and IdP-related products) may not be impacted by the defective July Microsoft hotfix rollup patch.  Other Core-SecureAuth products are affected, and we are actively working with Microsoft to resolve the issue.

 

In addition, no IdP customers have reported issues with this patch, and our teams have been unable to reproduce any issues in our labs.

 

An update will be posted as soon as there is a material update to report.

--- 

July 17, 2018

Summary:
SecureAuth has identified a recent Microsoft .NET security patch that can render SecureAuth IdP inoperable. The issue appears to be that the Microsoft .NET service fails to function after the update, which appears to result from a conflict between Microsoft .NET updates. This issue is not a defect in SecureAuth IdP, nor an incompatibility between SecureAuth IdP and the Windows software or updates.  IdP cannot function if the Windows .NET service is not operable. Note that no customers or environments have been impacted by this issue at the time of this notification. We have observed this issue with other products in our product offerings. Unfortunately, our team has been unable to reproduce the issue as of the time of this notice. It is our understanding that this issue affects many applications well outside of the Core-SecureAuth application set.

Problem Definition:
After applying the July Microsoft rollup patch, the .NET service fails to start, registering a fatal error in Windows Event Viewer.

Microsoft patches impacting .NET stability:
Windows Server 2012R2: KB 4338419
Windows Server 2012: KB 4338416
Windows Server 2008R2 and 2008(R1): KB 4338602
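
To check a server for the three July rollup KBs listed above and to see which .NET Framework 4.x release it is running, the following PowerShell can be used. It is an added example, not code from SecureAuth or Microsoft; the KB numbers come from this page, and the variable names are illustrative.

```powershell
# KB numbers are the ones this page lists for the July 2018 .NET rollup.
$julyKbs = [ordered]@{
    'KB4338419' = 'Windows Server 2012 R2'
    'KB4338416' = 'Windows Server 2012'
    'KB4338602' = 'Windows Server 2008 R2 / 2008'
}

# Get-HotFix reads Win32_QuickFixEngineering, which may not list every update;
# confirm a "not installed" result in Installed Updates before relying on it.
$installed = @(Get-HotFix -ErrorAction SilentlyContinue)

$kbReport = foreach ($kb in $julyKbs.Keys) {
    $hit = $installed | Where-Object { $_.HotFixID -eq $kb } | Select-Object -First 1
    [pscustomobject]@{
        HotFixID    = $kb
        ListedFor   = $julyKbs[$kb]
        Installed   = [bool]$hit
        InstalledOn = $(if ($hit) { $hit.InstalledOn } else { $null })
    }
}

# .NET Framework 4.5 and later record their version as a Release DWORD here.
$ndpKey  = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
$release = (Get-ItemProperty -Path $ndpKey -ErrorAction SilentlyContinue).Release

# Minimum Release value for each 4.x version, highest first.
$thresholds = @(
    @(461808, '4.7.2'), @(461308, '4.7.1'), @(460798, '4.7'),
    @(394802, '4.6.2'), @(394254, '4.6.1'), @(393295, '4.6'),
    @(379893, '4.5.2'), @(378675, '4.5.1'), @(378389, '4.5')
)
$netVersion = 'no .NET Framework 4.5+ Release value found'
foreach ($t in $thresholds) {
    if ($release -ge $t[0]) {
        $netVersion = "at least $($t[1]) (Release $release)"
        break
    }
}

$kbReport | Format-Table -AutoSize
".NET Framework 4.x: $netVersion"
if ($kbReport | Where-Object Installed) {
    'A July 2018 rollup KB from this advisory is installed; follow the product guidance for this server.'
}
```

Run it in an elevated session on each IdP or AAS server, before and after patching, to confirm the state matches what you intended.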

Immediate recommendations:
Disable Windows automatic updates for all IdP servers. Test any updates on a non-production server prior to moving the updates to production. Take virtual machine snapshots of the servers prior to running the latest Microsoft updates to allow you to revert to a known good state in case of failure.

If your system is currently affected:
Contact SecureAuth support or Microsoft Support. You can submit a SecureAuth support ticket here.

Follow-on actions:
The SecureAuth team is working to determine the best solution for this issue through working with Microsoft and the Microsoft community. We will send out additional notifications when we are able to determine how these Microsoft security updates can be installed in a stable manner. Note that this issue may require Microsoft to provide an additional fix or further guidance.
