Important Notification - Microsoft Update Affecting Core Security AAS or Secure Reset causing them to be inoperable

Follow

Update 6

August 16, 2018 – Status Update #6

In the August Patch-Tuesday rollup hotfix pack which Microsoft released August 14, 2018, Microsoft has included .NET updates which correct the issues with the initial July hotfix rollup patches.  Testing indicates that this .NET release is stable and does not impact the functionality or reliability of SecureAuth IdP or Core/Courion AAS products.

Please refer to the Microsoft documentation here: https://blogs.msdn.microsoft.com/dotnet/2018/07/20/advisory-on-july-2018-net-framework-updates/

The Core-SecureAuth teams have tested* and validated that the August hotfix rollup works properly with both the AAS and IdP products.

Core-SecureAuth guidance for this hotfix:

Core Security / Courion AAS: Install the August hotfix rollup package per your normal process. 

Standard update guidance:  You should test any updates on a non-production server prior to moving the updates to production. Take virtual machine snapshots of the servers prior to installing any updates to allow you to revert to a known good state in case of failure.

SecureAuth IdP: Install the August hotfix rollup package per your normal process. 

Standard update guidance:  You should test any updates on a non-production server prior to moving the updates to production. Take virtual machine snapshots of the servers prior to installing any updates to allow you to revert to a known good state in case of failure.

No further updates are planned for this issue.

*Note: It is not possible for SecureAuth to test every possible combination of environments that our customers may have, nor does SecureAuth have control over the quality of these Microsoft patches.  We will continue to test and monitor to ensure these patches are stable.  If additional information becomes available, we will update this status page.

 

Update 5

August 2, 2018 - Status Update #5

Microsoft has re-released the .NET July hotfix rollup patches, indicating that the known defects have been resolved. 

 

Please refer to the Microsoft documentation here: https://blogs.msdn.microsoft.com/dotnet/2018/07/30/net-framework-july-2018-update/

 

The Core-SecureAuth teams have *tested and validated that these new hotfixes work properly with both the AAS and IdP products. 

 

Microsoft recommends “…that you apply this update if you are experiencing the issue described in the known issues Knowledge Base article 4345913.”  Our testing indicates that the original July .NET hotfix rollup patches impact AAS (per article 4345913), and not IdP.  We recommend following the Microsoft guidance. 

 

Unfortunately, Microsoft did not release these patches by way of Windows update, and instead, they must be installed manually.  Note that Microsoft will be releasing the August .NET updates, typically on the second Tuesday of the month.  This will include the corrected .NET patches and will be supported by Windows update.  One option is to delay the manual installation of these patches in favor of the upcoming .NET August update. 

 

Please refer to this Microsoft article determine which .NET version(s) your system is using:

https://docs.microsoft.com/en-us/dotnet/framework/migration-guide/how-to-determine-which-versions-are-installed#net_a

 

Once you have determined which version(s) of .NET are installed on your server, download the appropriate hotfix from Microsoft:

 

Server 2012 R2:

[.NET 4.6+] https://support.microsoft.com/help/4346406

[.NET 4.5] https://support.microsoft.com/help/4346408

[.NET 3.5] https://support.microsoft.com/help/4346745

[.NET 2.0] (no patch released by Microsoft)

Server 2012:

[.NET 4.6+] https://support.microsoft.com/help/4346405

[.NET 4.5] https://support.microsoft.com/help/4346739

[.NET 3.5] https://support.microsoft.com/help/4346742

[.NET 2.0] (no patch released by Microsoft)

Server 2008R2:

[.NET 4.6+] https://support.microsoft.com/help/4346407

[.NET 4.5] https://support.microsoft.com/help/4346410

[.NET 3.5] https://support.microsoft.com/help/4346744

[.NET 2.0] https://support.microsoft.com/help/4346743

 

Core-SecureAuth guidance for this hotfix:

Core Security / Courion AAS: If the original July Hotfix Rollup was installed, remove it from your system, then install the correct hotfix based on the version on your system, or defer to the Microsoft August update. Test any updates on a non-production server prior to moving the updates to production. Take virtual machine snapshots of the servers prior to installing any updates to allow you to revert to a known good state in case of failure


SecureAuth IdP: If you installed the July 2018 update and have not yet seen any negative behavior, we recommend that you leave your systems as-is but closely monitor them and ensure that you apply upcoming .NET Framework updates. You can optionally install the correct .NET patch as noted above, or defer to the Microsoft August update.  Test any updates on a non-production server prior to moving the updates to production. Take virtual machine snapshots of the servers prior to installing any updates to allow you to revert to a known good state in case of failure

 

*It is not possible for SecureAuth to test every possible combination of environments that our customers may have, nor does SecureAuth have control over the quality of these Microsoft patches.  We will continue to test and monitor to ensure these patches are stable.  If additional information becomes available, we will update this status page.

 

Update 4

July 27, 2018 - Status Update #4

Core-SecureAuth has halted the investigation this issue awaiting the re-release of this hotfix from Microsoft.

 

Microsoft guidance for this hotfix:

“We have stopped distributing the .NET Framework July 2018 updates on Windows Update and are actively working on fixing and re-shipping this month's updates. If you installed the July 2018 update and have not yet seen any negative behavior, we recommend that you leave your systems as-is but closely monitor them and ensure that you apply upcoming .NET Framework updates.”

 

Core-SecureAuth guidance for this hotfix:

Core Security / Courion AAS: If the July Hotfix Rollup was installed, remove it from your system. 


SecureAuth IdP: If you installed the July 2018 update and have not yet seen any negative behavior, we recommend that you leave your systems as-is but closely monitor them and ensure that you apply upcoming .NET Framework updates.

 

When Microsoft re-releases the hotfix, the Core-SecureAuth teams will test and validate, then an update will be posted for this incident.

 

Update 3
July 25, 2018 - Status Update #3

Core-SecureAuth is still investigating this issue, working closely with the Microsoft .NET developer support team. 

Core Security / Courion AAS: The Core-SecureAuth technical teams have confirmed that AAS is affected in the manner as described in the Microsoft article KB4345913.  We have also confirmed that one of the referenced workarounds resolves the issue.  Because Microsoft is aware of this issue and is actively working on a solution, we are not recommending the workaround be put in place, but rather waiting for an update from Microsoft to resolve the issue

SecureAuth IdP: No IdP customers have reported issues with this patch, and our teams have been unable to reproduce any issues in our labs with this patch applied.

An update will be posted as soon as there is a material update from Microsoft.

 

Update 2
July 24, 2018 - Status Update #2 

Core-SecureAuth is still investigating this issue, working closely with the Microsoft .NET developer support team. 

Although Microsoft made some progress in further debugging the issue, Microsoft has not provided a solution, nor defined the scope of the .NET issue as of today. 

SecureAuth IdP: No IdP customers have reported issues with this patch, and our teams have been unable to reproduce any issues in our labs with this patch applied. 

Core Security / Courion AAS: Customer issues have been reported and removal of KB4338419 (Server 2012R2) has resolved the issue in all cases. 

Microsoft has since released two updates to the rollup hotfix patch, but they do not appear to address the issue impacting AAS. 

An update will be posted as soon as there is a material update from Microsoft.
 


Update 1
July 24, 2018 - Status Update #1

Core-SecureAuth is still investigating this issue, working closely with Microsoft. 

Microsoft has acknowledged material issues with the July rollup hotfix package and are going to be reissuing hotfixes to resolve those issues. Microsoft is still investigating the specific issues our teams have been able to replicate with this patch to determine the best course of action, which may result in an updated hotfix being released by Microsoft. 

We have also observed that by removing (only) KB4338419 for Server 2012R2, the issue is resolved. Therefore, customers can move forward and apply the July hotfix rollup patch, but then remove KB4338419 after installation. No testing has been done on 2012 or 2008r2 to verify the same resolution applies. 

An update will be posted as soon as there is a material update to report.
 

Summary:

Core Security has identified a recent Microsoft .NET security patch that renders Core Security / Courion AAS or Secure Reset inoperable.  The issue appears to be a problem where the Microsoft .NET service fails to function after the update, which appears to be a conflict between Microsoft updates.  This issue is not a defect or other incompatibility with Core Security / Courion AAS and the Windows software or update.   AAS cannot function if the Windows .NET service is not operable.  Note that not all customers or environments are affected, and our team has been unable to reproduce the issue as of today.  It is our understanding that this is an issue affecting many applications well outside of the Core-SecureAuth application set.
 
Problem definition:
  • The problem we are aware of renders AAS or Secure Reset inoperable and users get the following messages:
“Unable to process request at this time
An error occurred while processing your request.  The most likely cause of this error is a session timeout.
Error Line: 424
Error Source: Microsoft VBScript runtime error
Error Desc. Object required”
Web Page 500 error:
"An error occurred on the server when processing the URL. Please contact the system administrator. If you are the system administrator please click here to find out more about this error."
 
  • Event Viewer registers a fatal error when trying to start the .NET service 
Microsoft patches impacting AAS and .NET stability:
  • Windows Server 2012R2: KB 4338419
  • Windows Server 2012: KB 4338416
  • Windows Server 2008R2 and 2008(R1) :  KB 4338602
Immediate recommendations:
  • Disable Windows automatic updates for all Courion/AAS and all related servers (Web, Application and Connector servers)
  • Test any updates on a non-production server prior to moving the updates to production
  • Take virtual machine snapshots of the servers prior to running the latest Microsoft updates to allow you to revert to a known good state in case of failure 
If your system is currently affected:
  • Contact Core Security support or Microsoft support 
Follow-on actions:
  • The Core Security AAS team is working to determine the best solution for this issue through working with Microsoft and the Microsoft community.  We will send out additional notifications when we are able to determine how these Microsoft security updates can be installed in a stable manner.  Note that this issue may require Microsoft to provide an additional fix or further guidance.
If you have any questions or concerns regarding the new release, please do not hesitate to contact us at customersupport@coresecurity.com.
2 out of 2 found this helpful

Comments

0 comments

Article is closed for comments.