Monthly Security Patching for Fully-Managed Windows 2012+ servers - December 14, 2021
Posted by David Cunningham on 14 December 2021 07:16 PM
Purpose of Work:
December's Patch Tuesday has arrived. While Microsoft (luckily) hasn't made as many waves in the news cycle as the Log4j vulnerability, there are still a few standouts that we consider alarming enough to justify same-night patching.
First up, we have a remote code execution vulnerability leveraging Microsoft Office (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43905), with no OS version specified; this vulnerability seems to require user interaction, and has not yet been seen exploited in the wild. We'll be updating our RAS workloads accordingly.
Secondly, there are a number of elevation of privilege vulnerabilities this month: one leveraging NTFS on Server 2022 and Win 10 build 1909+ (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43240), and two on Server 2008+ that leverage the Windows Installer and Print Spooler, respectively. Of course, all elevation of privilege vulnerabilities inherently make other vulnerabilities far more dangerous (even something as simple as a compromised website, if your attacker is clever), so we'll be dealing with these tonight.
Third, there's a remote code execution vulnerability affecting SharePoint, version 2013+ (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42309). This vuln seems to require that a user exploiting it has the Manage Lists privilege, but if they do, they can create their own site with full permissions, and the capability of getting the server to do whatever they want. We have few supported SharePoint workloads, but we'll be reaching out to the relevant clients about this shortly.
Impact of Work:
All affected hosts that are 2012 and up will be rebooted automatically / ASAP to propagate fixes, starting at 9:30PM, with some exceptions.
Internal systems on Windows 2012 and up (such as the management portal) may be temporarily impacted in the time it takes to reboot them. Mail delivery to our helpdesk may be temporarily halted while our mail servers are updated as part of this patch cycle. If you receive a delivery failure, you can still reach us by logging into the helpdesk and submitting a ticket directly via the portal, or, for emergencies, by calling us at 303-414-6910 x2.
Hypervisors in a failover cluster will have rolling reboots done, in order to eliminate VPS downtime on said clusters. Hypervisors not in a failover cluster will either be updated overnight, or have their updates scheduled, depending on customer policy / VM density.
Any hosts where updates are managed directly by the customer (or an approval process is required for zero-day updates) will not be impacted; the controlling organizations will be notified separately.
Please contact us with any questions / comments / concerns.