SharePoint workflows stop working after you install .NET security updates for CVE-2018-8421

Symptoms


After any of the September 2018 .NET Framework security updates to resolve CVE-2018-8421 (.NET Framework Remote Code Execution Vulnerability) are applied, SharePoint out-of-the-box workflows stop working. When the problem occurs, an error that resembles the following is logged:

<Date> <Time> w3wp.exe (0x1868) 0x22FC SharePoint Foundation Workflow Infrastructure 72fsUnexpected RunWorkflow: Microsoft.SharePoint.SPException: <Error><CompilerError Line="-1" Column="-1" Text="Type System.CodeDom.CodeBinaryOperatorExpression is not marked as authorized in the application configuration file." /><CompilerError Line="-1" Column="-1" Text="Type System.CodeDom.CodeBinaryOperatorExpression is not marked as authorized in the application configuration file." /><CompilerError Line="-1" Column="-1" Text="Type System.CodeDom.CodeBinaryOperatorExpression is not marked as authorized in the application configuration file." /><CompilerError Line="-1" Column="-1" Text="Type System.CodeDom.CodeBinaryOperatorExpression is not marked as authorized in the application configuration file." /><CompilerError Line="-1" Column="-1" Text="Type System.CodeDom.CodeBinaryOperatorExpression is not marked as authorized in the application configuration file." /><CompilerError Line="-1" Column="-1" Text="Type System.CodeDom.CodeBinaryOperatorExpression is not marked as authorized in the application configuration file." /><CompilerError Line="-1" Column="-1" Text="Type System.CodeDom.CodeBinaryOperatorExpression is not marked as authorized in the application configuration file." /><CompilerError Line="-1" Column="-1"…

The error suggests that System.CodeDom.CodeBinaryOperatorExpression is not included in the authorized types.

For more information about the September .NET Security updates, go to this Microsoft blog page.

Cause


Workflow Foundation (WF) will only run workflows when all dependent types and assemblies are authorized in the .NET config file (or added explicitly through code) under the following tree:

<configuration>
  <System.Workflow.ComponentModel.WorkflowCompiler>
    <authorizedTypes>
      <targetFx>

However, after the update, SharePoint out-of-the-box workflows require some types that were not previously required.
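
One way to confirm this on a farm is to pull the rejected type names out of the ULS error and test them against the authorizedTypes tree of a web.config. The PowerShell below is an added example, not code from the original post or from Microsoft; the sample log line and config fragment are constructed, the function names are hypothetical, and the wildcard matching with -like only approximates how WF evaluates authorizedType entries.

```powershell
# Constructed sample input: shortened ULS error text and a minimal web.config fragment.
$ulsLine = 'RunWorkflow: Microsoft.SharePoint.SPException: <Error><CompilerError Line="-1" Column="-1" Text="Type System.CodeDom.CodeBinaryOperatorExpression is not marked as authorized in the application configuration file." /><CompilerError Line="-1" Column="-1" Text="Type System.CodeDom.CodeBinaryOperatorExpression is not marked as authorized in the application configuration file." />'
[xml]$config = @'
<configuration>
  <System.Workflow.ComponentModel.WorkflowCompiler>
    <authorizedTypes>
      <targetFx version="v4.0">
        <authorizedType Assembly="System.Workflow.Activities, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" Namespace="System.Workflow.*" TypeName="*" Authorized="True" />
      </targetFx>
    </authorizedTypes>
  </System.Workflow.ComponentModel.WorkflowCompiler>
</configuration>
'@

# Hypothetical helper: return each distinct type named in a "not marked as authorized" error.
function Get-UnauthorizedWorkflowType {
    param([Parameter(Mandatory)][string]$LogText)
    [regex]::Matches($LogText, 'Type\s+([\w.]+)\s+is not marked as authorized') |
        ForEach-Object { $_.Groups[1].Value } | Sort-Object -Unique
}

# Hypothetical helper: check a namespace-qualified type against the authorizedType entries.
# Assumption: an entry matches when both its namespace and type-name patterns match (-like),
# and any matching Authorized="False" entry wins over Authorized="True".
function Test-WorkflowTypeAuthorized {
    param([Parameter(Mandatory)][xml]$Config, [Parameter(Mandatory)][string]$FullTypeName)
    $i = $FullTypeName.LastIndexOf('.')
    if ($i -lt 0) { return $false }   # no namespace part, nothing to match against
    $ns   = $FullTypeName.Substring(0, $i)
    $name = $FullTypeName.Substring($i + 1)
    $xpath = '/configuration/System.Workflow.ComponentModel.WorkflowCompiler/authorizedTypes/targetFx/authorizedType'
    $hits = foreach ($node in $Config.SelectNodes($xpath)) {
        # Read attribute names case-insensitively so spelling variants are both found.
        $attr = @{}
        foreach ($a in $node.Attributes) { $attr[$a.Name.ToLowerInvariant()] = $a.Value }
        if ($ns -like $attr['namespace'] -and $name -like $attr['typename']) { $attr['authorized'] }
    }
    ($hits -contains 'True') -and -not ($hits -contains 'False')
}

# Report each rejected type and whether the sample config authorizes it.
foreach ($t in Get-UnauthorizedWorkflowType -LogText $ulsLine) {
    [pscustomobject]@{
        Type       = $t
        Authorized = Test-WorkflowTypeAuthorized -Config $config -FullTypeName $t
    }
}
```

Against a real farm, load the web application's web.config with Get-Content and cast it to [xml] instead of using the inline fragment.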

Resolution

The official KB is here, and the MSFT blog post is here.

December 2017 CU for SharePoint Server 2016 is available for download

The product group has released the cumulative update, and it is available for download.

  • KB 4011576 — December 2017 Update for SharePoint Server 2016 language independent and security update (build number 16.0.4627.1000)
  • KB 4011578 — December 2017 Update for SharePoint Server 2016 language dependent fixes (build number 16.0.4627.1000)
  • KB 4011020 — December 2017 Update for Office Online Server 2016 and security update

Direct link to download updates

November 2017 CU for SharePoint Server 2016 is available for download

The product group has released the cumulative update, and it is available for download.

  • KB 4011244 – SharePoint Server 2016 language independent and security update (build number 16.0.4615.1000)
  • KB 4011243 – SharePoint Server 2016 language dependent fixes (build number 16.0.4615.1000)

Direct link to download updates

Note: Install both fixes to fully patch a SharePoint server.

Please run the SharePoint 2016 Products Configuration Wizard on every server in the farm.

You can use the SharePoint Server 2016 Patch Build Numbers Powershell Module to identify the patch level of all SharePoint components.

Cumulative update for SharePoint 2016 (November 2017)

A new cumulative update for SharePoint 2016 is available for download

  • KB 4011244 – SharePoint Server 2016, security settings update (build number 16.0.4615.1000)
  • KB 4011243 – SharePoint Server 2016, language pack update (build number 16.0.4615.1000)

Direct link to download updates

Important! Both fixes must be installed to fully patch a SharePoint server.

After installing the updates, remember to run the SharePoint Configuration Wizard on every server in the farm.

To determine the patch level of all SharePoint components, you can use the SharePoint Server 2016 Patch Build Numbers Powershell Module.

October 2017 CU for SharePoint Server 2016

The product group has released the cumulative update, and it is available for download.

  • KB 4011217 — SharePoint Server 2016 language independent (build number 16.0.4600.1000)
  • KB 4011161 — SharePoint Server 2016 language dependent fixes (build number 16.0.4600.1000)
  • KB 3213659 — Office Online Server 2016 (language dependent fixes)

Direct link to download updates

Please run the SharePoint Configuration Wizard (also known as PSConfig) on every server in the farm.

You can use this PowerShell script to determine your SharePoint farm patch level.

Note: Install cumulative updates in a test environment first to protect your production environment. If the update deployment goes well, continue with the production environment. In any case, it is a good idea to have backups.

Cumulative update for SharePoint 2016 (October 2017)

The next cumulative update for SharePoint 2016 is available for download

  • KB 4011217 – SharePoint Server 2016 (build number 16.0.4600.1000)
  • KB 4011161 – SharePoint Server 2016, language pack update (build number 16.0.4600.1000)
  • KB 3213659 – Office Online Server 2016 (build number 16.0.4600.1000)

Direct link to download updates

After installing the updates, remember to run the SharePoint Configuration Wizard on every server in the farm.

A peculiarity of this cumulative update is that it does not update the configuration database schema. You can therefore use this PowerShell script to identify the version of your farm.

Important! Install updates in test environments first so that you do not break production ones. Even then, do not forget about backups.

September 2017 CU for SharePoint Server 2016

The product group has released the February 2017 cumulative update, and it is available for download.

  • KB 4011127 — SharePoint Server 2016 language independent (build number 16.0.4588.1001)
  • KB 4011112 — SharePoint Server 2016 language dependent fixes (build number 16.0.4588.1001)
  • KB 3213658 — Office Online Server 2016 (language dependent fixes)

Direct link to download updates

Please run the SharePoint Configuration Wizard (also known as PSConfig) on every server in the farm.

You can use this PowerShell script to determine your SharePoint farm patch level.

Note: Install cumulative updates in a test environment first to protect your production environment. If the update deployment goes well, continue with the production environment. In any case, it is a good idea to have backups.