KB5014699 Cumulative Update for Windows Server 20H2 (Server Core Installation)

KB5014699 is the cumulative security update for Windows Server 20H2 (Server Core) installation. It supersedes May month’s cumulative security update KB5013942. We look at the important factors and points of the KB5014699 cumulative update.

Content in this post:

1. Salient points about KB5014699 for Windows Server 20H2 Server Core Installation
2. KB5014699 – Vulnerabilities in Windows Server 20H2 version
3. Prerequisites for installing KB5014699 on Windows Server 20H2 (Server Core Installation)
4. How can I deploy KB5014699 on Windows Server 20H2 (Server Core Installation)
5. Summary

Salient points about KB5014699 for Windows Server 20H2 Server Core Installation

• KB5014699 is a cumulative update for Windows Server 20H2 Server Core installation.
• It supersedes the KB5013942 cumulative update for the month of May 2002.
• KB5014699 also includes all the changes that are part of the out-of-band update KB5015020. The out-of-band update was released on the 19th May. If you have not deployed the OOB update KB5015020 yet, you can skip it. You can deploy KB5014699 directly as it contains all the changes of the OOB update.
• KB5014699 also fixes CVE-2022-30139, CVE-2022-30163 and CVE-2022-30190.
• There are specific requirements for patching KB5014699 on Windows Server 20H2. Do check the prerequisites section for details.
• It is also important to follow the process suggested by Microsoft to patch KB5014699. There are chances that you may end up with machine certificate authentication issues on the server.

We look at the vulnerabilities and prerequisites for installing KB5014699 below.

KB5014699 – Vulnerabilities in Windows Server 20H2 version

CVE-2022-30190 – Microsoft System Diagnostics Tool

• CVE-2022-30190 is a zero-day vulnerability that is publicly disclosed and is being exploited.
• CVE-2022-30190 has a CVSS rating of 7.8.
• The issue happens when the MSDT is called using the URL protocol. It can lead to remote code execution or arbitrary code execution on the target machine.
• The attacker will need local access to the server to deploy and execute code on the target server.
• CVE-2022-30190 is patched in KB5014699 for Windows Server 20H2 (Server Core Installation). An alternative approach involves disabling the MSDT from being called through URL protocol. Details about disabling MSDT on Windows Server are available on Microsoft’s blog entry.

CVE-2022-30139 – Windows LDAP

• CVE-2022-30139 is a critical vulnerability with a CVSS score of 7.5.
• It affects Windows Lightweight Directory Access Protocol or LDAP.
• The attack complexity for CVE-2022-30139 is AC: H or complex.
• The vulnerability affects servers in which the MaxReceiveBuffer LDAP policy is set to a value higher than the default value. Systems with the default value of this policy would not be vulnerable.
• The vulnerability is patched in KB5014699 for Windows Server 20H2 (Server Core Installation).

CVE-2022-30163 – Windows Hyper V

• CVE-2022-30163 is a critical vulnerability with a CVSS rating of 8.5.
• The vulnerability allows an attacker to cause remote code execution by targeting the Windows Hyper V operating system.
• The attacker can get low-level access to the compromised server.
• Using malicious code deployment on Hyper V guest, the attacker could run arbitrary code on the Hyper V operating system.
• The threat is resolved in KB5014699 on Windows Server 20H2 (Server Core Installation).

Apart from these 3 vulnerabilities, Microsoft has shared 60 vulnerabilities as part of June month’s security updates for all the Windows versions. Not all of these threats affect Windows Server 20H2 (Server Core Installation).

Prerequisites for installing KB5014699 on Windows Server 20H2 (Server Core Installation)

For updates through offline OS image:

• If you intend to deploy KB5014699 through an offline OS image, you will need KB5011543 cumulative update or later cumulative update. If this is not possible, you can deploy SSU KB5014032 before deploying KB5014699.
• You can download KB5011543 from the Microsoft Update Catalog page for KB5011543 for Windows Server 20H2 (Server Core Installation). The size of the update file for KB5011543 is 661 MB for x64 and 689.7 MB for ARM64 platforms.
• If you are unable to deploy KB5011543 or later cumulative update, you can download SSU KB5014032 from the Microsoft Update Catalog page for KB5014032. The size of the update files for the x64 platform and ARM64 platform is less than 20 MB.

For updates through WSUS or Microsoft Update Catalog

If you intend to use WSUS or Microsoft Update Catalog for installing KB5014699, you need to have either of the two updates shared below:

• KB5003173 cumulative update or a later cumulative update needs to be deployed on the Windows Server 20H2 (Server Core Installation). It was released in May 2021. You can download KB5003173 from the Microsoft Update Catalog page. The update file for the x64 system is 572.6 MB and the size of the update file for ARM64 systems is 618.3 MB.
• If you are unable to install the cumulative update kB5003173 or later, you can install SSU KB5005260 from August 2021. You can download KB5005260 from the Microsoft Update Catalog page. The size of the SSU update file is less than 15 MB for each x64 or ARM64 system.

Apart from these prerequisites, you will need to take adequate care to prevent machine certificate authentication issues on Windows Server 20H2.

• To prevent machine certificate authentication issues, the intermediate and application servers need to be patched with KB5014699 before the domain controllers are patched.
• Alternatively, you can create a registry entry value under CertificateMappingMethods to 0x1F before deploying KB5014699. Once the registry value is created, you can deploy KB5014699. Post-deployment of KB5014699, the registry value under CertificateMappingMethods can be removed. You can read more about the machine certificate authentication issues discussed in KB5014754.

It is important to take one of these two steps to prevent machine certificate authentication issues.

How can I deploy KB5014699 on Windows Server 20H2 (Server Core Installation)

KB5014699 cumulative update can be deployed through all the regular channels of Windows Update.

• KB5014699 can be deployed using Windows Update on Windows Server 20H2.
• KB5014699 can be deployed using the Microsoft Update for Business on Windows Server 20H2.
• WSUS can be used to import and deploy KB5014699 on Windows Server 20H2.
• You can download the KB5014699 update for Windows Server 20H2 (Server Core Installation) from the Microsoft Update Catalog page. The size of the update file for the x64 platform is 677.5 MB and the size of the update file for ARM64 is 704.7 MB.

Summary

KB5014699 supersedes KB5013942 and KB5015020. It can be deployed through all the regular means of Windows Update. Do look at the specific prerequisites for installing KB5014699. KB5014699 also resolved the zero-day vulnerability CVE-2022-30190 on MSDT or Microsoft Systems Diagnostic Tool.

You may also like to read more content related to June updates for Microsoft Windows Servers in the below-mentioned pages:

• KB5014738 cumulative monthly rollup for Windows Server 2012 R2
• KB5014747 monthly rollup cumulative update for Windows Server 2012
• KB5014678 Cumulative Update for Windows Server 2022
• KB5014692 Cumulative Update for Windows Server 2019
• KB5014702 Cumulative Update for Windows Server 2016 – June 2022
• KB5014741 Security Update for Windows Server 2012
• KB5014746 Security Update for Windows Server 2012 R2