KB5016622 Cumulative Update for Windows Server 2016 – August 9, 2022

KB5016622 is the latest cumulative update for Windows Server 2016. It was released on 9 August 2022 as part of the August 2022 ‘Patch Tuesday’ updates. KB5016622 applies to both Windows Server 2016 and the Windows Server 2016 Server Core installation. We review the key points about KB5016622 for Windows Server 2016 and Windows Server 2016 Server Core.

KB5017305 is the cumulative update for Windows Server 2016 for September 2022. You can read more about KB5017305 on this page.

Salient Points about KB5016622 for Windows Server 2016

  • KB5016622 is a cumulative update that supersedes the KB5015808 cumulative update.
  • KB5015808 was released as the cumulative update for Windows Server 2016 on 12 July 2022 as part of the July ‘Patch Tuesday’ updates.
  • KB5017095 is the latest Servicing Stack Update (SSU) and must be installed before KB5016622.
  • The zero-day vulnerability CVE-2022-34713 affects Windows Server 2016 and the Windows Server 2016 Server Core installation. The vulnerability is fixed in the KB5016622 cumulative update.
  • The size of the MSU update file for KB5016622 is 1551.2 MB.
  • Other vulnerabilities of concern for Windows Server 2016 and the Windows Server 2016 Server Core installation are CVE-2022-35793, CVE-2022-35761, CVE-2022-35756, CVE-2022-35755, CVE-2022-35751 and CVE-2022-35750. Details of these vulnerabilities are listed in the vulnerability section below.
  • The OS build after applying KB5016622 on Windows Server 2016 is 10.0.14393.5291.

Prerequisites for installing KB5016622 on Windows Server 2016

KB5016622 supersedes the KB5015808 cumulative update. There are no specific prerequisites for installing KB5016622 beyond the servicing stack: the latest Servicing Stack Update, KB5017095, must be installed before the cumulative update itself.

  • KB5017095 is offered automatically as part of the deployment of KB5016622 on Windows Server 2016 or the Windows Server 2016 Server Core installation. If you apply the update through Windows Update or WSUS, the SSU KB5017095 is delivered as part of the normal update process.
  • If you use the Microsoft Update Catalog to install KB5016622 on Windows Server 2016 or the Windows Server 2016 Server Core installation, you will need to apply KB5017095 manually first. KB5017095 can be downloaded from the Microsoft Update Catalog page for KB5017095. The size of the update file for KB5017095 is 11.6 MB.
  • Servicing Stack Updates do not require a restart. The KB5016622 cumulative update itself, however, does require a restart to complete installation, so its deployment should be planned as a scheduled change.

KB5015808 Cumulative Security Update for Windows Server 2016 – released July 12

Read more about the previous month’s cumulative update for Windows Server 2016 and the Windows Server 2016 Server Core installation.

Vulnerabilities addressed in KB5016622 for Windows Server 2016 and Windows Server 2016 Server Core

The following vulnerabilities affect Windows Server 2016 and Windows Server 2016 Server Core installation.

CVE-2022-34713 – Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability. This is a zero-day vulnerability with a CVSS score of 7.8 that was already being exploited in the wild when the update was released.

CVE-2022-35793 – Windows Print Spooler Elevation of Privilege Vulnerability. This vulnerability has a CVSS score of 7.3. One of the workarounds suggested by Microsoft is to stop the Print Spooler service from accepting inbound remote printing connections.

CVE-2022-35761 – Windows Kernel Elevation of Privilege Vulnerability. This vulnerability has a CVSS score of 8.4 and could allow an attacker to gain SYSTEM privileges on the exploited machine.

CVE-2022-35756 – Windows Kerberos Elevation of Privilege Vulnerability. This vulnerability has a CVSS score of 7.8 and could allow an attacker to gain domain administrator privileges.

CVE-2022-35755 – Windows Print Spooler Elevation of Privilege Vulnerability. This vulnerability has a CVSS score of 7.3, and the suggested workaround is to disable the Print Spooler service on servers that do not need it.

CVE-2022-35751 – Windows Hyper-V Elevation of Privilege Vulnerability – This vulnerability has a CVSS score of 7.8 and could allow an attacker to gain SYSTEM privileges. However, Microsoft rates the attack complexity as high, so exploitation is less straightforward than for the other entries in this list.

CVE-2022-35750 – Win32k Elevation of Privilege Vulnerability – This vulnerability has a CVSS score of 7.8 and could allow an attacker to gain SYSTEM privileges.

All of these vulnerabilities significantly raise the risk to unpatched Windows Server 2016 and Windows Server 2016 Server Core installations, and five of the seven are local privilege escalations that turn any foothold into SYSTEM.
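The two Print Spooler entries above are the only ones with a documented interim workaround: either block inbound remote printing (the Group Policy “Allow Print Spooler to accept client connections” set to Disabled, which is backed by the RegisterSpoolerRemoteRpcEndPoint registry value) or stop and disable the Spooler service altogether. The script below is an added example, not code from the original page or from Microsoft, for auditing that state on a Windows Server 2016 host that has not yet received KB5016622 and applying the workaround where it is safe to do so. It assumes an elevated PowerShell session and that the host is not a print server or a domain controller that must keep serving print clients.

```powershell
# Added example (not from the original page or from Microsoft): report whether the
# Print Spooler workaround for CVE-2022-35755 / CVE-2022-35793 is in place, and
# optionally apply it. Run elevated. Assumption: this host does not need to
# serve print clients (check before using -Mode Service on a print server).
[CmdletBinding(SupportsShouldProcess)]
param(
    # Report  : only show the current exposure
    # Inbound : block remote client connections (policy value 2), keep local printing
    # Service : stop and disable the whole Print Spooler service
    [ValidateSet('Report', 'Inbound', 'Service')]
    [string]$Mode = 'Report'
)

$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$PolicyName = 'RegisterSpoolerRemoteRpcEndPoint'   # 1 = accept remote clients, 2 = refuse them

function Get-SpoolerExposure {
    $svc    = Get-Service -Name Spooler
    $policy = (Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue).$PolicyName
    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        SpoolerStatus        = $svc.Status
        SpoolerStartType     = $svc.StartType
        RemoteRpcPolicy      = if ($null -eq $policy) { 'NotConfigured' } else { $policy }
        # Exposed to the remote-printing attack path only if the service is up
        # and the policy does not refuse remote RPC connections.
        AcceptsRemoteClients = ($svc.Status -eq 'Running') -and ($policy -ne 2)
    }
}

'Before:'
Get-SpoolerExposure | Format-List

switch ($Mode) {
    'Inbound' {
        if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Block inbound remote printing')) {
            New-Item -Path $PolicyKey -Force | Out-Null
            Set-ItemProperty -Path $PolicyKey -Name $PolicyName -Value 2 -Type DWord
            # The spooler reads the policy at start-up, so restart it for the change to apply.
            Restart-Service -Name Spooler
        }
    }
    'Service' {
        if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Stop and disable the Print Spooler service')) {
            Stop-Service -Name Spooler -Force
            Set-Service  -Name Spooler -StartupType Disabled
        }
    }
}

if ($Mode -ne 'Report') {
    'After:'
    Get-SpoolerExposure | Format-List
}
```

Run it with `-Mode Inbound -WhatIf` first to see what would change. The workaround is a stopgap: once KB5016622 is installed the Spooler fixes are in place and the service can be returned to its normal configuration where printing is actually needed.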

How can I deploy KB5016622 on Windows Server 2016?

KB5016622 for Windows Server 2016 and Windows Server 2016 Server Core installation can be deployed through all the regular methods of Windows Updates.

  • KB5016622 can be installed on Windows Server 2016 through Windows Update.
  • You can deploy KB5016622 on Windows Server 2016 through Windows Update for Business.
  • KB5016622 can also be imported through WSUS (Windows Server Update Services).
  • KB5016622 can be installed manually through the Microsoft Update Catalog. You can download KB5016622 for Windows Server 2016 and Windows Server 2016 Server Core from the Microsoft Update Catalog page for KB5016622. The size of the update file is 1551.2 MB. You will also need to deploy the KB5017095 SSU before installing KB5016622. KB5017095 can be downloaded from this page.

Since KB5016622 is a cumulative update that requires a restart to complete, plan a change ticket for the installation window.
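For the manual catalog route, the order matters: the SSU goes on first, then the cumulative update, then one restart, and only then is the build number worth checking. The script below is an added example, not code from the original page or from Microsoft, that drives that sequence with wusa.exe and verifies the result afterwards. It assumes an elevated PowerShell session on Windows Server 2016 (Desktop Experience or Server Core); the staging folder and the .msu file names are assumptions, so substitute the names of the files you actually downloaded from the catalog.

```powershell
# Added example (not from the original page or from Microsoft): install the
# KB5017095 SSU and the KB5016622 LCU from catalog .msu files in the required
# order, then verify the build after the restart. Run elevated.
param(
    [ValidateSet('Install', 'Verify')]
    [string]$Action = 'Verify',
    [string]$Staging = 'C:\Updates',                        # assumed staging folder
    [string]$SsuFile = 'windows10.0-kb5017095-x64.msu',     # assumed file name
    [string]$LcuFile = 'windows10.0-kb5016622-x64.msu',     # assumed file name
    [int]$ExpectedUbr = 5291                                # 10.0.14393.5291 after KB5016622
)

function Get-OsBuild {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        Build = "$($cv.CurrentMajorVersionNumber).$($cv.CurrentMinorVersionNumber).$($cv.CurrentBuildNumber).$($cv.UBR)"
        UBR   = [int]$cv.UBR
    }
}

function Install-Msu {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { throw "Update file not found: $Path" }
    # wusa.exe is the Windows Update Standalone Installer. /norestart stops each
    # package from rebooting on its own so a single restart covers both.
    $p = Start-Process -FilePath 'wusa.exe' -ArgumentList "`"$Path`" /quiet /norestart" -Wait -PassThru
    switch ($p.ExitCode) {
        0       { "$Path : installed" }
        3010    { "$Path : installed, restart required" }
        2359302 { "$Path : already installed (0x240006)" }
        default { throw ('{0} failed with exit code {1} (0x{1:X})' -f $Path, $p.ExitCode) }
    }
}

switch ($Action) {
    'Install' {
        "Build before: $((Get-OsBuild).Build)"
        Install-Msu -Path (Join-Path $Staging $SsuFile)   # servicing stack first
        Install-Msu -Path (Join-Path $Staging $LcuFile)   # then the cumulative update
        $pending = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
        if ($pending) { Write-Warning 'Restart required to complete installation; run with -Action Verify afterwards.' }
    }
    'Verify' {
        $os  = Get-OsBuild
        $lcu = Get-HotFix -Id 'KB5016622' -ErrorAction SilentlyContinue
        # SSUs do not always appear in Get-HotFix, so list the servicing stack
        # package from the DISM view of the component store instead.
        $ssu = Get-WindowsPackage -Online |
               Where-Object { $_.PackageName -like '*ServicingStack*' } |
               Sort-Object InstallTime -Descending | Select-Object -First 1
        [pscustomobject]@{
            ComputerName   = $env:COMPUTERNAME
            Build          = $os.Build
            KB5016622      = if ($lcu) { "installed $($lcu.InstalledOn)" } else { 'missing' }
            ServicingStack = if ($ssu) { $ssu.PackageName } else { 'none listed' }
            Compliant      = ($os.UBR -ge $ExpectedUbr) -and [bool]$lcu
        } | Format-List
    }
}
```

Run `-Action Install`, restart, then `-Action Verify`; a host is compliant only when Get-HotFix lists KB5016622 and the UBR in the registry is at least 5291. The same Verify branch can be pushed through Invoke-Command to check a fleet after a WSUS or Windows Update deployment as well.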

Bug fixes and improvements in KB5016622 for Windows Server 2016

The following improvements are part of the KB5016622 for Windows Server 2016 and Windows Server 2016 Server Core installation:

  • Addresses an issue that prevents certain troubleshooting tools from opening.
  • Addresses an issue that prevents the Key Distribution Center (KDC) Proxy from properly receiving Kerberos tickets for Key Trust Windows Hello for Business credentials.
  • Addresses an issue that causes the KDC code to incorrectly return the error message “KDC_ERR_TGT_REVOKED” during domain controller shutdown.
  • Addresses an issue that might cause the Local Security Authority Server Service (LSASS) to leak tokens. This issue affects devices that have installed Windows updates dated June 14, 2022 or later.
  • Enforces a hardening change that requires printers and scanners that use smart cards for authentication to have firmware that complies with section 3.2.1 of RFC 4556. If they do not comply, Active Directory domain controllers will not authenticate them. Mitigations that allowed non-compliant devices to authenticate will not exist after August 9, 2022. 

Summary

KB5016622 for Windows Server 2016 supersedes KB5015808 for Windows Server 2016 and the Windows Server 2016 Server Core installation. The two things that need special attention are:

  • CVE-2022-34713 is an actively exploited zero-day that is fixed by KB5016622.
  • The KB5017095 SSU must be installed before KB5016622 when deploying from the Microsoft Update Catalog.

Aside from these two points, KB5016622 brings the usual round of bug fixes and improvements, including the Kerberos and LSASS fixes listed above.