KB5019964 is the cumulative update for Microsoft's November 2022 'Patch Tuesday' release. This update covers Windows Server 2016 and the Windows Server 2016 Server Core installation. We look at the significant points about KB5019964 below.
Salient points about KB5019964 cumulative update for Windows Server 2016
- KB5019964 is a cumulative update that supersedes October month’s cumulative update KB5018411. KB5018411 was released on October 11, 2022.
- KB5019964 also includes all the changes that are part of the out-of-band (OOB) update KB5020439. KB5020439 was released on October 18, 2022. If you have not deployed KB5020439 yet, you can skip it and install KB5019964 directly.
- If you are upgrading from KB5018411, you will be moving from server build 14393.5427 to 14393.5501.
- If you are upgrading after OOB update KB5020439, you will be moving from server build 14393.5429 to 14393.5501.
- Servicing Stack Update KB5017396 needs to be deployed on Windows Server 2016 before you install KB5019964.
- Windows Server 2016 is affected by 34 vulnerabilities, 7 of which have a 'CRITICAL' impact. Four zero-day threats affect Windows Server 2016, including CVE-2022-41091. Details of these vulnerabilities are shared in the tables below.
You may read more about the previous month’s cumulative update KB5018411 for Windows Server 2016 on this page.
Vulnerabilities on Windows Server 2016 – KB5019964
As discussed above, Windows Server 2016 is affected by 34 vulnerabilities. Out of these, 7 vulnerabilities have a 'CRITICAL' impact. Zero-day threat CVE-2022-41091 is rated 'IMPORTANT' rather than critical; however, it has been publicly disclosed and exploitation attempts have been observed, so it should be patched with the same urgency.
| CVE | Impact | Severity and CVSS score |
|---|---|---|
| CVE-2022-41039 | Remote Code Execution | CRITICAL with CVSS score 8.1 |
| CVE-2022-41088 | Remote Code Execution | CRITICAL with CVSS score 8.1 |
| CVE-2022-37966 | Elevation of Privileges | CRITICAL with CVSS score 8.1 |
| CVE-2022-38015 | Denial of Service | CRITICAL with CVSS score 6.5 |
| CVE-2022-37967 | Elevation of Privileges | CRITICAL with CVSS score 7.2 |
| CVE-2022-41128 | Remote Code Execution | CRITICAL with CVSS score 8.8 |
| CVE-2022-41118 | Remote Code Execution | CRITICAL with CVSS score 7.5 |
| CVE-2022-41091 | Security Feature Bypass | IMPORTANT with CVSS score 6.5 |
Zero-day vulnerabilities on Windows Server 2016 under KB5019964
The following four zero-day threats affect Windows Server 2016.
| CVE | Description | CVSS score |
|---|---|---|
| CVE-2022-41091 | Windows Mark of the Web Security Feature Bypass Vulnerability | 5.4 |
| CVE-2022-41125 | Elevation of Privileges on Windows CNG Key Isolation Service | 7.8 |
| CVE-2022-41128 | Remote Code Execution on Windows Scripting Languages (only affects Windows Server 2016, does not affect Windows Server 2016 Server Core installation) | 8.8 |
| CVE-2022-41073 | Elevation of Privileges on Windows Print Spooler | 7.8 |
Issues and improvements in KB5019964 for Windows Server 2016
The following issues and improvements have been shared by Microsoft for KB5019964.
- It addresses an issue that affects Distributed Component Object Model (DCOM) authentication hardening. Windows now automatically raises the authentication level for all non-anonymous activation requests from DCOM clients to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY whenever the requested authentication level is below Packet Integrity.
- It stops the start of daylight saving time in Jordan at the end of October 2022. The Jordan time zone will permanently shift to the UTC + 3 time zone.
- It addresses an issue that affects the Microsoft Azure Active Directory (AAD) Application Proxy connector, which cannot retrieve a Kerberos ticket on behalf of the user. The error message is, "The handle specified is invalid (0x80090301)."
- It addresses an issue that affects the Forest Trust creation process. It fails to add the Domain Name System (DNS) name suffixes to the trust information attributes. This occurs after you install the January 11, 2022, or later updates.
- It addresses an issue that affects a domain controller (DC). The DC writes Key Distribution Center (KDC) event 21 in the System event log. This occurs when the KDC successfully processes a Kerberos Public Key Cryptography for Initial Authentication (PKINIT) authentication request using a self-signed certificate for key trust scenarios. This includes Windows Hello for Business and Device Authentication.
- It addresses an issue that affects the Microsoft Visual C++ Redistributable Runtime. It does not load into the Local Security Authority Server Service (LSASS) when you enable Protected Process Light (PPL).
- It addresses security vulnerabilities in the Kerberos and Netlogon protocols as outlined in CVE-2022-38023, CVE-2022-37966, and CVE-2022-37967. For deployment guidance, see the following:
  - KB5020805: How to manage the Kerberos Protocol changes related to CVE-2022-37967
  - KB5021130: How to manage Netlogon Protocol changes related to CVE-2022-38023
  - KB5021131: How to manage the Kerberos Protocol changes related to CVE-2022-37966
Installing KB5019964 on Windows Server 2016
You can install KB5019964 using one of the following automated update channels:
- Windows Update
- Windows Update for Business
- Windows Server Update Services (WSUS)
As part of the automated deployment of KB5019964, the Servicing Stack Update KB5017396 is delivered to the server automatically.
You can also use an offline installer file to install the update on Windows Server 2016. The offline installer is an MSU update file. Before installing KB5019964 through the MSU file, you must manually download and apply the Servicing Stack Update KB5017396 on the server first. Installing a Servicing Stack Update does not cause the server to reboot.
|Download Cumulative Update||Size of the update|
|Download KB5017396 – Servicing Stack Update for Windows Server 2016||11.8 MB|
|Download KB5019964 Cumulative Update for Windows Server 2016||1553.4 MB|
You can read about the Servicing Stack Update file details and the cumulative file details on the Microsoft Catalog Update page for KB5019964.
Before installing KB5019964, note that:
- KB5017396 will not cause a server reboot.
- KB5019964 will cause a server reboot.
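The offline procedure above (SSU first, then the cumulative update, then a reboot and a build check) as an added PowerShell example; it is not part of the original post. The C:\Updates folder and the MSU file names are assumptions, and the script must run in an elevated session.

```powershell
# Added example (not from the original post): offline install of KB5019964 on
# Windows Server 2016 in the order the post describes (SSU first, then the CU),
# with a build check afterwards. The folder and file names are assumptions.
$SsuMsu = 'C:\Updates\windows10.0-kb5017396-x64.msu'   # Servicing Stack Update
$CuMsu  = 'C:\Updates\windows10.0-kb5019964-x64.msu'   # Cumulative Update
$TargetBuild = '14393.5501'                             # build after KB5019964

function Get-OsBuild {
    # CurrentBuildNumber.UBR gives the "14393.xxxx" form used in the post
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    return "$($cv.CurrentBuildNumber).$($cv.UBR)"
}

function Test-KbInstalled([string]$Kb) {
    # Cumulative updates are listed by Get-HotFix; the SSU is a servicing-stack
    # package, so also look for its KB digits in the online package list.
    if (Get-HotFix -Id $Kb -ErrorAction SilentlyContinue) { return $true }
    $digits = $Kb -replace '^KB', ''
    return [bool](Get-WindowsPackage -Online |
        Where-Object { $_.PackageName -like "*ServicingStack*$digits*" })
}

function Install-Msu([string]$Path) {
    # wusa.exe exit codes: 0 = installed, 3010 = installed and reboot pending,
    # 2359302 (0x240006) = already installed; anything else is a failure.
    $p = Start-Process -FilePath wusa.exe -Wait -PassThru `
        -ArgumentList "`"$Path`" /quiet /norestart"
    if ($p.ExitCode -notin 0, 3010, 2359302) {
        throw "wusa.exe failed for $Path with exit code $($p.ExitCode)"
    }
    return $p.ExitCode
}

Write-Host "Build before: $(Get-OsBuild)"

# 1. SSU first; per the post it does not trigger a reboot.
if (-not (Test-KbInstalled 'KB5017396')) { Install-Msu $SsuMsu | Out-Null }

# 2. Cumulative update; the server must reboot to finish it.
$rc = Install-Msu $CuMsu
if ($rc -eq 3010) {
    Write-Host 'KB5019964 staged; rebooting to complete the installation.'
    Restart-Computer -Force
    return
}

# 3. Run this check again after the reboot: the build should read 14393.5501.
if ((Get-OsBuild) -eq $TargetBuild) { Write-Host 'KB5019964 applied.' }
else { Write-Warning "Build is $(Get-OsBuild), expected $TargetBuild" }
```

If you upgraded from KB5018411 or KB5020439, Get-OsBuild should report 14393.5427 or 14393.5429 before the run and 14393.5501 after the reboot.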
At the time of writing, there have been no adverse reports linked to the installation of KB5019964 on Windows Server 2016 or the Windows Server 2016 Server Core installation.
Rajesh Dhawan is a technology professional who loves to blog about smart wearables, Cloud computing and Microsoft technologies. He loves to break complex problems into manageable chunks of meaningful information.