KB5019964 Cumulative Update for Windows Server 2016

KB5019964 is the cumulative update for Microsoft's November ‘Patch Tuesday’ release. This update covers Windows Server 2016 and the Windows Server 2016 Server Core installation. Some significant points about KB5019964 are listed below.

Salient points about KB5019964 cumulative update for Windows Server 2016

  • KB5019964 is a cumulative update that supersedes October month’s cumulative update KB5018411. KB5018411 was released on October 11, 2022.
  • KB5019964 also includes all the changes that are part of the OOB update or out-of-band update KB5020439. KB5020439 was released on October 18, 2022. If you have not deployed KB5020439 yet, you can skip it and install KB5019964 directly.
  • If you are upgrading from KB5018411, you will be moving from server build 14393.5427 to 14393.5501.
  • If you are upgrading after OOB update KB5020439, you will be moving from server build 14393.5429 to 14393.5501.
  • Servicing Stack Update KB5017396 needs to be deployed on Windows Server 2016 before you install KB5019964.
  • Windows Server 2016 is affected by 34 vulnerabilities. 7 of these have a ‘CRITICAL’ impact. Zero-day threat CVE-2022-41091 also affects Windows Server 2016. There are four zero-day threats that affect Windows Server 2016. Details of these vulnerabilities are shared in the table below.

You may read more about the previous month’s cumulative update KB5018411 for Windows Server 2016 on this page.

Vulnerabilities on Windows Server 2016 – KB5019964

As discussed above, Windows Server 2016 is affected by 34 vulnerabilities. Out of these, there are 7 vulnerabilities that have a ‘CRITICAL’ impact. Zero-day threat CVE-2022-41091 is an ‘IMPORTANT’ severity threat. However, it is publicly disclosed and attempts are being made to exploit it.

| Vulnerability  | Impact                   | Severity                        |
|----------------|--------------------------|---------------------------------|
| CVE-2022-41039 | Remote Code Execution    | CRITICAL with CVSS score 8.1    |
| CVE-2022-41088 | Remote Code Execution    | CRITICAL with CVSS score 8.1    |
| CVE-2022-37966 | Elevation of Privileges  | CRITICAL with CVSS score 8.1    |
| CVE-2022-38015 | Denial of Service        | CRITICAL with CVSS score 6.5    |
| CVE-2022-37967 | Elevation of Privileges  | CRITICAL with CVSS score 7.2    |
| CVE-2022-41128 | Remote Code Execution    | CRITICAL with CVSS score 8.8    |
| CVE-2022-41118 | Remote Code Execution    | CRITICAL with CVSS score 7.5    |
| CVE-2022-41091 | Security Feature Bypass  | IMPORTANT with CVSS score 6.5   |

Zero-day vulnerabilities on Windows Server 2016 under KB5019964

The following four zero-day threats affect Windows Server 2016.

| Vulnerability  | Impact                                                                                                                                          | Severity (CVSS) |
|----------------|-------------------------------------------------------------------------------------------------------------------------------------------------|-----------------|
| CVE-2022-41091 | Windows Mark of the Web Security Feature Bypass Vulnerability                                                                                   | 5.4             |
| CVE-2022-41125 | Elevation of Privileges on Windows CNG Key Isolation Service                                                                                    | 7.8             |
| CVE-2022-41128 | Remote Code Execution on Windows Scripting Languages (only affects Windows Server 2016, does not affect Windows Server 2016 Server Core installation) | 8.8        |
| CVE-2022-41073 | Elevation of Privileges on Windows Print Spooler                                                                                                | 7.8             |

Issues and improvements in KB5019964 for Windows Server 2016

The following issues and improvements have been shared by Microsoft for KB5019964.

  • It addresses an issue that affects Distributed Component Object Model (DCOM) authentication hardening. We will automatically raise the authentication level for all non-anonymous activation requests from DCOM clients to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY. This occurs if the authentication level is below Packet Integrity.
  • It stops the start of daylight saving time in Jordan at the end of October 2022. The Jordan time zone will permanently shift to the UTC + 3 time zone.
  • It addresses an issue that affects the Microsoft Azure Active Directory (AAD) Application Proxy connector. The connector cannot retrieve a Kerberos ticket on behalf of the user. The error message is, “The handle specified is invalid (0x80090301).”
  • It addresses an issue that affects the Forest Trust creation process. It fails to add the Domain Name System (DNS) name suffixes to the trust information attributes. This occurs after you install the January 11, 2022, or later updates.
  • It addresses an issue that affects a domain controller (DC). The DC writes Key Distribution Center (KDC) event 21 in the System event log. This occurs when the KDC successfully processes a Kerberos Public Key Cryptography for Initial Authentication (PKINIT) authentication request using a self-signed certificate for key trust scenarios. This includes Windows Hello for Business and Device Authentication.
  • It addresses an issue that affects the Microsoft Visual C++ Redistributable Runtime. It does not load into the Local Security Authority Server Service (LSASS) when you enable Protected Process Light (PPL).
  • It addresses security vulnerabilities in the Kerberos and Netlogon protocols as outlined in CVE-2022-38023, CVE-2022-37966, and CVE-2022-37967. For deployment guidance, see the following:
    • KB5020805: How to manage the Kerberos Protocol changes related to CVE-2022-37967
    • KB5021130: How to manage Netlogon Protocol changes related to CVE-2022-38023
    • KB5021131: How to manage the Kerberos Protocol changes related to CVE-2022-37966

Installing KB5019964 on Windows Server 2016

You can install KB5019964 in one of the following automated update processes:

  • Windows Update
  • Windows Update for Business
  • Windows Server Update Services (WSUS)

As part of the automated deployment of KB5019964, the Servicing Stack Update KB5017396 is delivered to the server automatically.

You can also install the update on Windows Server 2016 with an offline installer file. The offline installer is an MSU update file. Before installing KB5019964 through the MSU file, you must also manually download and apply the ‘Servicing Stack Update’ KB5017396 on the server. Installing a Servicing Stack Update does not cause the server to reboot.

| Download Cumulative Update                                          | Size of the update |
|---------------------------------------------------------------------|--------------------|
| Download KB5017396 – Servicing Stack Update for Windows Server 2016 | 11.8 MB            |
| Download KB5019964 Cumulative Update for Windows Server 2016        | 1553.4 MB          |

You can read about the Servicing Stack Update file details and the cumulative file details on the Microsoft Catalog Update page for KB5019964.

Before installing KB5019964, be aware that:

  • KB5017396 will not cause a server reboot.
  • KB5019964 will cause a server reboot.
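The offline procedure above, as an added PowerShell example that is not part of the original page: it confirms the server is on build 14393, skips the work if the post-update revision 14393.5501 is already present, and otherwise installs the Servicing Stack Update KB5017396 before the KB5019964 MSU. The C:\Patches folder and the assumption that the downloaded file names contain the KB number are hypothetical.

```powershell
# Added example: offline install of KB5019964 on Windows Server 2016.
# Assumes both MSU files were downloaded from the Microsoft Update Catalog into
# C:\Patches (hypothetical path) and that this runs in an elevated session.

$PatchDir  = 'C:\Patches'
$SsuKb     = 'KB5017396'   # Servicing Stack Update, must be applied first
$CuKb      = 'KB5019964'   # November cumulative update
$TargetUbr = 5501          # 14393.5501 is the build after KB5019964

function Get-ServerBuild {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        Build = [int]$cv.CurrentBuildNumber   # 14393 for Windows Server 2016
        Ubr   = [int]$cv.UBR                  # revision: 5427 / 5429 before, 5501 after
    }
}

function Test-KbInstalled([string]$Kb) {
    # Get-HotFix writes a non-terminating error when the KB is absent; treat that as "not installed"
    $null -ne (Get-HotFix -Id $Kb -ErrorAction SilentlyContinue)
}

function Install-Msu([string]$Kb) {
    $msu = Get-ChildItem -Path $PatchDir -Filter "*$Kb*.msu" | Select-Object -First 1
    if (-not $msu) { throw "No MSU file for $Kb found in $PatchDir" }
    # /norestart: the SSU needs no reboot and the CU reboot is handled explicitly below
    $p = Start-Process -FilePath wusa.exe -ArgumentList "`"$($msu.FullName)`" /quiet /norestart" -Wait -PassThru
    # 0 = success, 3010 = success but reboot required, 2359302 = already installed
    if ($p.ExitCode -notin 0, 3010, 2359302) { throw "wusa.exe failed for $Kb with exit code $($p.ExitCode)" }
    $p.ExitCode
}

$build = Get-ServerBuild
if ($build.Build -ne 14393) { throw "Not Windows Server 2016 (build $($build.Build)); KB5019964 does not apply." }
if ($build.Ubr -ge $TargetUbr) { "Already at 14393.$($build.Ubr); $CuKb or a later update is present."; return }

# Prerequisite first: the SSU must be on the server before the cumulative MSU will install
if (-not (Test-KbInstalled $SsuKb)) { Install-Msu $SsuKb | Out-Null }
$rc = Install-Msu $CuKb
"Installed $CuKb (wusa exit code $rc); a reboot is required to reach 14393.$TargetUbr."
if ($rc -eq 3010) { Restart-Computer -Confirm }
```

After the reboot, re-running Get-ServerBuild should report Ubr 5501, which is the quickest way to confirm the update took effect.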

As of writing this, there have been no adverse reports linked to the installation of KB5019964 on Windows Server 2016 or Windows Server 2016 Server Core installation.