KB5022289 Cumulative Update for Windows Server 2016 – January 2023

KB5022289 is the latest cumulative security update for Windows Server 2016 and Windows Server 2016 Server Core installation. The update has been released on 10th January as part of the ‘Patch Tuesday’ project of Microsoft.

Salient points about KB5022289 for Windows Server 2016

• KB5022838 is the cumulative update for February 2023. It replaces KB5022289 for Windows Server 2016.

• KB5022289 is a cumulative update that supersedes KB5021235. KB5021235 was released on 13th December 2022.

• KB5022289 corresponds to build version 14393.5648. KB5021235 corresponds to build version 14393.5582.

• KB5017396 is the Servicing Stack Update (SSU) that needs to be deployed alongside KB5022289. SSU will automatically get deployed if you are using one of the automated methods of deploying KB5022289.

• Between the last cumulative update of December 2022 and this month’s cumulative update, there has not been an out-of-band update for Windows Server 2016. So, the upgrade path for Windows Server 2016 and Windows Server 2016 Server Core installation is from KB5021235 to KB5022289.

• There have been 50 vulnerability disclosures as part of this month’s security bulletin for Windows Server 2016. 9 of these vulnerabilities have a ‘CRITICAL’ severity level. The remaining 41 vulnerabilities have an ‘IMPORTANT’ severity level.

• Zero-day vulnerabilities CVE-2023-21549 and CVE-2023-21674 affect Windows Server 2016 and Windows Server 2016 Server Core installation. These are resolved in KB5022289.

• You can install KB5022289 manually through offline installer files. The direct download links of the update are shared below for ready reference.

Download KB5022289 for Windows Server 2016

Before sharing the direct download links for KB5022289, we will like to mention that KB5022289 can be deployed automatically through one of the following methods:

• Windows Update
• Windows Update for Business
• WSUS or Windows Server Update Service

When KB5022289 is deployed in one of the automated ways, the SSU KB5017396 will also be automatically deployed prior to installing KB5022289.

Should you want to deploy manually, you can download the offline installer files for KB5022289. The offline installer files can be downloaded from the Microsoft Update Catalog. The offline installer files are available in MSU format.

The Microsoft Update catalog page for KB5022289 can be found here.

As mentioned above, KB5022289 should be deployed after KB5017396 Servicing Stack Update is installed. So, we will share direct download links for KB5017396 and KB5022289.

Cumulative Update/SSU Update	Download Update	Size of update
KB5017396	Download KB5017396	11.6 MB
KB5022289	Download KB5022289	1551.4 MB

There are two things that you may want to be aware of in respect of KB5017396:

• KB5017396 was released on 13th September 2022
• When you install KB5017396, there will be no server reboot

Vulnerabilities for Windows Server 2016 under KB5022289

There have been 50 vulnerabilities that have been disclosed for Windows Server 2016 in this month’s security bulletin. The zero-day threats and CRITICAL vulnerabilities are shared below for your ready reference.

CVE-2022-21549 and CVE-2022-21674 are the zero-day threats that affect Windows Server 2016.

CVE Number	Impact	Severity	CVSS Score	Comments
CVE-2023-21549	Elevation of Privilege	CRITICAL	8.8	Windows SMB Witness Service
CVE-2023-21674	Elevation of Privilege	CRITICAL	8.8	Windows Advanced Local Procedure Call (ALPC)
CVE-2023-21535	Remote Code Execution	CRITICAL	8.1	Windows Secure Socket Tunneling Protocol (SSTP)
CVE-2023-21543	Remote Code Execution	CRITICAL	8.1	Windows Layer 2 Tunneling Protocol (L2TP)
CVE-2023-21546	Remote Code Execution	CRITICAL	8.1	Windows Layer 2 Tunneling Protocol (L2TP)
CVE-2023-21548	Remote Code Execution	CRITICAL	8.1	Windows Secure Socket Tunneling Protocol (SSTP)
CVE-2023-21555	Remote Code Execution	CRITICAL	8.1	Windows Layer 2 Tunneling Protocol (L2TP)
CVE-2023-21556	Remote Code Execution	CRITICAL	8.1	Windows Layer 2 Tunneling Protocol (L2TP)
CVE-2023-21561	Elevation of Privilege	CRITICAL	8.8	Microsoft Cryptographic Services
CVE-2023-21679	Remote Code Execution	CRITICAL	8.1	Windows Layer 2 Tunneling Protocol (L2TP)
CVE-2023-21730	Elevation of Privilege	CRITICAL	7.8	Microsoft Cryptographic Services

Changelog – KB5022289 for Windows Server 2016

KB5022289 contains issue fixes and improvements for Windows Server 2016. The details of the changes that are part of KB5022289 are shared hereunder:

• New! This update provides the Quick Assist application for your client device.
• This update addresses an issue that might affect authentication. It might fail after you set the higher 16-bits of the msds-SupportedEncryptionTypes attribute. This issue might occur if you do not set the encryption types or you disable the RC4 encryption type on the domain.
• This update addresses an issue that affects cluster name objects (CNO) or virtual computer objects (VCO). Password reset fails. The error message is, “There was an error resetting the AD password… // 0x80070005”.
• This update introduces a Group Policy that enables and disables HTML Application (HTA) files. If you enable this policy, it stops you from running HTA files. If you disable or do not configure this policy, you can run HTA file. To configure this Group Policy:
  • Open the Group Policy Editor.
  • Select Computer Configuration > Administrative Templates > Windows Components > Internet Explorer.
  • Double-click Turn on DisableHTMLApplication.
  • Select Enabled.
  • To save the policy setting, select OK or Apply.
• This update addresses a known issue that affects apps that use Microsoft Open Database Connectivity (ODBC) SQL Server Driver (sqlsrv32.dll) to connect to databases. The connection might fail. You might also receive an error in the app, or you might receive an error from the SQL Server.

You can read more about issue fixes on KB5022289 release notes shared by Microsoft.