KB5029304 is the security-only update for Windows Server 2012 R2. The update was released on 8th August 2023 as part of that month's ‘Patch Tuesday’ release.
Salient points
- KB5029304 is a standalone security update. You must deploy all the previous security updates for complete security coverage on the server. In July 2023, KB5028223 was released as the security-only update for Windows Server 2012 R2.
- KB5029304 has been succeeded by the September 2023 security update KB5030287. You can read more about KB5030287 on this page.
- You could deploy KB5029312 monthly rollup update instead of the security-only update KB5029304. KB5029312 is more comprehensive and includes all changes that are part of the KB5029304 security-only update.
- KB5029368 is the Servicing Stack Update that corresponds to KB5029304 and KB5029312. You will need to deploy the SSU before deploying KB5029304 or KB5029312.
- You will also need to deploy KB5029243 cumulative update for Internet Explorer before installing KB5029304.
- The issue with language packs affects Windows Server 2012 R2. If you install a language pack after installing the security-only update KB5029304, you will need to redeploy the security update.
- Windows Server 2012 R2 is affected by 25 security vulnerabilities as per the latest security bulletin for August 2023 released by Microsoft.
- 3 of these security vulnerabilities carry a CVSS score of 9.8 and cause a ‘Remote Code Execution’ impact on the server. All these CRITICAL vulnerabilities are shared below in the vulnerabilities section.
Download KB5029304
KB5029304 is a security-only update. It can be deployed on the server using WSUS (Windows Server Update Services).
For manual installation of KB5029304, you will need to download the offline installer file.
You can download the offline installer file in .msu format. This file can be downloaded from the Microsoft Update Catalog or through a direct download link.
Installing KB5029304 manually will be a three-step process.
- Download and install Servicing Stack Update KB5029368.
- Download and install Cumulative Update for Internet Explorer KB5029243.
- Download and install KB5029304 security update for Windows Server 2012 R2.
We have shared the Microsoft Update Catalog links and direct download links for all these updates below.
Download Servicing Stack Update KB5029368
The Servicing Stack Update file has a size of 10.5 MB. Upon installing KB5029368, the server will not reboot.
Download Cumulative Update KB5029243 for Internet Explorer 11
The cumulative update file for KB5029243 has a size of 55 MB.
Download Security Update for KB5029304
KB5029304 can also be downloaded from the Microsoft Update Catalog site or through the direct download link below.
The KB5029304 update file has a size of 38.6 MB.
You need to plan for a server reboot after installing KB5029304, so we recommend installing the KB5029304 security update as part of a planned change to the IT infrastructure.
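The three-step manual installation described above can be scripted so that the order is enforced and a missing prerequisite stops the run. The following PowerShell is an added example, not code from Microsoft or from the original page; it assumes the three .msu files have been downloaded into a staging folder (the path `C:\Patches\2023-08` is hypothetical) and that their file names still contain the KB number.

```powershell
# Added example: install the three packages in the order this page requires.
# Assumption: the .msu files sit in $PackageDir and keep the KB number in their names.
param(
    [string]$PackageDir = 'C:\Patches\2023-08'   # hypothetical staging folder
)

# Order matters: Servicing Stack Update, then IE cumulative update, then security-only update.
$sequence = @(
    @{ Id = 'KB5029368'; Role = 'Servicing Stack Update' },
    @{ Id = 'KB5029243'; Role = 'Cumulative Update for Internet Explorer' },
    @{ Id = 'KB5029304'; Role = 'Security-only update' }
)

$rebootNeeded = $false
foreach ($step in $sequence) {
    # Skip anything the server already reports as installed.
    if (Get-HotFix -Id $step.Id -ErrorAction SilentlyContinue) {
        Write-Output "$($step.Id) ($($step.Role)) already installed, skipping."
        continue
    }
    $msu = Get-ChildItem -Path $PackageDir -Filter "*$($step.Id)*.msu" | Select-Object -First 1
    if (-not $msu) {
        # Stop here so that later updates are never installed ahead of a prerequisite.
        throw "$($step.Id) package not found in $PackageDir; stopping to preserve install order."
    }
    Write-Output "Installing $($step.Id) ($($step.Role)) from $($msu.Name)"
    $proc = Start-Process -FilePath "$env:SystemRoot\System32\wusa.exe" `
        -ArgumentList "`"$($msu.FullName)`"", '/quiet', '/norestart' -Wait -PassThru
    switch ($proc.ExitCode) {
        0       { }                                # installed, no reboot requested
        3010    { $rebootNeeded = $true }          # installed, reboot pending
        2359302 { Write-Output "$($step.Id) reported as already installed." }
        default { throw "wusa.exe failed for $($step.Id) with exit code $($proc.ExitCode)." }
    }
}

if ($rebootNeeded) {
    Write-Output 'Installation complete. Reboot the server as part of the planned change.'
}
```

The script uses `/norestart`, so the reboot stays under the operator's control rather than happening as soon as the last package finishes.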
Vulnerabilities
The three CRITICAL-severity vulnerabilities, each with a CVSS score of 9.8, are listed below:
CVE Details | CVSS Score | Severity | Affected component | Description |
---|---|---|---|---|
CVE-2023-35385 | 9.8 | CRITICAL | Microsoft Message Queuing | Successful exploitation of this vulnerability could allow an unauthenticated attacker to remotely execute code on the target server. |
CVE-2023-36911 | 9.8 | CRITICAL | Microsoft Message Queuing | Successful exploitation of this vulnerability could allow an unauthenticated attacker to remotely execute code on the target server. |
CVE-2023-36910 | 9.8 | CRITICAL | Microsoft Message Queuing | To exploit this vulnerability, an attacker would need to send a specially crafted malicious MSMQ packet to a MSMQ server. This could result in remote code execution on the server side. |
KB5029304 – Changelog
The KB5029304 security update includes the following improvement:
- Addresses an issue in which Kerberos constrained delegation (KCD) might fail with the error message KRB_AP_ERR_MODIFIED on read/write domain controllers after installing the November 2022 security updates.
Rajesh Dhawan is a technology professional who loves to blog about smart wearables, Cloud computing and Microsoft technologies. He loves to break complex problems into manageable chunks of meaningful information.