KB5031361 is the cumulative update for Windows Server 2019 released on 10th October 2023. This update is part of the ‘Patch Tuesday’ update for Windows Server 2019.
Salient points
- KB5031361 has now been superseded by KB5032196. You can read more about KB5032196 on this page.
- KB5031361 is a cumulative update that supersedes the KB5030214 update released in September 2023.
- KB5030214 was released in September 2023. You can read more about KB5030214 on this page.
- KB5031361 corresponds to server build 17763.4974. You will upgrade from server build 17763.4851 of September 2023 when you upgrade from KB5030214 to KB5031361.
- KB5005112 is the Servicing Stack Update (SSU) that needs to be deployed prior to installing KB5031361. This SSU was released in August 2021, so it is likely to be already deployed on the server.
- 78 security vulnerabilities have been disclosed for Windows Server 2019 as part of the October 2023 security bulletin released by Microsoft.
- 2 security vulnerabilities carry a CVSS score of 9.8 and have been shared in the vulnerabilities section below.
- 2 zero-day threats have been reported for Windows Server 2019 as part of the October 2023 security bulletin. These are shared in the vulnerabilities section below.
- 12 security vulnerabilities have a ‘CRITICAL’ severity level for Windows Server 2019. These are shared in the vulnerabilities section below.
Download KB5031361
KB5031361 can be installed automatically through one of the following installation methods:
- Windows Update
- Windows Update for Business
- WSUS or Windows Server Update Service
WSUS remains the best method to roll out Windows updates automatically. If you install the patch automatically, the corresponding Servicing Stack Update is installed prior to installing the current month’s security update.
You could choose to install KB5031361 manually. For this, you will need to use a two-step process to install the cumulative update KB5031361 for October 2023 on Windows Server 2019.
- Download and install KB5005112 Servicing Stack Update
- Download and install KB5031361 cumulative update
Both updates can be downloaded as offline installer files. The offline installer files for SSU and Windows Update have an MSU file extension.
Below, we have shared the download links for the Servicing Stack Update and the Cumulative Update from the Microsoft Update Catalog and the direct download site.
Download KB5005112
You can download and install KB5005112 using one of the following approaches:
- Download KB5005112 Servicing Stack Update from Microsoft Update Catalog
- Direct Download link for KB5005112 for Windows Server 2019
This Servicing Stack Update file has a size of 13.8 MB. Upon installing the Servicing Stack Update, the server does not need a reboot or restart.
Download KB5031361
Like KB5005112, you can download KB5031361 from the Microsoft Update Catalog site. Or, you could use the direct download links given below to download the patch directly.
- Download KB5031361 from Microsoft Update Catalog
- Direct download link for KB5031361 for x64 systems for Windows Server 2019
The size of the offline installer file for KB5031361 is 616.3 MB. This update will cause a server reboot. Therefore, we strongly suggest deploying the software update as part of an organized change within the infrastructure.
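After a manual or automatic install, the build number is the quickest way to confirm the result. The PowerShell below is an added example, not part of the original article: it compares the running build with 17763.4974 and checks for the KB5005112 prerequisite. Because the update is cumulative, any revision at or above 4974 (for example after the superseding KB5032196) counts as patched. The function name is hypothetical.

```powershell
# Added example: report whether this host already carries the KB5031361 fixes.
# Build and KB numbers come from the article; Get-PatchState is a hypothetical name.
$WantBuild = 17763          # Windows Server 2019
$WantUbr   = 4974           # revision delivered by KB5031361
$SsuKb     = 'KB5005112'    # prerequisite Servicing Stack Update

function Get-PatchState {
    param([int]$Build, [int]$Ubr)
    if ($Build -ne $WantBuild) { return 'NotApplicable' }   # not Server 2019
    if ($Ubr -ge $WantUbr)     { return 'Patched' }         # this update or a later one
    return 'Missing'
}

# CurrentBuildNumber and UBR (update build revision) together form the full build.
$cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$state = Get-PatchState -Build ([int]$cv.CurrentBuildNumber) -Ubr ([int]$cv.UBR)

# Get-HotFix raises an error when the KB is not listed, so suppress it and test for null.
$ssu = Get-HotFix -Id $SsuKb -ErrorAction SilentlyContinue

[pscustomobject]@{
    Computer   = $env:COMPUTERNAME
    Build      = '{0}.{1}' -f $cv.CurrentBuildNumber, $cv.UBR
    Required   = '{0}.{1}' -f $WantBuild, $WantUbr
    State      = $state
    SsuListed  = [bool]$ssu
}

if ($state -eq 'Missing' -and -not $ssu) {
    Write-Warning "Install $SsuKb before the cumulative update."
}
```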
Vulnerabilities
This month’s security bulletin reports 78 security vulnerabilities in Windows Server 2019. We have categorized and shared these threats below based on different criteria.
Zero-day threats
The following two vulnerabilities are zero-day threats. Zero-day threats are vulnerabilities that have been publicly disclosed or have already been exploited by threat actors. Therefore, the security update that resolves them must be deployed immediately.
CVE Vulnerability | Severity | CVSS Score | Impact | Comments |
---|---|---|---|---|
CVE-2023-36563 | IMPORTANT | 6.5 | Information Disclosure | Exploiting this vulnerability could allow the disclosure of NTLM hashes. |
CVE-2023-44487 | IMPORTANT | 6.5 | Denial of Service | HTTP/2 Rapid Reset Attack |
Microsoft has also released a mitigation for CVE-2023-44487. In addition to installing the update, you can set the limit of the RST_STREAMS per minute using the new registry key in this update.
Registry key | Default value | Valid value range | Registry key function |
---|---|---|---|
Http2MaxClientResetsPerMinute | 500 | 0–65535 | Sets the allowed number of resets (RST_STREAMS) per minute for a connection. When you reach this limit, the connection ends. |
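The table gives the value name, default and range but not where the value lives. The PowerShell below is an added example, not from the original article or from Microsoft. It assumes the value sits under the HTTP.sys `Parameters` key, so confirm the location against Microsoft's guidance before relying on it. The function names are hypothetical and the value 200 in the last line is a constructed sample.

```powershell
# Added example: audit (and optionally set) the HTTP/2 reset limit from the table above.
# ASSUMPTION: the value is stored under the HTTP.sys Parameters key. The article states
# only the value name, its default (500) and its valid range (0-65535).
$Path    = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$Name    = 'Http2MaxClientResetsPerMinute'
$Default = 500

function Get-Http2ResetLimit {
    # Returns the configured limit, or the documented default when the value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Name = $Name; Value = $Default; Source = 'Default (not set)' }
    }
    [pscustomobject]@{ Name = $Name; Value = [int]$item.$Name; Source = 'Registry' }
}

function Set-Http2ResetLimit {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateRange(0, 65535)]      # valid range stated in the article
        [int]$ResetsPerMinute
    )
    # -WhatIf / -Confirm are honoured, so the change can be previewed on a change ticket.
    if ($PSCmdlet.ShouldProcess("$Path\$Name", "Set to $ResetsPerMinute")) {
        New-ItemProperty -Path $Path -Name $Name -PropertyType DWord `
            -Value $ResetsPerMinute -Force | Out-Null
    }
    Get-Http2ResetLimit
}

# Audit only; run from an elevated session to change the value.
Get-Http2ResetLimit
# Set-Http2ResetLimit -ResetsPerMinute 200 -WhatIf
```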
CRITICAL vulnerabilities
There are 12 security vulnerabilities with CRITICAL severity for Windows Server 2019. All of them are ‘Remote Code Execution’ threats, and all are listed below.
It may be pertinent to mention a few important summary points for these vulnerabilities:
- All these 12 vulnerabilities have a ‘CRITICAL’ severity.
- These threats affect Microsoft Message Queuing and Layer 2 Tunneling protocol.
- All these 12 threats can cause ‘Remote Code Execution’ on the target servers.
CVE Details | CVSS Score | Comments |
---|---|---|
CVE-2023-35349 | 9.8 | This vulnerability affects the Microsoft Message Queuing. Successful exploitation of this vulnerability could allow an unauthenticated attacker to remotely execute code on the target server. |
CVE-2023-36697 | 6.8 | This vulnerability affects the Microsoft Message Queuing. Successful exploitation of this vulnerability could allow an authenticated domain user to remotely execute code on the target server. |
CVE-2023-36718 | 7.8 | This vulnerability could lead to a contained execution environment escape on the Microsoft Virtual Trusted Platform Module. |
CVE-2023-41774 | 8.1 | This vulnerability affects the Layer 2 Tunneling protocol. An unauthenticated attacker could send a specially crafted protocol message to a Routing and Remote Access Service (RRAS) server, which could lead to remote code execution (RCE) on the RAS server machine. |
CVE-2023-41773 | 8.1 | This vulnerability affects the Layer 2 Tunneling protocol. An unauthenticated attacker could send a specially crafted protocol message to a Routing and Remote Access Service (RRAS) server, which could lead to remote code execution (RCE) on the RAS server machine. |
CVE-2023-41771 | 8.1 | This vulnerability affects the Layer 2 Tunneling protocol. An unauthenticated attacker could send a specially crafted protocol message to a Routing and Remote Access Service (RRAS) server, which could lead to remote code execution (RCE) on the RAS server machine. |
CVE-2023-41770 | 8.1 | This vulnerability affects the Layer 2 Tunneling protocol. An unauthenticated attacker could send a specially crafted protocol message to a Routing and Remote Access Service (RRAS) server, which could lead to remote code execution (RCE) on the RAS server machine. |
CVE-2023-41769 | 8.1 | This vulnerability affects the Layer 2 Tunneling protocol. An unauthenticated attacker could send a specially crafted protocol message to a Routing and Remote Access Service (RRAS) server, which could lead to remote code execution (RCE) on the RAS server machine. |
CVE-2023-41768 | 8.1 | This vulnerability affects the Layer 2 Tunneling protocol. An unauthenticated attacker could send a specially crafted protocol message to a Routing and Remote Access Service (RRAS) server, which could lead to remote code execution (RCE) on the RAS server machine. |
CVE-2023-41767 | 8.1 | This vulnerability affects the Layer 2 Tunneling protocol. An unauthenticated attacker could send a specially crafted protocol message to a Routing and Remote Access Service (RRAS) server, which could lead to remote code execution (RCE) on the RAS server machine. |
CVE-2023-41765 | 8.1 | This vulnerability affects the Layer 2 Tunneling protocol. An unauthenticated attacker could send a specially crafted protocol message to a Routing and Remote Access Service (RRAS) server, which could lead to remote code execution (RCE) on the RAS server machine. |
CVE-2023-38166 | 8.1 | This vulnerability affects the Layer 2 Tunneling protocol. An unauthenticated attacker could send a specially crafted protocol message to a Routing and Remote Access Service (RRAS) server, which could lead to remote code execution (RCE) on the RAS server machine. |
IIS Vulnerability
There is a CVSS 9.8 vulnerability on the IIS Server running on Windows Server 2019. This vulnerability has an IMPORTANT severity level. The details of the vulnerability are shared below:
CVE Vulnerability | Severity | CVSS Score | Impact | Comments |
---|---|---|---|---|
CVE-2023-36434 | IMPORTANT | 9.8 | Elevation of Privileges | In a network-based attack, an attacker could brute force user account passwords to log in as that user. Microsoft suggests using complex or strong passwords to protect against this vulnerability. |
KB5031361 – Changelog
KB5031361 includes major changes and improvements for Windows Server 2019. The following changes are part of the KB5031361 update:
- New! This update completes the work to comply with the GB18030-2022 requirements. It removes and remaps characters for Microsoft Wubi input and Microsoft Pinyin U-mode input. You can no longer enter character codepoints that are not supported. All the required codepoints are up to date.
- New! This update adds Azure Arc Optional Component related links to Server Manager. Now, you can turn on Arc on your servers. You do not need to run a PowerShell script.
- This update changes the spelling of Ukraine’s capital from Kiev to Kyiv.
- This update addresses an issue that affects scheduled tasks. Tasks that call the credential manager API might fail. This occurs if you select [Run only when user is logged on] and [Run with highest privileges].
- This update addresses an issue that stops you from getting the IE mode windows list.
- This update addresses an issue that affects external binding. It fails. This occurs after you install Windows updates dated May 2023 or later. Because of this, there are issues that affect LDAP queries and authentication.
- This update addresses an issue that affects those who enable the “Smart Card is Required for Interactive Logon” account option. When RC4 is disabled, you cannot authenticate to Remote Desktop Services farms. The error message is, “An authentication error has occurred. The requested encryption type is not supported by the KDC.”
- This update addresses an issue that affects Kerberos delegation. It might fail in the wrong way. The error code is 0xC000006E (STATUS_ACCOUNT_RESTRICTION). This issue might occur when you mark the intermediate service account as “This account is sensitive and cannot be delegated” in Active Directory. Applications might also return the error message, “System.Security.Authentication.AuthenticationException: Failed to initialize security context. Error code was -2146893042.”
- This update affects Windows Filtering Platform (WFP) connections. The redirect diagnostics for them has improved.
- This update addresses an issue that affects a relying party. When you sign out of it, a SAML request cookie is not cleared. Because of this, your device automatically attempts to connect to the same relying party when you sign in again.
- This update addresses an issue that affects the Server Message Block (SMB) client. It does not reconnect all the persistent handles when the reauthentication of a session fails.
- To protect against CVE-2023-44487, you should install the latest Windows update. Based on your use case, you can also set the limit of the RST_STREAMS per minute using the new registry key in this update.
Rajesh Dhawan is a technology professional who loves to blog about smart wearables, Cloud computing and Microsoft technologies. He loves to break complex problems into manageable chunks of meaningful information.