September Windows Update .Net Security Patches – Workflows Stop Working
How many IT admins get really excited for that one day every month called “Patch Tuesday”? If I were asked to provide a number off the top of my head, I would say 25 to 30 percent. If asked why, I would say because those 25 to 30 percent need the job security that the patches provide. My company does a fair amount of Managed Services, and with this comes the due diligence of reading up on the updates that will be pushed down, the impact they may have, and any prerequisites. And yet, even with research and planning, there are some that you just can’t account for. This brings me to the latest and greatest issue, which is affecting anyone who has patched their SharePoint servers in the last week.
No worries! Microsoft is aware of the issue and actively working on an overall resolution; currently it affects SharePoint 2010, 2013 and 2016 native and 3rd party workflow applications. When the issue initially occurred, a 1-line fix to the web.config was the resolution. Later in the day, that 1 line turned into 7 lines, and then at about 2 am this morning I noticed an 8th line needed to be added (for 3rd party workflows), along with a note stating that this would be the “LAST” addition to the authorized types needed to resolve the workflow issues. You can find the original blog post here.
Update As of 1:30 AM – 9/20/18
I had a couple of repeat customers that continued to have different, but in some respects similar, issues with their workflows: workflows not starting, timer jobs stuck in pause, workflow emails not routing properly, and the list goes on. Some had all of these issues, some had just a few; either way, new issues arose involving workflows. After working with Microsoft for many hours, I was told that the patches are causing a lot more issues than originally thought and that I was to remove the following KBs: KB4457056, KB4457026, KB4457045, KB4457034. Once I did so on the clients with issues last night/this morning, all issues ceased and everything was working accordingly.
I talked with one of the individuals on the team working on this issue and was told a few things that we need to be aware of or take precautions against. First, tell clients to disable automatic updates and/or not install anything .NET related or the KBs mentioned above. There is no ETA on the overall fix, so I would keep updates disabled for the next 2 to 3 months.
I asked if they were going to pull the .NET updates and related KBs from the mix, and I was told yes, they have done so, but again they advised me to disable updates and not install them. To me, that means “we hope we got them,” so just to be safe, DON’T DO IT. At this time there is no idea when all the .NET issues will be fixed, but they stated that no more updates would be released until ALL the issues are resolved.
I have been added to a list that will allow me to receive any updates that come up in regards to this issue so I will make sure I spread the word as I learn more.
Even though Microsoft provided me with the information above, I wanted to share the updates to the original blog post along with information I found or encountered along the way. If you have any questions or issues, feel free to reach out.
Example Errors
After applying the .NET Security Only patch that resolves CVE-2018-8421 (Remote Code Execution Vulnerability), all SharePoint out-of-the-box and 3rd party workflows fail to execute, and the ULS log and the pop-up error window show errors similar to the following:
CodeTypeReferenceExpression:
Server was unable to process request. ---> Failed to publish workflow: <Error><CompilerError Line="-1" Column="-1" Text="Type System.CodeDom.CodeTypeReferenceExpression is not marked as authorized in the application configuration file." /><CompilerError Line="0" Column="0" Text="Activity ac0ef280fa5bf43bfa22b5644eac95359 validation failed: Property &quot;Condition&quot; has invalid value. Condition expression is invalid. Target object for method &quot;Compare&quot; can not be null." /></Error>
CodeThisReferenceExpression
What the 2 errors above mean is that neither “CodeTypeReferenceExpression” nor “CodeThisReferenceExpression” is listed under authorizedTypes, which is a section within the web.config file of every Web Application.
Cause
Workflow Foundation (WF) will only run workflows when all the dependent types and assemblies are authorized in the .NET config file (or added explicitly via code) under this tree (2013 – 2019):
<configuration>
  <System.Workflow.ComponentModel.WorkflowCompiler>
    <authorizedTypes>
      <targetFx>   (This level does not exist for 2007 or 2010; the entries go directly under <authorizedTypes>)
The following lines are necessary for SharePoint 2013, 2016 and 2019:
<authorizedType Assembly="System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodeBinaryOperatorExpression" Authorized="True" />
<authorizedType Assembly="System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodePrimitiveExpression" Authorized="True" />
<authorizedType Assembly="System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodeMethodInvokeExpression" Authorized="True" />
<authorizedType Assembly="System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodeMethodReferenceExpression" Authorized="True" />
<authorizedType Assembly="System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodeFieldReferenceExpression" Authorized="True" />
<authorizedType Assembly="System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodeThisReferenceExpression" Authorized="True" />
<authorizedType Assembly="System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodePropertyReferenceExpression" Authorized="True" />
<!-- Add the following line for 3rd party workflows -->
<authorizedType Assembly="System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodeTypeReferenceExpression" Authorized="True" />
For SharePoint 2007 and 2010, use these lines:
<authorizedType Assembly="System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodeBinaryOperatorExpression" Authorized="True" />
<authorizedType Assembly="System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodePrimitiveExpression" Authorized="True" />
<authorizedType Assembly="System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodeMethodInvokeExpression" Authorized="True" />
<authorizedType Assembly="System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodeMethodReferenceExpression" Authorized="True" />
<authorizedType Assembly="System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodeFieldReferenceExpression" Authorized="True" />
<authorizedType Assembly="System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodeThisReferenceExpression" Authorized="True" />
<authorizedType Assembly="System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodePropertyReferenceExpression" Authorized="True" />
<!-- Add the following line for 3rd party workflows -->
<authorizedType Assembly="System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodeTypeReferenceExpression" Authorized="True" />
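Checking every web.config by hand across a farm is error-prone, so here is an added PowerShell script (my own example, not part of the original post or Microsoft's article) that audits one web.config for the eight System.CodeDom entries listed above and, with -Fix, adds only the missing ones after taking a backup. It assumes -ConfigPath points at a web application's web.config and that -AssemblyVersion is 4.0.0.0 for 2013/2016/2019 or 2.0.0.0 for 2007/2010; it locates <targetFx> when present and falls back to <authorizedTypes> for 2007/2010.

```powershell
# Added example: audit (and optionally repair) the authorizedType entries in a SharePoint web.config.
# Assumption: run elevated on each web front end, once per web application's web.config.
param(
    [Parameter(Mandatory)][string]$ConfigPath,
    [string]$AssemblyVersion = '4.0.0.0',   # 4.0.0.0 for 2013/2016/2019, 2.0.0.0 for 2007/2010
    [switch]$Fix
)

$required = @(
    'CodeBinaryOperatorExpression', 'CodePrimitiveExpression',
    'CodeMethodInvokeExpression',   'CodeMethodReferenceExpression',
    'CodeFieldReferenceExpression', 'CodeThisReferenceExpression',
    'CodePropertyReferenceExpression', 'CodeTypeReferenceExpression'   # last one: 3rd party workflows
)

$ConfigPath = (Resolve-Path -LiteralPath $ConfigPath).Path   # XmlDocument.Save needs an absolute path
[xml]$cfg = Get-Content -LiteralPath $ConfigPath -Raw

# 2013+ nests the entries under <targetFx>; 2007/2010 keep them directly under <authorizedTypes>.
$base   = '/configuration/System.Workflow.ComponentModel.WorkflowCompiler/authorizedTypes'
$parent = $cfg.SelectSingleNode("$base/targetFx")
if (-not $parent) { $parent = $cfg.SelectSingleNode($base) }
if (-not $parent) { throw "No WorkflowCompiler/authorizedTypes section found in $ConfigPath" }

# Collect the System.CodeDom types that are already explicitly authorized.
$present = @($parent.SelectNodes('authorizedType') |
    Where-Object { $_.GetAttribute('NameSpace') -eq 'System.CodeDom' -and $_.GetAttribute('Authorized') -eq 'True' } |
    ForEach-Object { $_.GetAttribute('TypeName') })
$missing = @($required | Where-Object { $present -notcontains $_ })

if ($missing.Count -eq 0) {
    Write-Host "OK: all $($required.Count) System.CodeDom types are authorized in $ConfigPath"
    return
}
Write-Warning "Missing authorizedType entries in ${ConfigPath}: $($missing -join ', ')"
if (-not $Fix) { return }   # audit-only unless -Fix was given

# Back up first; saving web.config also makes IIS recycle that web application's app domain.
$backup = "$ConfigPath.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
Copy-Item -LiteralPath $ConfigPath -Destination $backup
foreach ($type in $missing) {
    $node = $cfg.CreateElement('authorizedType')
    $node.SetAttribute('Assembly',   "System, Version=$AssemblyVersion, Culture=neutral, PublicKeyToken=b77a5c561934e089")
    $node.SetAttribute('NameSpace',  'System.CodeDom')
    $node.SetAttribute('TypeName',   $type)
    $node.SetAttribute('Authorized', 'True')
    [void]$parent.AppendChild($node)
}
$cfg.Save($ConfigPath)
Write-Host "Added $($missing.Count) entries to $ConfigPath (backup: $backup)"
```

Run it without -Fix first to see which web applications are affected; the audit output also tells you whether a web app that still throws the error simply has an entry missing from its own web.config.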
DO NOT DO THIS: The original post notes that sometimes the SharePoint Timer Service (SPTimerV4) runs workflows, and that if the application showing the error in the ULS logs is OWSTIMER.EXE, you should also include the authorized types in [SharePoint Hive Folder]\bin\OWSTIMER.EXE.config. The Hive Folder changes by version of SharePoint: for SharePoint 2016 it is normally at c:\program files\common files\microsoft shared\web server extensions\16, and for 2013 at c:\program files\common files\microsoft shared\web server extensions\15. However, once Microsoft instructed me to remove the KBs that are causing the issues, a timer job on a server where this had been added threw an error when trying to start. Based on my discussion with Microsoft, this change is not helpful either with or without the KBs, given the many issues the KBs are causing.
Hope this helps!! Now I need a NAP!!
Thanks for getting the word out. I’m sure this is causing a lot of headaches out there. 🙂
Hi, I’m running on SP2010 and applied the fix by adding the type to my web.config files. One web app is working and my second one is still throwing an error, but only for a single type: (-1, -1) Type System.CodeDom.CodeBinaryOperatorExpression is not marked as authorized in the application configuration file.
Why would only one type not work?
Any hints are appreciated!
It depends on the type of workflows being used. Best option is to remove the updates in the article.
Do you mind sharing the steps to remove the updates, please?
If you go to the Control Panel, Add/Remove Programs, and then go to Windows Updates. Use search to find the KBs needing to be uninstalled. Select the KB and select Uninstall.
Thanks for the heads up! This saved us a lot of headache.