
=====================================================================
                                CERT-Renater

                    Information Note No. 2022/VULN205

_____________________________________________________________________

DATE                : 16/06/2022

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running .NET and Visual Studio,
       Azure OMI, Azure Real Time Operating System,
       Azure Service Fabric Container
       Intel,
       Microsoft Edge (Chromium-based),
       Microsoft Office, Microsoft Office Excel,
       Microsoft Office SharePoint, Microsoft Windows ALPC,
       Microsoft Windows Codecs Library,
       Remote Volume Shadow Copy Service (RVSS),
       Role: Windows Hyper-V, SQL Server,
       Windows Ancillary Function Driver for WinSock,
       Windows App Store, Windows Autopilot,
       Windows Container Isolation FS Filter Driver,
       Windows Container Manager Service,
       Windows Defender, Windows Encrypting File System (EFS),
       Windows File History Service, Windows Installer,
       Windows iSCSI, Windows Kerberos, Windows Kernel,
       Windows LDAP - Lightweight Directory Access Protocol,
       Windows Local Security Authority Subsystem Service,
       Windows Media, Windows Network Address Translation (NAT),
       Windows Network File System, Windows PowerShell,
       Windows SMB.

=====================================================================
https://msrc.microsoft.com/update-guide/releaseNote/2022-Jun
https://msrc.microsoft.com/update-guide/
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26414
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23267
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24513
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24527
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26832
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190
https://msrc.microsoft.com/update-guide/vulnerability/ADV220002
_____________________________________________________________________


********************************************************************
Microsoft Security Update Summary for June 14, 2022
Issued: June 14, 2022
********************************************************************

This summary lists security updates released for June 14, 2022.

Complete information for the June 2022 security update release
can be found at <https://msrc.microsoft.com/update-guide/>.

IMPORTANT ANNOUNCEMENT: In the coming months we will be moving to a new, 
more user-friendly and flexible system for delivering Microsoft 
Technical Security Notifications. See Coming Soon: New Security Update 
Guide Notification System for information about how you can sign up for 
and receive these Technical Security Notifications.

Please note the following information regarding the security updates:

* Windows 10 updates are cumulative. The monthly security release
includes all security fixes for vulnerabilities that affect Windows
10, in addition to non-security updates. The updates are available
via the Microsoft Update Catalog:
https://catalog.update.microsoft.com/v7/site/Home.aspx.
* For information on lifecycle and support dates for Windows 10
operating systems, please see the Windows Lifecycle Facts Sheet:
https://support.microsoft.com/en-us/help/13853/windows-lifecycle-fact-sheet.
* A list of the latest servicing stack updates for each operating
system can be found in ADV990001:
https://msrc.microsoft.com/update-guide/vulnerability/ADV990001.
This list will be updated whenever a new servicing stack update is
released. It is important to install the latest servicing stack update.
* In addition to security changes for the vulnerabilities, updates
include defense-in-depth updates to help improve security-related
features.
* Customers running Windows 7, Windows Server 2008 R2, or Windows Server
2008 need to purchase the Extended Security Update to continue receiving
security updates. See
https://support.microsoft.com/en-us/help/4522133/procedure-to-continue-receiving-security-updates
for more information.
* There is a change coming with regards to Servicing Stack Updates. 
Please see Simplifying SSUs for more information.


Critical Security Updates
==========================

Windows 10 for 32-bit Systems
Windows 10 for x64-based Systems
Windows 10 Version 1607 for 32-bit Systems
Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1809 for 32-bit Systems
Windows 10 Version 1809 for ARM64-based Systems
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1909 for 32-bit Systems
Windows 10 Version 1909 for ARM64-based Systems
Windows 10 Version 1909 for x64-based Systems
Windows 10 Version 20H2 for 32-bit Systems
Windows 10 Version 20H2 for ARM64-based Systems
Windows 10 Version 20H2 for x64-based Systems
Windows 10 Version 21H1 for 32-bit Systems
Windows 10 Version 21H1 for ARM64-based Systems
Windows 10 Version 21H1 for x64-based Systems
Windows 10 Version 21H2 for 32-bit Systems
Windows 10 Version 21H2 for ARM64-based Systems
Windows 10 Version 21H2 for x64-based Systems
Windows 11 for ARM64-based Systems
Windows 11 for x64-based Systems
Windows 8.1 for 32-bit systems
Windows 8.1 for x64-based systems
Windows RT 8.1
Windows Server 2012
Windows Server 2012 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 R2 (Server Core installation)
Windows Server 2016
Windows Server 2016 (Server Core installation)
Windows Server 2019
Windows Server 2019 (Server Core installation)
Windows Server 2022
Windows Server 2022 (Server Core installation)
Windows Server 2022 Azure Edition Core Hotpatch
Windows Server, version 20H2 (Server Core Installation)
AV1 Video Extension
HEVC Video Extension
HEVC Video Extensions

Important Security Updates
==========================

Microsoft 365 Apps for Enterprise for 32-bit Systems
Microsoft 365 Apps for Enterprise for 64-bit Systems
Microsoft Excel 2013 RT Service Pack 1
Microsoft Excel 2013 Service Pack 1 (32-bit editions)
Microsoft Excel 2013 Service Pack 1 (64-bit editions)
Microsoft Excel 2016 (32-bit edition)
Microsoft Excel 2016 (64-bit edition)
Microsoft Office LTSC 2021 for 32-bit editions
Microsoft Office LTSC 2021 for 64-bit editions
Microsoft Office Online Server
Microsoft Office Web Apps Server 2013 Service Pack 1
Microsoft SharePoint Enterprise Server 2013 Service Pack 1
Microsoft SharePoint Enterprise Server 2016
Microsoft SharePoint Foundation 2013 Service Pack 1
Microsoft SharePoint Server 2013 Service Pack 1
Microsoft SharePoint Server 2019
Microsoft SharePoint Server Subscription Edition
Azure Automation State Configuration, DSC Extension
Azure Automation Update Management
Azure Diagnostics (LAD)
Azure Open Management Infrastructure
Azure Real Time Operating System
Azure Real Time Operating System GUIX
Azure Security Center
Azure Sentinel
Azure Service Fabric
Azure Stack Hub
Container Monitoring Solution
Log Analytics Agent
System Center Operations Manager (SCOM) 2016
System Center Operations Manager (SCOM) 2019
System Center Operations Manager (SCOM) 2022
Microsoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8)
Microsoft Visual Studio 2019 version 16.11 (includes 16.0 - 16.10)
Microsoft Visual Studio 2019 version 16.9 (includes 16.0 - 16.8)
Microsoft Visual Studio 2022 version 17.0
Microsoft Visual Studio 2022 version 17.2
NuGet.exe
Visual Studio 2019 for Mac version 8.10
Visual Studio 2022 for Mac version 17.0
.NET 6.0
.NET Core 3.1
Microsoft SQL Server 2014 Service Pack 3 for 32-bit Systems (CU 4)
Microsoft SQL Server 2014 Service Pack 3 for 32-bit Systems (GDR)
Microsoft SQL Server 2014 Service Pack 3 for x64-based Systems (CU 4)
Microsoft SQL Server 2014 Service Pack 3 for x64-based Systems (GDR)
Microsoft SQL Server 2016 for x64-based Systems Service Pack 2 (CU 17)
Microsoft SQL Server 2016 for x64-based Systems Service Pack 2 (GDR)
Microsoft SQL Server 2016 for x64-based Systems Service Pack 3 (GDR)
Microsoft SQL Server 2016 for x64-based Systems Service Pack 3 Azure Connectivity Pack
Microsoft SQL Server 2017 for x64-based Systems (CU 29)
Microsoft SQL Server 2017 for x64-based Systems (GDR)
Microsoft SQL Server 2019 for x64-based Systems (CU 16)
Microsoft SQL Server 2019 for x64-based Systems (GDR)


Other Information

Recognize and avoid fraudulent email to Microsoft customers:
============================================================

If you receive an email message that claims to be distributing
a Microsoft security update, it is a hoax that may contain
malware or pointers to malicious websites. Microsoft does
not distribute security updates via email.

The Microsoft Security Response Center (MSRC) uses PGP to digitally
sign all security notifications. However, PGP is not required for
reading security notifications, reading security information, or
installing security updates. You can obtain the MSRC public PGP key
at
<https://technet.microsoft.com/security/dn753714>.

********************************************************************
THE INFORMATION PROVIDED IN THIS MICROSOFT COMMUNICATION IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT
DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING
THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE.
IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE
LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL
DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN
ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY
FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING
LIMITATION MAY NOT APPLY.

Microsoft respects your privacy. Please read our online Privacy
Statement at
<http://go.microsoft.com/fwlink/?LinkId184>.

If you would prefer not to receive future technical security
notification alerts by email from Microsoft and its family of
companies please visit the following website to unsubscribe:
<https://profile.microsoft.com/RegSysProfileCenter/subscriptionwi
zard.aspx?wizidZ2a311b-5189-4c9b-9f1a-d5e913a26c2e&%3blcid33>.

These settings will not affect any newsletters you've requested or
any mandatory service communications that are considered part of
certain Microsoft services.

For legal Information, see:
<http://www.microsoft.com/info/legalinfo/default.mspx>.

This newsletter was sent by:
Microsoft Corporation
1 Microsoft Way
Redmond, Washington, USA
98052

_____________________________________________________________________


************************************************************************************
Title: Microsoft Security Update Revisions
Issued: June 14, 2022
************************************************************************************


Summary
=======

The following CVEs have undergone a revision increment.

==================================================================================
* CVE-2021-26414
* CVE-2022-23267
* CVE-2022-24513
* CVE-2022-24527
* CVE-2022-26832
* CVE-2022-30190

  - CVE-2021-26414 | Windows DCOM Server Security Feature Bypass
  - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26414
  - Version: 2.0
  - Reason for Revision: Microsoft is announcing the release of the
    June 14, 2022 Windows security updates to address the second
    phase of hardening changes for this vulnerability. After these
    updates are installed, RPC_C_AUTHN_LEVEL_PKT_INTEGRITY on DCOM
    servers will be enabled by default. Customers who need to do so
    can still disable it by using the
    RequireIntegrityActivationAuthenticationLevel registry key.
    Microsoft strongly recommends that customers install the June 14,
    2022 updates, complete testing in your environment, and enable
    these hardening changes as soon as possible.
  - Originally posted: June 8, 2021
  - Updated: June 14, 2022
  - Aggregate CVE Severity Rating: Important

  - CVE-2022-23267 | .NET and Visual Studio Denial of Service Vulnerability
  - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23267
  - Version: 3.0
  - Reason for Revision: Revised the Security Updates table to
    include Visual Studio 2019 for Mac and Visual Studio 2022 for
    Mac because these versions of Visual Studio for Mac are affected
    by this vulnerability. Microsoft strongly recommends that
    customers running these versions of Visual Studio install the
    updates to be fully protected from the vulnerability.
  - Originally posted: May 10, 2022
  - Updated: June 14, 2022
  - Aggregate CVE Severity Rating: Important

  - CVE-2022-24513 | Visual Studio Elevation of Privilege Vulnerability
  - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24513
  - Version: 3.0
  - Reason for Revision: Microsoft has released the June 2022
    security updates to further address CVE-2022-24513 for the
    following supported versions of Visual Studio: Visual Studio 2017
    version 15.9, Visual Studio 2019 version 16.9, Visual Studio 2019
    version 16.11, Microsoft Visual Studio 2022 version 17.0, and
    Visual Studio 2019 for Mac version 8.10. In addition, Visual
    Studio 2022 for Mac version 17.0 has been added to the Security
    Updates table as it is also affected by this vulnerability.
    Microsoft strongly recommends that customers install these
    updates to be fully protected from the vulnerability.
  - Originally posted: April 12, 2022
  - Updated: June 14, 2022
  - Aggregate CVE Severity Rating: Important

  - CVE-2022-24527 | Microsoft Endpoint Configuration Manager Elevation of Privilege Vulnerability
  - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24527
  - Version: 2.0
  - Reason for Revision: The following revisions have been made:
    1) Added Microsoft Endpoint Configuration Manager to the
       Security Updates table as it is affected by this vulnerability.
    2) Removed all versions of Windows from the Security Updates
       table, because the update to address this vulnerability is not
       available via the Windows security updates.
    3) Updated the FAQs to provide information about how customers
       can get the hotfix for Microsoft Endpoint Configuration
       Manager that addresses this vulnerability.
    4) Corrected the CVE title.
  - Originally posted: April 12, 2022
  - Updated: June 14, 2022
  - Aggregate CVE Severity Rating: Important

  - CVE-2022-26832 | .NET Framework Denial of Service Vulnerability
  - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26832
  - Version: 3.0
  - Reason for Revision: In the Security Updates table, added
    .NET Framework 4.6.2/4.7/4.7.1/4.7.2 installed on Windows 10
    version 1607, Windows Server 2016, and Windows Server 2016
    (Server Core installation) as these versions of Windows 10 and
    Windows Server with .NET Framework 4.6.2/4.7/4.7.1/4.7.2
    installed are affected by this vulnerability. Customers running
    these versions of .NET Framework should install the April 2022
    security updates to be protected from this vulnerability.
  - Originally posted: April 12, 2022
  - Updated: June 14, 2022
  - Aggregate CVE Severity Rating: Important

  - CVE-2022-30190 | Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability
  - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190
  - Version: 2.0
  - Reason for Revision: The update for this vulnerability is in
    the June 2022 cumulative Windows Updates. Microsoft strongly
    recommends that customers install the updates to be fully
    protected from the vulnerability. Customers whose systems are
    configured to receive automatic updates do not need to take any
    further action.
  - Originally posted: May 30, 2022
  - Updated: June 14, 2022
  - Aggregate CVE Severity Rating: Important



IMPORTANT ANNOUNCEMENT: In the coming months we will be moving to a new, 
more user-friendly and flexible system for delivering Microsoft 
Technical Security Notifications. See "Coming Soon: New Security Update 
Guide Notification System"
(https://aka.ms/SUGNotificationProfile) for information about how you 
can sign up for and receive these Technical Security Notifications.


_____________________________________________________________________

**************************************************************************************
Title: Microsoft Security Advisory Notification
Issued: June 14, 2022
**************************************************************************************

Security Advisory Released on June 14, 2022
====================================================================================
* ADV220002

  - ADV220002 | Microsoft Guidance on Intel Processor MMIO Stale Data Vulnerabilities
  - https://msrc.microsoft.com/update-guide/vulnerability/ADV220002
  - Reason for Revision: Information published.
  - Originally posted: June 14, 2022
  - Updated: N/A
  - Version: 1.0


 

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================