Hello everyone,
Microsoft recently released the Windows Server 2012 R2 KB5009624 update, the Windows Server 2016 KB5009546 update, the Windows Server 2019 KB5009557 update, and the Windows Server 2022 KB5009555 update. After installing these patches, IT admins have been seeing various issues that are only resolved after removing the updates.
The issues:
The issues include domain controllers having spontaneous reboots, Hyper-V not starting, and inaccessible ReFS volumes.
Windows domain controller boot loops:
These updates are causing Windows domain controllers to enter a boot loop, with servers getting into an endless cycle of Windows starting and then rebooting after a few minutes.
According to users and admins, the LSASS.exe process appears to consume all of the CPU on the server and then ultimately terminates, which triggers the reboot.
Hyper-V no longer starts:
Because Hyper-V fails to start, users attempting to launch a virtual machine receive an error stating the following:
"Virtual machine xxx could not be started because the hypervisor is not running."
Microsoft released security updates to fix four different Hyper-V vulnerabilities yesterday (CVE-2022-21901, CVE-2022-21900, CVE-2022-21905, and CVE-2022-21847), which are likely causing this issue.
ReFS file systems are no longer accessible:
Windows Resilient File System (ReFS) volumes are no longer accessible or are seen as RAW (unformatted) after installing the updates.
Yesterday, Microsoft fixed seven remote code execution vulnerabilities in ReFS, with one or more likely behind the inaccessible ReFS volumes.
These vulnerabilities are tracked as CVE-2022-21961, CVE-2022-21959, CVE-2022-21958, CVE-2022-21960, CVE-2022-21963, CVE-2022-21892, CVE-2022-21962, CVE-2022-21928.
Affected patches:
Below is the list of affected patches. You can search for the Patch IDs or Bulletin IDs in Vulnerability Manager Plus and decline them until Microsoft rolls out an official fix.
| Bulletin ID | Patch ID | Patch Description |
|---|---|---|
| MS22-JAN6 | 32762 | 2022-01 Security Monthly Quality Rollup for Windows Server 2012 R2 for x64-based Systems (KB5009624) |
| MS22-JAN3 | 32784 | 2022-01 Cumulative Update for Windows Server 2016 for x64-based Systems (KB5009546) |
| MS22-JAN3 | 32777 | 2022-01 Cumulative Update for Windows Server 2019 for x64-based Systems (KB5009557) |
| MS22-JAN3 | 32776 | 2022-01 Cumulative Update for Microsoft server operating system version 21H2 for x64-based Systems (KB5009555) |
As Microsoft bundles all security updates into a single Windows cumulative update, removing the update also removes the fixes for every vulnerability patched in that cumulative update.
Unfortunately, there is no known fix or workaround for this right now and the only way to mitigate it, if the updates have already been installed, is to uninstall them. You can go ahead and decline the above-mentioned patches if they have not been deployed yet.
[UPDATE]
Microsoft has released out-of-band fixes for this issue and for the other issues with the Windows cumulative updates over the course of 2 days (Jan 18 and Jan 19). These fixes are supported by ManageEngine and available in Vulnerability Manager Plus.
Initiate a sync between the Vulnerability Manager Plus server and the Central Patch Repository, search for the following Bulletin IDs or Patch IDs, and then deploy them to your target systems. For the OOB updates for the L2TP VPN breakage issue, refer to this link.
Out-of-band update for Hyper-V breakage and boot loop issues
| Bulletin ID | Patch ID | Patch Description |
|---|---|---|
| MSWU-3483 | 109214 | 2022-01 Update for Windows Server 2012 R2 for x64-based Systems (KB5010794) |
| MSWU-3482 | 109194 | 2022-01 Cumulative Update for Windows Server 2016 for x64-based Systems (KB5010790) |
| MSWU-3482 | 109217 | 2022-01 Cumulative Update for Windows Server 2019 for x64-based Systems (KB5010791) |
| MSWU-3482 | 109191 | 2022-01 Cumulative Update for Microsoft server operating system version 21H2 for x64-based Systems (KB5010796) |
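For admins who want to confirm where they stand before touching Vulnerability Manager Plus, the PowerShell below audits one or more servers against the problem-update / out-of-band-fix pairs listed in the two tables above. It is an added example written for this post, not a ManageEngine tool or script, and it assumes Windows PowerShell 5.1 or later, remote WMI/CIM access to the target servers, that the Win32_OperatingSystem caption contains the product name used in the table (for example "Windows Server 2019"), and that the computer names 'DC01' and 'HV01' in the usage line are placeholders.

```powershell
# Added example, not from the original post: audit servers for the January 2022 updates.
# KB pairs come from the tables above; everything else (names, mapping by OS caption) is assumed.

$UpdatePairs = @(
    [pscustomobject]@{ Os = 'Windows Server 2012 R2'; Problem = 'KB5009624'; Fix = 'KB5010794' }
    [pscustomobject]@{ Os = 'Windows Server 2016';    Problem = 'KB5009546'; Fix = 'KB5010790' }
    [pscustomobject]@{ Os = 'Windows Server 2019';    Problem = 'KB5009557'; Fix = 'KB5010791' }
    [pscustomobject]@{ Os = 'Windows Server 2022';    Problem = 'KB5009555'; Fix = 'KB5010796' }
)

function Get-JanuaryUpdateState {
    [CmdletBinding()]
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    foreach ($computer in $ComputerName) {
        try {
            $os        = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $computer -ErrorAction Stop
            $cs        = Get-CimInstance -ClassName Win32_ComputerSystem  -ComputerName $computer -ErrorAction Stop
            $installed = (Get-HotFix -ComputerName $computer -ErrorAction Stop).HotFixID
        } catch {
            Write-Warning "$computer : $($_.Exception.Message)"
            continue
        }

        # Pick the KB pair for this server's OS; anything not in the table is out of scope.
        $pair = $UpdatePairs | Where-Object { $os.Caption -like "*$($_.Os)*" } | Select-Object -First 1
        if (-not $pair) {
            [pscustomobject]@{ Computer = $computer; OS = $os.Caption; Status = 'Not in scope'; Action = '' }
            continue
        }

        $hasProblem = $installed -contains $pair.Problem
        $hasFix     = $installed -contains $pair.Fix

        if ($hasFix) {
            $status = 'Remediated'
            $action = "$($pair.Fix) is present"
        } elseif ($hasProblem) {
            # The post's mitigation: deploy the OOB fix, or uninstall the problem update.
            $kbNumber = $pair.Problem.Substring(2)
            $status   = 'Affected'
            $action   = "Deploy $($pair.Fix) from Vulnerability Manager Plus, or: wusa.exe /uninstall /kb:$kbNumber /norestart"
        } else {
            $status = 'Not installed'
            $action = "Decline $($pair.Problem); deploy $($pair.Fix) instead"
        }

        [pscustomobject]@{
            Computer          = $computer
            OS                = $os.Caption
            ProblemUpdate     = $pair.Problem
            OobFix            = $pair.Fix
            # On a Hyper-V host, $false here matches the "hypervisor is not running" symptom.
            HypervisorPresent = $cs.HypervisorPresent
            Status            = $status
            Action            = $action
        }
    }
}

# Usage: audit domain controllers and Hyper-V hosts and list the ones still needing work.
Get-JanuaryUpdateState -ComputerName 'DC01', 'HV01' |
    Where-Object Status -ne 'Remediated' |
    Format-Table -AutoSize
```

Servers that come back as "Affected" are the ones in the boot-loop / Hyper-V exposure described above; those marked "Not installed" only need the original patch declined and the OOB update approved, so the fixes for the January vulnerabilities are never removed from the estate.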
Regards,