Hello c/sysadmin, and welcome to the Patch Megathread! I’m editing this post and leaving it up as a single catch-all sticky post for patch days for the time being, since we’re not seeing enough activity to warrant new threads IMO. If someone wants to help moderate / curate content and actively create new patch day posts, please let me know and I’ll add you to the mod team.
This is the place to talk about the latest patches, updates, and releases. We put this thread into place to help gather all the information about this month’s updates: What is fixed, what broke, what got released and should have been caught in QA, etc. We do this both to keep clutter out of the community, and provide a singular resource to read.
While this thread is timed to coincide with Microsoft’s Patch Tuesday, feel free to discuss any patches, updates, and releases, regardless of the company or product.
Remember the rules of safe patching:
- Deploy to a test/dev environment before prod.
- Deploy to a pilot/test group before the whole org.
- Have a plan to roll back if something doesn’t work.
- Test, test, and test!
Will ‘joshtaco’ be here?
I don’t know, go ask him… seriously, we need contributors. :D
Bleeping computer patch notes: https://www.bleepingcomputer.com/news/microsoft/microsoft-july-2023-patch-tuesday-warns-of-6-zero-days-132-flaws/
Zero day patch notes: https://www.zerodayinitiative.com/blog/2023/7/10/the-july-2023-security-update-review
Lansweeper: https://www.lansweeper.com/patch-tuesday/microsoft-patch-tuesday-july-2023/
Starting my updates today (I typically wait a week to let other people be the test bed), I will update at the end tomorrow or the following day, especially if I run into any trouble.
More importantly though, there’s two substantial changes in Windows Updates this month that you should be aware of if you are not already.
KB5020805 enters the next phase for patching CVE-2022-37967.
This month’s patches do the following:
- Removes the ability to set value 1 for the KrbtgtFullPacSignature subkey.
- Moves the update to Enforcement mode (Default) (KrbtgtFullPacSignature = 3) which can be overridden by an Administrator with an explicit Audit setting.
Between now and October is your last chance to look for anything broken by this change, after October 10th patches the ability to undo this change is removed completely.
For more details see: https://support.microsoft.com/en-us/topic/kb5020805-how-to-manage-kerberos-protocol-changes-related-to-cve-2022-37967-997e9acc-67c5-48e1-8d0d-190269bf4efb
KB5021130 enters final phase of patching for CVE-2022-38023
This month’s patches are the final phase of mitigation for this issue. Last month it forced the on everyone, so hopefully you’ve seen and found anything broken, as this month removes the ability to turn this change off due to the following:
- The Windows updates released on July 11, 2023 will remove the ability to set value 1 to the RequireSeal registry subkey. This enables the Enforcement phase of CVE-2022-38023.
For more details see: https://support.microsoft.com/en-us/topic/kb5021130-how-to-manage-the-netlogon-protocol-changes-related-to-cve-2022-38023-46ea3067-3989-4d40-963c-680fd9e8ee25
Check your system logs for both of those KBs (event IDs to look for are outlined later in both articles) before patching.
Edit 1:
Just noticed that “CVE-2023-36884 - Office and Windows HTML Remote Code Execution Vulnerability” has additional remediation steps if you are not using Microsoft Defender for Office. More details and regkey included in this article: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884
Edit 2:
Finished updates last night with no issues. Basic environment overview: Mix of physical and VMs (split between Hyper-V and VMWare), mostly worked on Windows servers last night, 2012 R2 - 2019. Updated VMs and hosts (on both platforms). Everything seems to be humming along nicely.
So… What has Microsoft broke this month? How is the patching going everyone?
We did a gitlab upgrade last week to 16.1and it went fine, but I noticed they never put out a vanilla v16.1.0 tag for gitlab-runner. There exist images such as Ubuntu-v16.1.0 but we usually just use the vanilla one. Anyone know what’s up about that?
Is it automated yet? (The autoposting that is)