Issues Reported with MS13-052 (KB2840628) and Configuration Manager


Updated 8/22/2013 - The MS13-052 update published under KB 2840628 has been revised to include the fix for the issues reported below. New installations of MS13-052 as of August 13, 2013 will no longer require the additional standalone hotfix KB 2872041.

Updated 7/29/2013 - Hotfix available

We have confirmed a few different issues with the latest .NET Framework 4 security update, KB 2840628, when applied to SQL Server 2012 (all versions) servers in a Configuration Manager environment.

A standalone hotfix, KB 2872041, is now available to correct this issue. The new hotfix should be applied to any SQL Server 2012 installation with KB 2840628 that houses a Configuration Manager role, such as a site database or database replica.

KB2872041: .NET Framework 4 applications that rely on a partial trust host may encounter errors

Application of this hotfix should resolve all of the issues noted in this blog post.

 

Issue 1: System Center 2012 Configuration Manager

Database replication between sites (central administration site/primary site/secondary site) with SQL Server 2012 will fail.

The rcmctrl.log file on the failing sites will contain entries similar to the following:

//

Launching 2 sprocs on queue ConfigMgrDRSQueue and 0 sprocs on queue ConfigMgrDRSSiteQueue.                SMS_REPLICATION_CONFIGURATION_MONITOR

The asynchronous command finished with return message: [A .NET Framework error occurred during execution of user-defined routine or aggregate "spDRSActivation": ~~System.TypeInitializationException: The type initializer for 'System.Data.SqlClient.SqlConnection' threw an exception. ---> System.TypeInitializationException: The type initializer for 'System.Data.SqlClient.SqlConnectionFactory' threw an exception. ---> System.TypeInitializationException: The type initializer for 'System.Data.SqlClient.SqlPerformanceCounters' threw an exception. ---> System.MethodAccessException: Attempt by method 'System.Configuration.TypeUtil.CreateInstanceRestricted(System.Type, System.Type)' to access method 'System.Diagnostics.SwitchElementsCollection..ctor()' failed. ---> System.Security.SecurityException: Request failed… [truncated for readability]

//

Temporary workaround:

Until the revised update is available, you can make the following short term changes to recover from this issue:

In SQL Management Studio on the affected server, change the Permission set to Unrestricted for the MessageHandlerService assembly. This is done in the assembly properties via:

SQL Server -> Databases -> (Site Database) -> Programmability -> Assemblies -> MessageHandlerService -> right-click and select Properties -> highlight General -> expand the "Permission set" drop-down -> select Unrestricted.

When the change is made, replication between sites should automatically recover within 5-10 minutes.

Issue 2: System Center 2012 Configuration Manager

Synchronization of the software update point might fail at the end of the synchronization process. The WSyncMgr.log will have entries similar to the following:

//

error 14: SQL Error Message Failed to generate documents:A .NET Framework error occurred during execution of user-defined routine or aggregate "fnGenerateLanternDocumentsTable": ~~System.TypeInitializationException: The type initializer for 'System.Data.SqlClient.SqlConnection' threw an exception. ---> System.TypeInitializationException: The type initializer for 'System.Data.SqlClient.SqlConnectionFactory' threw an exception. ---> System.TypeInitializationException: The type initializer for 'System.Data.SqlClient.SqlPerformanceCounters' threw an exception. ---> System.MethodAccessException: Attempt by method 'System.Configuration.TypeUtil.CreateInstanceRestricted(System.Type, System.Type)' to access method 'System.Diagnostics.SwitchElementsCollection..ctor()' failed. ---> System.Security.SecurityException: Request failed… [truncated for readability]

//

Temporary workaround:

Similar to Issue 1, the SMSSQLCLR assembly Permission Set can be changed to Unrestricted. From SQL Management Studio:

SQL Server -> Databases -> (Site Database) -> Programmability -> Assemblies -> SMSSQLCLR

Issue 3: Configuration Manager 2007

Client location requests for content do not return any distribution points. This occurs when the management point and site database (either directly or via SQL replica) are on the same server. The MP_Location.log on the management point will have entries similar to the following:

//

CMPDBConnection::ExecuteSQL(): ICommandText::Execute() failed with 0x80040E14

CHandleLocationRequest::CreateReply failed with error (80040e14).

//

Temporary workaround:

Use the same procedure noted in the previous section for Issue 2.

Issue 4: System Center 2012 Configuration Manager

The component status for State System will be set to "Critical" when viewed in the administrator console.

The statesys.log file will contain entries similar to the following:

//

*** *** Unknown SQL Error!

CMessageProcessor - Encountered a non-fatal SQL error while processing

CMessageProcessor - Non-fatal error while processing <filename>.SMX

//

Temporary workaround:

Use the same procedure noted for Issue 1.
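
The log signatures quoted for Issues 1 through 4, turned into a small triage script that maps a log line to the issue and to the assembly named in its workaround. This is an added example, not code from Microsoft or from the original post; the function names, the confidence labels and the abridged sample lines are this example's own.

```python
import re

ROUTINE_RE = re.compile(r'user-defined routine or aggregate "([^"]+)"')
EXC_RE = re.compile(r"System(?:\.\w+)*\.\w*Exception")
ROOT_CAUSE = "System.Configuration.TypeUtil.CreateInstanceRestricted"  # from the Issue 1/2 excerpts
# CLR routine named in the error -> (issue number, assembly named in the workaround)
ROUTINES = {
    "spDRSActivation": (1, "MessageHandlerService"),
    "fnGenerateLanternDocumentsTable": (2, "SMSSQLCLR"),
}
# Excerpts that carry no CLR text: log file -> (lower-cased substring, issue, assembly)
PLAIN = {
    "mp_location.log": [("failed with 0x80040e14", 3, "SMSSQLCLR"),
                        ("failed with error (80040e14)", 3, "SMSSQLCLR")],
    "statesys.log": [("unknown sql error!", 4, "MessageHandlerService"),
                     ("encountered a non-fatal sql error", 4, "MessageHandlerService")],
}

def exception_chain(line):
    """Exception type names in a '--->'-chained .NET error, outermost first."""
    found = (EXC_RE.search(part) for part in line.split("--->"))
    return [m.group(0) for m in found if m]

def classify(log_name, line):
    """Map one log line to an issue from the post, or None if nothing matches."""
    m = ROUTINE_RE.search(line)
    if m and m.group(1) in ROUTINES:
        issue, assembly = ROUTINES[m.group(1)]
        # "high" only when the partial-trust access failure itself is in the line.
        conf = "high" if ROOT_CAUSE in line else "medium"
        return {"issue": issue, "assembly": assembly,
                "chain": exception_chain(line), "confidence": conf}
    for needle, issue, assembly in PLAIN.get(log_name.lower(), []):
        if needle in line.lower():
            # Generic SQL failure text: consistent with the issue, not proof of it.
            return {"issue": issue, "assembly": assembly, "chain": [], "confidence": "low"}
    return None

# Constructed sample input, abridged from the excerpts quoted in this post.
SAMPLES = [
    ("rcmctrl.log", 'A .NET Framework error occurred during execution of user-defined routine or aggregate "spDRSActivation": ~~System.TypeInitializationException: The type initializer for \'System.Data.SqlClient.SqlConnection\' threw an exception. ---> System.MethodAccessException: Attempt by method \'System.Configuration.TypeUtil.CreateInstanceRestricted(System.Type, System.Type)\' to access method \'System.Diagnostics.SwitchElementsCollection..ctor()\' failed. ---> System.Security.SecurityException: Request failed'),
    ("MP_Location.log", "CMPDBConnection::ExecuteSQL(): ICommandText::Execute() failed with 0x80040E14"),
    ("statesys.log", "CMessageProcessor - Encountered a non-fatal SQL error while processing"),
    ("rcmctrl.log", "Launching 2 sprocs on queue ConfigMgrDRSQueue and 0 sprocs on queue ConfigMgrDRSSiteQueue."),
]

if __name__ == "__main__":
    for log, line in SAMPLES:
        print(log, classify(log, line))
```

The Issue 3 and Issue 4 excerpts contain only generic SQL failure text, so a "low" hit should be confirmed against the installed updates on the SQL Server before the workaround is applied.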

 

Uninstall

Although uninstalling KB2840628 will resolve all 4 issues, we do not recommend this action as a solution because it will leave your environment vulnerable to the security issues that the update resolves. For more information about the security vulnerabilities addressed by KB2840628, see the following Microsoft security bulletin:

https://technet.microsoft.com/en-us/security/bulletin/MS13-052

Instead of uninstalling the original update KB2840628, Microsoft recommends installing the latest hotfix referenced at the beginning of this article, KB 2872041.

 
Thank you,

--Configuration Manager Sustained Engineering

This posting is provided "AS IS" with no warranties and confers no rights.

 

  • Thanks for getting this info out there.  Looking forward to the revised release.

  • This security update also blocks me from running .NET applications from a network drive (mapped via NET USE). It seems to disallow the reading of application's .config file from the network drive. E.g. in my case I'm trying to run automated tests with NUnit (nunit-console.exe) and have mapped a network folder to B:, but the program crashes instantly with the exception "Unhandled Exception: System.Configuration.ConfigurationErrorsException" when trying to read nunit-console.exe.config.

    I confirmed that everything works normally if I uninstall the security update.

  • Does this affect SCCM 2007 R2 on SQL Server 2005 or 2008? Thanks!

  • Hi, will this workaround work on SQL Express?

    _____________________________

    Temporary workaround:

    Until the revised update is available, you can make the following short term changes to recover from this issue:

    In SQL Management Studio on the affected server, change the Permission set to Unrestricted for the MessageHandlerService Assembly. This is done in the Assembly properties via:

    SQL Server -> Databases -> (Site Database) -> Programmability -> Assemblies -> MessageHandlerService

    When the change is made, replication between sites should automatically recover within 5-10 minutes.

  • @DD, yes this workaround will work on SQL Express.

    @Mo, We have not had the problems repro on SQL 2008 with CM07.  No report on SQL 2005 so far.

    @Robert Smith, yes, I believe this may be one of the symptoms .NET team is investigating.

  • What about 2840632 for Windows Server 2012? Will it cause same problem?

  • We have a VB.NET app (created in VS2010) that uses the SQLConnect to connect to the SQL 2005 Database.  We are receiving:   "The type initializer for 'System.Data.SqlClient.SqlConnection' threw an exception" and

    "at System.Data.SqlClient.SqlConnection..ctor() at System.Data.SqlClient.SqlConnection..ctor(String connectionString)..."  We do not have any assemblies.

  • @Peng.  As far as we know we only have issues on .NET 4.0 (2840628) & SQL 2012.  2840632 is for .NET 4.5.

    @98611.  Recommend you post these symptoms in .Net or SQL server forums.  Maybe those teams have temporary workarounds.

  • I applied the Assemblies work around in our CM 2012 site and everything was working fine until I rebooted the site server, within 10 minutes my replication was once again showing as Failed and I was seeing the .Net errors in the Rcmctrl.log.  I was able to stop the errors and return replication to active on the site by cycling SQL services, but I really do not want to watch and prevent reboots until the fix comes out.  This update is required by our security team so removing it is not an option.

    Any suggestions on how to keep the work around applied after a reboot?

  • We had the exact same error as in "Issue 1" but our setup is Win2012 and SQL2012.

    I applied the workaround in SQL and the error from the rcmctrl.log went away but we still have "Link Failed" in the console.

    @Yvette "@Peng.  As far as we know we only have issues on .NET 4.0 (2840628) & SQL 2012.  2840632 is for .NET 4.5".

    Is it possible to clear things up as to whether we could still be affected by this issue on Win2012?

    Thanks

  • I can't get the new update (August 13) to even install.  It just spins and spins and spins.  This is ridiculous.

  • What is the solution for people running SCCM 2012 on Windows 2012 that have this exact same problem? Extremely annoying and since KB2840628 doesn't apply for 2012 servers, the above fixes aren't relevant. Strange that no one else is experiencing this with Windows 2012 (or has posted about it online anyway). I have an open case with MS and they're stuck trying to fix it too.