SharePoint workflows stop working after you install .NET security updates for CVE-2018-8421

Applies to: SharePoint Server

Symptoms


After you install any of the September 2018 .NET Framework security updates to resolve CVE-2018-8421 (.NET Framework Remote Code Execution Vulnerability), SharePoint out-of-the-box workflows stop working. When this problem occurs, an error entry that resembles the following is logged:

<Date> <Time> w3wp.exe (0x1868) 0x22FC SharePoint Foundation Workflow Infrastructure 72fs Unexpected RunWorkflow: Microsoft.SharePoint.SPException: <Error><CompilerError Line="-1" Column="-1" Text="Type System.CodeDom.CodeBinaryOperatorExpression is not marked as authorized in the application configuration file." /><CompilerError Line="-1" Column="-1" Text="Type System.CodeDom.CodeBinaryOperatorExpression is not marked as authorized in the application configuration file." /><CompilerError Line="-1" Column="-1" Text="Type System.CodeDom.CodeBinaryOperatorExpression is not marked as authorized in the application configuration file." /><CompilerError Line="-1" Column="-1" Text="Type System.CodeDom.CodeBinaryOperatorExpression is not marked as authorized in the application configuration file." /><CompilerError Line="-1" Column="-1" Text="Type System.CodeDom.CodeBinaryOperatorExpression is not marked as authorized in the application configuration file." /><CompilerError Line="-1" Column="-1" Text="Type System.CodeDom.CodeBinaryOperatorExpression is not marked as authorized in the application configuration file." /><CompilerError Line="-1" Column="-1" Text="Type System.CodeDom.CodeBinaryOperatorExpression is not marked as authorized in the application configuration file." /><CompilerError Line="-1" Column="-1"…

The error entry suggests that System.CodeDom.CodeBinaryOperatorExpression is not included in the authorized types.

For more information about the September .NET security updates, go to this Microsoft .NET Blog page.

Cause


Workflow Foundation (WF) runs workflows only when all dependent types and assemblies are authorized in the .NET config file (or added explicitly through code) in the following tree:

<configuration>
  <System.Workflow.ComponentModel.WorkflowCompiler>
    <authorizedTypes>
      <targetFx>

However, after the update, some types that are used by SharePoint out-of-the-box workflows, and that previously were not required, are now required.

Resolution


To resolve this problem, apply the appropriate security and nonsecurity updates from the following Knowledge Base articles:

4461501 Description of the security update for SharePoint Enterprise Server 2016: November 13, 2018

4461508 November 13, 2018, cumulative update for SharePoint Foundation 2013 (KB4461508)

4461510 November 13, 2018, cumulative update for SharePoint Enterprise Server 2013 (KB4461510)
 
4011713 November 13, 2018, update for SharePoint Foundation 2010 (KB4011713)

4461528 November 13, 2018, cumulative update for SharePoint Server 2010 (KB4461528)

Notes 

  • After the update is installed, SharePoint Products Configuration Wizard must be run for the fix to be fully applied.
  • Some third-party or custom workflow actions may have additional dependencies. If you experience a behavior that is similar to this problem but is not discussed in this article, please consult the workflow action developer for assistance.

Workaround


To work around this problem, explicitly add the necessary types to the Web.config file of all applications. Although the manual steps are provided, we recommend that you use the script method.
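
As an added example (not Microsoft's script and not code from this article), the following read-only PowerShell check extracts the type names reported in the logged error and tests whether a Web.config already authorizes them under the tree described in the Cause section. The function names, the sample log line and the sample configuration are constructed for illustration; it assumes the standard authorizedType attributes (Namespace, TypeName, Authorized) and does not compare the Assembly attribute.

```powershell
# Added example: read-only audit; it never modifies Web.config.
function Get-UnauthorizedWorkflowType {
    # Pull the distinct type names out of "not marked as authorized" log entries.
    param([Parameter(Mandatory=$true)][string[]]$LogLine)
    $pattern = 'Type (?<type>[\w.`+]+) is not marked as authorized'
    $found = foreach ($line in $LogLine) {
        foreach ($m in [regex]::Matches($line, $pattern)) { $m.Groups['type'].Value }
    }
    $found | Sort-Object -Unique
}

function Test-WorkflowTypeAuthorized {
    # True when an authorizedType entry under the tree from the Cause section
    # covers the type. Assembly identity is not compared (simplification).
    param([Parameter(Mandatory=$true)][xml]$Config,
          [Parameter(Mandatory=$true)][string]$TypeName)
    $dot = $TypeName.LastIndexOf('.')
    if ($dot -lt 1) { return $false }
    $ns   = $TypeName.Substring(0, $dot)
    $name = $TypeName.Substring($dot + 1)
    $xpath = '/configuration/System.Workflow.ComponentModel.WorkflowCompiler' +
             '/authorizedTypes/targetFx/authorizedType'
    foreach ($node in $Config.SelectNodes($xpath)) {
        $nsMatch   = $node.GetAttribute('Namespace') -eq $ns
        $nameMatch = @('*', $name) -contains $node.GetAttribute('TypeName')
        if ($nsMatch -and $nameMatch -and $node.GetAttribute('Authorized') -eq 'True') {
            return $true
        }
    }
    return $false
}

# Constructed sample inputs (not taken from a real farm).
$sampleLog = 'w3wp.exe ... <CompilerError Line="-1" Column="-1" Text="Type System.CodeDom.CodeBinaryOperatorExpression is not marked as authorized in the application configuration file." />'
[xml]$sampleConfig = @'
<configuration>
  <System.Workflow.ComponentModel.WorkflowCompiler>
    <authorizedTypes>
      <targetFx version="v4.0">
        <authorizedType Assembly="mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" Namespace="System" TypeName="*" Authorized="True" />
      </targetFx>
    </authorizedTypes>
  </System.Workflow.ComponentModel.WorkflowCompiler>
</configuration>
'@

foreach ($type in Get-UnauthorizedWorkflowType -LogLine $sampleLog) {
    '{0}: authorized={1}' -f $type, (Test-WorkflowTypeAuthorized -Config $sampleConfig -TypeName $type)
}
```

To audit a real application, pass the content of its ULS log and Web.config (for example through Get-Content) in place of the constructed samples.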