SharePoint workflows stop working after you install .NET security updates for CVE-2018-8421

Applies to: SharePoint Server

Symptoms

After any of the September 2018 .NET Framework security updates to resolve CVE-2018-8421 (.NET Framework Remote Code Execution Vulnerability) are applied, SharePoint out-of-the-box workflows stop working. When the problem occurs, an error that resembles the following is logged:

<Date> <Time> w3wp.exe (0x1868) 0x22FC SharePoint Foundation Workflow Infrastructure 72fs Unexpected RunWorkflow: Microsoft.SharePoint.SPException: <Error><CompilerError Line="-1" Column="-1" Text="Type System.CodeDom.CodeBinaryOperatorExpression is not marked as authorized in the application configuration file." /><CompilerError Line="-1" Column="-1" Text="Type System.CodeDom.CodeBinaryOperatorExpression is not marked as authorized in the application configuration file." /><CompilerError Line="-1" Column="-1" Text="Type System.CodeDom.CodeBinaryOperatorExpression is not marked as authorized in the application configuration file." /><CompilerError Line="-1" Column="-1" Text="Type System.CodeDom.CodeBinaryOperatorExpression is not marked as authorized in the application configuration file." /><CompilerError Line="-1" Column="-1" Text="Type System.CodeDom.CodeBinaryOperatorExpression is not marked as authorized in the application configuration file." /><CompilerError Line="-1" Column="-1" Text="Type System.CodeDom.CodeBinaryOperatorExpression is not marked as authorized in the application configuration file." /><CompilerError Line="-1" Column="-1" Text="Type System.CodeDom.CodeBinaryOperatorExpression is not marked as authorized in the application configuration file." /><CompilerError Line="-1" Column="-1"…

The error suggests that System.CodeDom.CodeBinaryOperatorExpression is not included in the authorized types.

For more information about the September .NET Security updates, go to this Microsoft blog page.

Cause

Workflow Foundation (WF) runs a workflow only when every type and assembly the workflow depends on is authorized in the .NET config file (or added explicitly through code) under the following tree:

<configuration>
  <System.Workflow.ComponentModel.WorkflowCompiler>
    <authorizedTypes>
      <targetFx>

(SharePoint 2013 and later versions use the targetFx node; earlier versions list the entries directly under authorizedTypes, as the script in the "More information" section shows.)

After the update, some types that SharePoint out-of-box workflows use, and that did not previously have to be authorized, must now be listed.

Resolution

The solution is to explicitly add the necessary types to all web applications' web.config files.

For SharePoint 2013 and later versions

For SharePoint 2013 and later versions, add the following lines:

<authorizedType Assembly="System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodeBinaryOperatorExpression" Authorized="True" />

<authorizedType Assembly="System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodePrimitiveExpression" Authorized="True" />

<authorizedType Assembly="System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodeMethodInvokeExpression" Authorized="True" />

<authorizedType Assembly="System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodeMethodReferenceExpression" Authorized="True" />

<authorizedType Assembly="System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodeFieldReferenceExpression" Authorized="True" />

<authorizedType Assembly="System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodeThisReferenceExpression" Authorized="True" />

<authorizedType Assembly="System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodePropertyReferenceExpression" Authorized="True" />

For SharePoint versions earlier than SharePoint 2013

For SharePoint versions earlier than 2013, add the following lines instead:

<authorizedType Assembly="System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodeBinaryOperatorExpression" Authorized="True" />

<authorizedType Assembly="System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodePrimitiveExpression" Authorized="True" />

<authorizedType Assembly="System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodeMethodInvokeExpression" Authorized="True" />

<authorizedType Assembly="System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodeMethodReferenceExpression" Authorized="True" />

<authorizedType Assembly="System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodeFieldReferenceExpression" Authorized="True" />

<authorizedType Assembly="System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodeThisReferenceExpression" Authorized="True" />

<authorizedType Assembly="System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodePropertyReferenceExpression" Authorized="True" />

More information

We recommend that you use the following script instead of editing the web.config files directly.

Note: Some third-party workflow engines may require extra types. If that may be the case, contact your supplier for the list of required types, and then adjust the script accordingly.

The following script changes the web.config of every web application to add the necessary entries. Because the modifications are persisted in the configuration database, they are applied to existing web applications and to new ones created after the script runs. Run the script only once, on any web front end in the farm; it updates all servers.

    <#
    This script adds the authorizedType entries to the web.config files of all web applications in the farm.
    Run it as Farm Administrator on one of the WFEs. It only needs to run one time.

    SUMMARY:
    The script uses the native SharePoint SPWebConfigModification API to deploy the web.config updates to each
    web application on each server in the farm. Servers added at a later date also receive the updates, because
    the modifications are persisted in the configuration database. The API does not update the web.config of
    the Central Administration web application; if you run workflows there, update its web.config manually
    using the steps in the referenced blog.
    ==============================================================
    #>

    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue | Out-Null

    function Add-CodeDomAuthorizedType
    {
        <#
        .SYNOPSIS
           Adds the necessary authorizedType elements to the web.config files of all non-Central Admin web applications.
        .DESCRIPTION
           Adds the necessary authorizedType elements to the web.config files of all non-Central Admin web applications.
        .EXAMPLE
           Add-CodeDomAuthorizedType
        #>
        [CmdletBinding()]
        param()
        begin
        {
            $farmMajorVersion = (Get-SPFarm -Verbose:$false).BuildVersion.Major
            $contentService   = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
            $typeNames = @( "CodeBinaryOperatorExpression", "CodePrimitiveExpression", "CodeMethodInvokeExpression",
                            "CodeMethodReferenceExpression", "CodeFieldReferenceExpression", "CodeThisReferenceExpression",
                            "CodePropertyReferenceExpression" )
        }
        process
        {
            # The run-once guard must match on Owner: Name holds the XPath of each entry, so comparing Name
            # against the owner string never matches and the entries would be added again on every run.
            if( @($contentService.WebConfigModifications | ? { $_.Owner -eq "NetFrameworkAuthorizedTypeUpdate" }).Count -gt 0 )
            {
                Write-Warning "Existing NetFrameworkAuthorizedTypeUpdate entries found; this script only needs to be run once per farm."
                return
            }
            # SharePoint 2010/2007 reference System 2.0.0.0 and place the entries directly under authorizedTypes;
            # SharePoint 2013 and later reference System 4.0.0.0 and place them under authorizedTypes/targetFx.
            if( $farmMajorVersion -le 14 ) # 2010, 2007
            {
                $assembly = "System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
                $path     = "configuration/System.Workflow.ComponentModel.WorkflowCompiler/authorizedTypes"
            }
            else # 2013+
            {
                $assembly = "System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
                $path     = "configuration/System.Workflow.ComponentModel.WorkflowCompiler/authorizedTypes/targetFx"
            }
            foreach( $typeName in $typeNames )
            {
                $netFrameworkConfig = New-Object Microsoft.SharePoint.Administration.SPWebConfigModification
                $netFrameworkConfig.Path     = $path
                # Name is the XPath that identifies the node, so EnsureChildNode does not duplicate it.
                $netFrameworkConfig.Name     = "authorizedType[@Assembly='{0}'][@Namespace='System.CodeDom'][@TypeName='{1}'][@Authorized='True']" -f $assembly, $typeName
                $netFrameworkConfig.Owner    = "NetFrameworkAuthorizedTypeUpdate"
                $netFrameworkConfig.Sequence = 0
                $netFrameworkConfig.Type     = [Microsoft.SharePoint.Administration.SPWebConfigModification+SPWebConfigModificationType]::EnsureChildNode
                $netFrameworkConfig.Value    = '<authorizedType Assembly="{0}" Namespace="System.CodeDom" TypeName="{1}" Authorized="True"/>' -f $assembly, $typeName
                $contentService.WebConfigModifications.Add($netFrameworkConfig)
            }
            Write-Verbose "Updating web.configs"
            $contentService.Update()
            $contentService.ApplyWebConfigModifications()
        }
    }

    function Remove-CodeDomAuthorizedType
    {
        <#
        .SYNOPSIS
           Removes any web configuration entries owned by "NetFrameworkAuthorizedTypeUpdate".
        .DESCRIPTION
           Removes any web configuration entries owned by "NetFrameworkAuthorizedTypeUpdate" and re-applies the web.config modifications.
        .EXAMPLE
           Remove-CodeDomAuthorizedType
        #>
        [CmdletBinding()]
        param()
        begin
        {
            $contentService = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
        }
        process
        {
            # Copy into an array first so the collection is not modified while it is being enumerated.
            $webConfigModifications = @($contentService.WebConfigModifications | ? { $_.Owner -eq "NetFrameworkAuthorizedTypeUpdate" })
            foreach ( $webConfigModification in $webConfigModifications )
            {
                Write-Verbose "Found instance owned by NetFrameworkAuthorizedTypeUpdate"
                $contentService.WebConfigModifications.Remove( $webConfigModification ) | Out-Null
            }
            if( $webConfigModifications.Count -gt 0 )
            {
                $contentService.Update()
                $contentService.ApplyWebConfigModifications()
            }
        }
    }

    # The timer job responsible for deploying the web.config change:
    # Get-SPTimerJob | ? { $_.Name -eq "job-webconfig-modification" }

    # The command below makes the appropriate changes
    Add-CodeDomAuthorizedType

    # Remove the leading # below if you need to retract the web.config updates
    # Remove-CodeDomAuthorizedType
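A verification check to run after the script (or after a manual web.config edit), added here and not part of the KB script: it parses a web.config and reports which of the seven System.CodeDom types are still not authorized. The path logic follows the script above (targetFx for SharePoint 2013 and later, authorizedTypes directly for earlier versions); the function name Test-CodeDomAuthorizedType, the variable $RequiredCodeDomTypes and the sample web.config in the block are all constructed for this example.

```powershell
# Added verification helper, not part of the KB script. Parses a web.config and lists which of the
# seven System.CodeDom types required after the CVE-2018-8421 updates are not yet authorized there.
$RequiredCodeDomTypes = @( "CodeBinaryOperatorExpression", "CodePrimitiveExpression", "CodeMethodInvokeExpression",
    "CodeMethodReferenceExpression", "CodeFieldReferenceExpression", "CodeThisReferenceExpression", "CodePropertyReferenceExpression" )

function Test-CodeDomAuthorizedType
{
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [string] $WebConfigPath,
        [switch] $Legacy   # SharePoint 2010/2007 layout: entries sit directly under authorizedTypes
    )
    [xml] $config = Get-Content -LiteralPath $WebConfigPath
    $leaf  = if ($Legacy) { "/authorizedType" } else { "/targetFx/authorizedType" }
    $xpath = "/configuration/System.Workflow.ComponentModel.WorkflowCompiler/authorizedTypes$leaf"
    # GetAttribute is used because $node.Name would return the element name, not the attribute.
    # Both spellings are checked: XML attribute names are case-sensitive and the KB text writes
    # NameSpace while its script emits Namespace.
    $present = @()
    foreach ($node in $config.SelectNodes($xpath)) {
        $ns = $node.GetAttribute("Namespace")
        if (-not $ns) { $ns = $node.GetAttribute("NameSpace") }
        if ($ns -eq "System.CodeDom" -and $node.GetAttribute("Authorized") -eq "True") {
            $present += $node.GetAttribute("TypeName")
        }
    }
    $missing = @($RequiredCodeDomTypes | Where-Object { $present -notcontains $_ })
    New-Object PSObject -Property @{ WebConfig = $WebConfigPath; Missing = $missing; Ok = ($missing.Count -eq 0) }
}

# Demo on a constructed web.config that carries only two of the seven entries.
$sample = @"
<configuration>
  <System.Workflow.ComponentModel.WorkflowCompiler>
    <authorizedTypes>
      <targetFx version="v4.0">
        <authorizedType Assembly="System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" Namespace="System.CodeDom" TypeName="CodeBinaryOperatorExpression" Authorized="True" />
        <authorizedType Assembly="System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" Namespace="System.CodeDom" TypeName="CodePrimitiveExpression" Authorized="True" />
      </targetFx>
    </authorizedTypes>
  </System.Workflow.ComponentModel.WorkflowCompiler>
</configuration>
"@
$tmp = Join-Path ([IO.Path]::GetTempPath()) "webconfig-sample.config"
Set-Content -LiteralPath $tmp -Value $sample
Test-CodeDomAuthorizedType -WebConfigPath $tmp | Format-List WebConfig, Ok, Missing
```

On a farm, point it at the web.config in the physical path of each web application's IIS site on each server, and pass -Legacy on SharePoint 2010 or 2007; the Central Administration web.config, which the KB script does not touch, can be checked the same way.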