SharePoint workflows stop working after you install .NET security updates for CVE-2018-8421

Symptoms

After you install any of the September 2018 .NET Framework security updates to resolve CVE-2018-8421 (.NET Framework Remote Code Execution Vulnerability), SharePoint out-of-the-box workflows stop working. When this problem occurs, an error entry that resembles the following is logged:

<Date> <Time> w3wp.exe (0x1868) 0x22FC SharePoint Foundation Workflow Infrastructure 72fs Unexpected RunWorkflow: Microsoft.SharePoint.SPException: <Error><CompilerError Line="-1" Column="-1" Text="Type System.CodeDom.CodeBinaryOperatorExpression is not marked as authorized in the application configuration file." /><CompilerError Line="-1" Column="-1" Text="Type System.CodeDom.CodeBinaryOperatorExpression is not marked as authorized in the application configuration file." /><CompilerError Line="-1" Column="-1" Text="Type System.CodeDom.CodeBinaryOperatorExpression is not marked as authorized in the application configuration file." /><CompilerError Line="-1" Column="-1" Text="Type System.CodeDom.CodeBinaryOperatorExpression is not marked as authorized in the application configuration file." /><CompilerError Line="-1" Column="-1" Text="Type System.CodeDom.CodeBinaryOperatorExpression is not marked as authorized in the application configuration file." /><CompilerError Line="-1" Column="-1" Text="Type System.CodeDom.CodeBinaryOperatorExpression is not marked as authorized in the application configuration file." /><CompilerError Line="-1" Column="-1" Text="Type System.CodeDom.CodeBinaryOperatorExpression is not marked as authorized in the application configuration file." /><CompilerError Line="-1" Column="-1"…

The error entry suggests that System.CodeDom.CodeBinaryOperatorExpression is not included in the authorized types.

For more information about the September .NET security updates, go to this Microsoft .NET Blog page.

Cause

Workflow Foundation (WF) runs workflows only when all dependent types and assemblies are authorized in the .NET config file (or added explicitly through code) in the following tree:

<configuration>

<System.Workflow.ComponentModel.WorkflowCompiler>

<authorizedTypes>

<targetFx>

However, after the update, some types that are used by SharePoint out-of-box workflows that were previously not required are now required.

Resolution

To resolve this problem, apply the appropriate security and nonsecurity updates from the following Knowledge Base articles:

4461501 Description of the security update for SharePoint Enterprise Server 2016: November 13, 2018

4461508 November 13, 2018, cumulative update for SharePoint Foundation 2013 (KB4461508)

4461510 November 13, 2018, cumulative update for SharePoint Enterprise Server 2013 (KB4461510)
 
4011713 November 13, 2018, update for SharePoint Foundation 2010 (KB4011713)

4461528 November 13, 2018, cumulative update for SharePoint Server 2010 (KB4461528)

Notes 

  • After the update is installed, SharePoint Products Configuration Wizard must be run for the fix to be fully applied.

  • Some third-party or custom workflow actions may have additional dependencies. If you experience a behavior that is similar to this problem but is not discussed in this article, please consult the workflow action developer for assistance.

Workaround

To work around this problem, explicitly add the necessary types to the Web.config file of all applications. Although the manual steps are provided, we recommend that you use the script method. 

To workaround this problem, explicitly add the necessary types to the web.config files of all applications.

For SharePoint 2013 and later versions

For SharePoint 2013 and later versions, add the following lines:

<authorizedType Assembly="System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodeBinaryOperatorExpression" Authorized="True" />

<authorizedType Assembly="System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodePrimitiveExpression" Authorized="True" />

<authorizedType Assembly="System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodeMethodInvokeExpression" Authorized="True" />

<authorizedType Assembly="System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodeMethodReferenceExpression" Authorized="True" />

<authorizedType Assembly="System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodeFieldReferenceExpression" Authorized="True" />

<authorizedType Assembly="System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodeThisReferenceExpression" Authorized="True" />

<authorizedType Assembly="System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodePropertyReferenceExpression" Authorized="True" />
 

For SharePoint versions earlier than SharePoint 2013

For SharePoint versions earlier than 2013, add the following lines instead:

<authorizedType Assembly="System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodeBinaryOperatorExpression" Authorized="True" />

<authorizedType Assembly="System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodePrimitiveExpression" Authorized="True" />

<authorizedType Assembly="System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodeMethodInvokeExpression" Authorized="True" />

<authorizedType Assembly="System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodeMethodReferenceExpression" Authorized="True" />

<authorizedType Assembly="System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodeFieldReferenceExpression" Authorized="True" />

<authorizedType Assembly="System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodeThisReferenceExpression" Authorized="True" />

<authorizedType Assembly="System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodePropertyReferenceExpression" Authorized="True" />

We recommend that you run the following script instead of directly modifying existing files.

Note Some third-party workflow engines may require adding extra types. If this is the case, contact your supplier for information about the required types, and then adjust the script accordingly.

The following script changes Web.config for all web applications to add the necessary entries. This script adds these types for existing web applications and for applications that are created after the script runs. The script should be run only one time on any web front-end server in the farm (it will update all servers).

<#

 This script adds the entries to all web.config files for all web applications in the farm.

 Run this script as Farm Administrator in one of the WFEs.

 This script has to run only one time.

SUMMARY:

This script uses the native SharePoint SPWebConfigModification API to deploy new updates to the web.config file for each web application on each server in the farm.  Servers that are added at a later date will also get the updates applied because the API configuration is persisted in the config database.  This API does not update the web.config for the central administration web application.

If you are running workflows on the central admin web application, you will have to manually update the web.config by using the steps in the referenced blog.

==============================================================

#>

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue | Out-Null

function Add-CodeDomAuthorizedType

{

    <#

    .Synopsis

       Adds the necessary authorizedType elements to all web.config files for all non-central admin web applications

 

    .DESCRIPTION

       Adds the necessary authorizedType elements to all web.config files for all non-central admin web applications

 

    .EXAMPLE

       Add-CodeDomAuthorizedType

 

    #>

    [CmdletBinding()]

    param

    (

    )

    begin

    {

        $farmMajorVersion = (Get-SPFarm -Verbose:$false ).BuildVersion.Major

        $contentService = [Microsoft.SharePoint.Administration.SPWebService]::ContentService

        $typeNames = @( "CodeBinaryOperatorExpression", "CodePrimitiveExpression", "CodeMethodInvokeExpression", "CodeMethodReferenceExpression", "CodeFieldReferenceExpression","CodeThisReferenceExpression", "CodePropertyReferenceExpression")

   

    }

    process

    {

        if( @($contentService.WebConfigModifications | ? { $_.Name -eq "NetFrameworkAuthorizedTypeUpdate" }).Count -gt 0 )

        {

            Write-Warning "Existing NetFrameworkAuthorizedTypeUpdate entries found, this script has to be run only one time per farm."

            return

        }

        if( $farmMajorVersion -le 14 ) # 2010, 2007

        {

            foreach( $typeName in $typeNames )

            {

                # System, Version=2.0.0.0

                $netFrameworkConfig = New-Object Microsoft.SharePoint.Administration.SPWebConfigModification

                $netFrameworkConfig.Path     = "configuration/System.Workflow.ComponentModel.WorkflowCompiler/authorizedTypes"

                $netFrameworkConfig.Name     = "authorizedType[@Assembly='System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'][@Namespace='System.CodeDom'][@TypeName='{0}'][@Authorized='True']" -f $typeName

                $netFrameworkConfig.Owner    = "NetFrameworkAuthorizedTypeUpdate"

                $netFrameworkConfig.Sequence = 0

                $netFrameworkConfig.Type     = [Microsoft.SharePoint.Administration.SPWebConfigModification+SPWebConfigModificationType]::EnsureChildNode

                $netFrameworkConfig.Value    = '<authorizedType Assembly="System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" Namespace="System.CodeDom" TypeName="{0}" Authorized="True"/>' -f $typeName

           

                $contentService.WebConfigModifications.Add($netFrameworkConfig);

            }

        }

        else # 2013+

        {

            foreach( $typeName in $typeNames )

            {

                # System, Version=4.0.0.0

                $netFrameworkConfig = New-Object Microsoft.SharePoint.Administration.SPWebConfigModification

                $netFrameworkConfig.Path     = "configuration/System.Workflow.ComponentModel.WorkflowCompiler/authorizedTypes/targetFx"

                $netFrameworkConfig.Name     = "authorizedType[@Assembly='System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'][@Namespace='System.CodeDom'][@TypeName='{0}'][@Authorized='True']" -f $typeName

                $netFrameworkConfig.Owner    = "NetFrameworkAuthorizedTypeUpdate"

                $netFrameworkConfig.Sequence = 0

                $netFrameworkConfig.Type     = [Microsoft.SharePoint.Administration.SPWebConfigModification+SPWebConfigModificationType]::EnsureChildNode

                $netFrameworkConfig.Value    = '<authorizedType Assembly="System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" Namespace="System.CodeDom" TypeName="{0}" Authorized="True"/>' -f $typeName

           

                $contentService.WebConfigModifications.Add($netFrameworkConfig);

            }

        }

        Write-Verbose "Updating web.configs"

        $contentService.Update()

        $contentService.ApplyWebConfigModifications();

    }

    end

    {

    }   

}

function Remove-CodeDomAuthorizedType

{

    <#

    .Synopsis

       Removes any web configuration entries owned by "NetFrameworkAuthorizedTypeUpdate"

 

    .DESCRIPTION

       Removes any web configuration entries owned by "NetFrameworkAuthorizedTypeUpdate"

 

    .EXAMPLE

        Remove-CodeDomAuthorizedType

    #>

    [CmdletBinding()]

    param()

    begin

    {

        $contentService = [Microsoft.SharePoint.Administration.SPWebService]::ContentService

    }

    process

    {

        $webConfigModifications = @($contentService.WebConfigModifications | ? { $_.Owner -eq "NetFrameworkAuthorizedTypeUpdate" })

        foreach ( $webConfigModification in $webConfigModifications )

        {

            Write-Verbose "Found instance owned by NetFrameworkAuthorizedTypeUpdate"

            $contentService.WebConfigModifications.Remove( $webConfigModification ) | Out-Null

        }

        

        if( $webConfigModifications.Count -gt 0 )

        {

            $contentService.Update()

            $contentService.ApplyWebConfigModifications()

        }

    }

    end

    {

    }   

}

# The following command will get the timerjob responsible for the web.config change deployment

# Get-SPTimerJob | ? { $_.Name -eq "job-webconfig-modification" }

 

# The following command will make the appropriate changes

Add-CodeDomAuthorizedType

# Remove the following command if you have to remove the web.config updates, you can use this function to retract the changes

# Remove-CodeDomAuthorizedType

Need more help?

Expand your skills
Explore Training
Get new features first
Join Microsoft Insiders

Was this information helpful?

Thank you for your feedback!

Thank you for your feedback! It sounds like it might be helpful to connect you to one of our Office support agents.

×