mskb | Microsoft | KB5002111
History: Jan 11, 2022 - 8:00 a.m.

Description of the security update for SharePoint Server Subscription Edition: January 11, 2022 (KB5002111)

Published: 2022-01-11 08:00:00
Source: Microsoft (support.microsoft.com)
Tags: sharepoint server, subscription edition, security update, remote code execution, vulnerability, microsoft office, improvements, fixes, web.config, permissions, quick edit, sql server, performance, managed metadata services, modern user experience, aria attributes, people picker, accessibility, powershell, document sets, token folder, new link dialog, certificate assignment, openid connect, calendar view, onedrive

CVSS2
Score: 9
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS3
Score: 8.8
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score: 9.1
Confidence: High

EPSS: 0.082
Percentile: 94.5%

Summary

This security update resolves a Microsoft SharePoint Server remote code execution vulnerability and a Microsoft Office remote code execution vulnerability. To learn more about the vulnerabilities, see Microsoft Common Vulnerabilities and Exposures CVE-2022-21837 and Microsoft Common Vulnerabilities and Exposures CVE-2022-21840.

Improvements and fixes

This security update contains fixes and improvements for the following nonsecurity issues in SharePoint Server Subscription Edition:

  • To better protect and strengthen the security of SharePoint, SharePoint now restricts access to its Web.config files. Users cannot access Web.config files unless they're local administrators, farm administrators, or managed by SharePoint. This change does not impact standard SharePoint functionality. For more information about this improvement, see Permissions of Web.config files are restricted in SharePoint Server (KB5010126).
  • Fixes an issue in which you cannot copy and paste list items in quick edit mode by using a modern browser.
  • Removes unnecessary stored procedure executions that can cause SQL Server deadlocks when multiple apps are present on a page together with a high user load.
  • Improves the page rendering performance.
  • Fixes an issue in which all other terms of the hierarchy are selected if a subterm is selected when you filter a Managed Metadata Services (MMS)-based column in modern user experience (UX).
  • Fixes an issue in which the hidden nodes of the left navigation pane are shown in the modern team site when the Publishing feature is enabled.
  • Fixes an issue in which you cannot add an event to a modern site page.
  • Fixes an issue in which the Content Deployment feature cannot publish incremental changes.
  • Fixes an issue in which several ARIA attributes of the People Picker are not allowed in a new item of a modern team site.
  • Fixes an issue in which the field does not have a rectangular border when it is focused on in the edit list dialog box.
  • Fixes an issue in which the username is truncated on the ribbon at the top of the screen if the selected language is he-il (Hebrew - Israel).
  • Fixes an issue in which a scope property is shown in SAML providers.
  • Fixes an issue in which the document sets that contain non-ASCII characters are not crawled successfully.
  • Fixes an issue in which a recursive token folder copy occurs when you run the Copy-SPSideBySideFiles cmdlet to do an upgrade that fails to delete the older token folders.
  • Fixes an accessibility issue in which the focus is going out of the New link dialog box when you use the Tab key to navigate.
  • Fixes an issue in which you cannot replace the certificate assignment when the certificate is not assigned during the import certificate operation.
  • Fixes an issue in which the Create list pane is opened two times when you use the keyboard to activate the Add a list button.
  • Fixes an issue in which a No UI error message occurs when a group member tries to share a modern team site.
  • Fixes an issue in which the new OpenID Connect (OIDC) token issuer cannot use the UPA-backed claim provider.
  • Fixes an issue in which changing the start day of the week from other days back to Sunday does not work for calendar view.
  • Fixes an issue in which the recently shared item is not displayed immediately in the OneDrive mobile app for Android because of an incorrect site URL of the recently shared item.
  • Fixes an issue in which the focus is not visible for the show actions button in the high contrast mode of the Site Contents page.
  • Fixes an issue in which the More Options button is not descriptive in the Comments section of a page.
  • Fixes an issue in which the New Site button is missing on the Site Contents page when the zoom value is set to 200 percent.
  • Fixes an issue in which you cannot access _admin/certificatesettings.aspx by using the least-restrictive permissions.
  • Fixes an issue in which you receive a "RequestNotSupported" Cobalt error when you replace a duplicate file from a SharePoint Server 2010 content database in the modern UI.
  • Fixes an issue in which selecting the New button in the form library opens a dialog box to upload files instead of opening the InfoPath client application.
  • Fixes an issue in which selecting an existing form in a form library that is set to OpenInClient does not start the InfoPath client application, and you receive the following error message:

This action couldn't be performed because Office doesn't recognize the command it was given.
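
To check the Web.config restriction from the first item in the list above on a patched server, the following added example (not part of the Microsoft article and not Microsoft's code) flags Web.config files that broad built-in principals can still read. The default virtual directory root and the choice of which well-known SIDs count as too broad are assumptions; KB5010126 is the reference for the intended permissions.

```powershell
# Added example (not Microsoft's code): flag web.config files that broad
# principals can still read. $Root and $broadSids are assumptions; adjust them.
param(
    [string]$Root = 'C:\inetpub\wwwroot\wss\VirtualDirectories'
)

# Well-known SIDs treated here as "not an administrator" (assumed policy).
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
# Bit that grants reading file contents (FILE_READ_DATA).
$readBit = [int][System.Security.AccessControl.FileSystemRights]::ReadData
$sidType = [System.Security.Principal.SecurityIdentifier]

$files = Get-ChildItem -Path $Root -Filter 'web.config' -Recurse -File -ErrorAction SilentlyContinue

$findings = foreach ($file in $files) {
    $acl = Get-Acl -LiteralPath $file.FullName
    foreach ($ace in $acl.Access) {
        # Only Allow entries that include read access are of interest.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.FileSystemRights -band $readBit) -eq 0) { continue }

        # Compare by SID so localized account names do not matter.
        try   { $sid = $ace.IdentityReference.Translate($sidType).Value }
        catch { continue }   # orphaned or unresolvable account

        if ($broadSids.ContainsKey($sid)) {
            [pscustomobject]@{
                File      = $file.FullName
                Principal = $broadSids[$sid]
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize -Wrap
} else {
    Write-Output "No broad read access found on web.config files under $Root"
}
```

Run it from an elevated PowerShell session on each SharePoint server, since reading ACLs under the virtual directory root may itself require administrator rights.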

This security update also contains fixes and improvements for the following nonsecurity issues in SharePoint Server Subscription Edition. To enable the improvements or fix the issues completely, you have to install KB 5002110 together with this update.

  • Fixes an issue in which the Export-SPCertificate cmdlet parameter names don't match in PowerShell help.
  • Fixes an issue in which the Name list web part is not defined for the tick button in the attachments edit field.
  • Capitalizes the word "database" in the PowerShell descriptions of the Add-SPShellAdmin, Get-SPShellAdmin, and Remove-SPShellAdmin cmdlets.
  • Fixes an issue in which the More options button is not accessible by using the keyboard when the zoom value is set to 400 percent.

How to get and install the update

Method 1: Microsoft Update

This update is available from Microsoft Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to get security updates automatically, see Windows Update: FAQ.

Method 2: Microsoft Update Catalog

To get the standalone package for this update, go to the Microsoft Update Catalog website.

Method 3: Microsoft Download Center

You can get the standalone update package through the Microsoft Download Center. Follow the installation instructions on the download page to install the update.

  • Download security update 5002111 for the 64-bit version of SharePoint Server Subscription Edition

More information

Security update deployment information

For deployment information about this update, see Security update deployment information: January 11, 2022 (KB5010029).

Security update replacement information

This security update replaces previously released security update 5002045.

File hash information

File name SHA256 hash
sts-subscription-kb5002111-fullfile-x64-glb.exe 39DDC16F03A730B804C8C7D70B9CB16B68464542BBBB286489847232751A15BD

File information

Download the list of files that are included in security update 5002111.

Information about protection and security

Protect yourself online: Windows Security support
Learn how we guard against cyber threats: Microsoft Security

Change history

The following table summarizes some of the most important changes to this topic.

Date Description
February 11, 2022 Removed the "Known issues in this update" section and added the KB5010126 as an improvement into the "Improvements and fixes" section.
