ConfigMgr issues with MS13-052 KB2840628

Ah, the importance of testing patches!  I was up with John Nelson until 4:30 on Wednesday night trying to figure out why the CM07 clients couldn’t get content.  Evidently, one of the .NET patches this month causes issues.

 

CM07 only:

We found that this update was causing errors in the MP_Location.log – clients couldn’t get location data to find DPs.

CMPDBConnection::ExecuteSQL(): ICommandText::Execute() failed with 0x80040E14
CHandleLocationRequest::CreateReply failed with error (80040e14).

Uninstalling the patch from our Server 2008 R2 MPs and rebooting them cleared the issue up.  And actually, if you stop SQL before uninstalling the patch, you won’t have to reboot (just remember to start it again).  Also, this may affect only MP replicas since I have not heard of other people having the issue.

We also found it to kill the ability to generate a snapshot on the primary sites and removed it from them as well.

For CM12:

Microsoft is hearing reports about this patch too.  Here is what they had to say about it so far.

Issue 1:

Database replication between sites (CAS/Primary/Secondary) with SQL 2012 will fail. The rcmctrl.log file on the failing site(s) will contain entries similar to the following:

// Launching 2 sprocs on queue ConfigMgrDRSQueue and 0 sprocs on queue ConfigMgrDRSSiteQueue. SMS_REPLICATION_CONFIGURATION_MONITOR The asynchronous command finished with return message: [A .NET Framework error occurred during execution of user-defined routine or aggregate "spDRSActivation": ~~System.TypeInitializationException: The type initializer for 'System.Data.SqlClient.SqlConnection' threw an exception. ---> System.TypeInitializationException: The type initializer for 'System.Data.SqlClient.SqlConnectionFactory' threw an exception. ---> System.TypeInitializationException: The type initializer for 'System.Data.SqlClient.SqlPerformanceCounters' threw an exception. ---> System.MethodAccessException: Attempt by method 'System.Configuration.TypeUtil.CreateInstanceRestricted(System.Type, System.Type)' to access method 'System.Diagnostics.SwitchElementsCollection..ctor()' failed. ---> System.Security.SecurityException: Request failed... [truncated for readability] //

Temporary workarounds

While investigation continues into the best long term solution, the following short term changes can be made to unblock customers in this state:

In SQL Management Studio on the affected server, change the Permission set to Unrestricted for the MessageHandlerService Assembly. This is done in the Assembly properties via:

SQL Server -> Databases -> (Site Database) -> Programmability -> Assemblies -> MessageHandlerService

Once the change is made, replication between sites should automatically recover within 5-10 minutes.

Issue 2:

Software Update Point synchronization may fail at the end of the sync process. The WSyncMgr.log will have entries similar to the following:

// error 14: SQL Error Message Failed to generate documents:A .NET Framework error occurred during execution of user-defined routine or aggregate "fnGenerateLanternDocumentsTable": ~~System.TypeInitializationException: The type initializer for 'System.Data.SqlClient.SqlConnection' threw an exception. ---> System.TypeInitializationException: The type initializer for 'System.Data.SqlClient.SqlConnectionFactory' threw an exception. ---> System.TypeInitializationException: The type initializer for 'System.Data.SqlClient.SqlPerformanceCounters' threw an exception. ---> System.MethodAccessException: Attempt by method 'System.Configuration.TypeUtil.CreateInstanceRestricted(System.Type, System.Type)' to access method 'System.Diagnostics.SwitchElementsCollection..ctor()' failed. ---> System.Security.SecurityException: Request failed... [truncated for readability] //

Temporary workarounds

Similar to Issue 1, the SMSSQLCLR assembly Permission Set can be changed to Unrestricted. From SQL Management Studio:

SQL Server -> Databases -> (Site Database) -> Programmability -> Assemblies -> SMSSQLCLR

Patch Uninstall
Uninstalling KB2840628 has been reported to resolve all issues. However, removal of a security patch should not be a blanket recommendation; instead anyone that wishes to uninstall until a permanent solution is found should assess the risk of exposure in their own environment. Details on the security vulnerability can be found here: https://technet.microsoft.com/en-us/security/bulletin/MS13-052
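
The two SSMS workarounds above can also be scripted, which leaves a record of what was loosened so it can be put back once a permanent fix is available. This T-SQL is an added example, not part of the original post or of Microsoft's guidance; it assumes it is run in the site database by a sysadmin, and it relies on the SSMS "Unrestricted" permission set being PERMISSION_SET = UNSAFE in T-SQL.

```sql
-- Added example (not from the original post). Run in the site database.
-- Assembly names are the two named in the workarounds above.

-- 1. Capture the current permission sets and a ready-made revert statement.
--    Save this output before changing anything.
SELECT a.name,
       a.permission_set_desc,
       a.modify_date,
       N'ALTER ASSEMBLY ' + QUOTENAME(a.name) + N' WITH PERMISSION_SET = '
         + CASE a.permission_set_desc
               WHEN N'SAFE_ACCESS'     THEN N'SAFE'
               WHEN N'EXTERNAL_ACCESS' THEN N'EXTERNAL_ACCESS'
               ELSE N'UNSAFE'
           END + N';' AS revert_statement
FROM sys.assemblies AS a
WHERE a.name IN (N'MessageHandlerService', N'SMSSQLCLR');

-- 2. Unless the assembly is signed with a key or certificate whose login has
--    been granted UNSAFE ASSEMBLY, the change requires the database to be
--    marked TRUSTWORTHY. Check before attempting it.
SELECT name, is_trustworthy_on
FROM sys.databases
WHERE name = DB_NAME();

-- 3. Apply the workaround. Run only the statement for the issue observed.
-- Issue 1 (rcmctrl.log, spDRSActivation):
ALTER ASSEMBLY [MessageHandlerService] WITH PERMISSION_SET = UNSAFE;
-- Issue 2 (WSyncMgr.log, fnGenerateLanternDocumentsTable):
ALTER ASSEMBLY [SMSSQLCLR] WITH PERMISSION_SET = UNSAFE;

-- 4. Confirm the change. Re-run this after the permanent fix is in place and
--    the revert statements from step 1 have been applied, to verify the
--    assemblies are back to what step 1 recorded.
SELECT name, permission_set_desc, modify_date
FROM sys.assemblies
WHERE is_user_defined = 1
ORDER BY name;
```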

  • MidniteA

    Same issue–we have a premier case open since last Wed. Ours is a less complicated config, but it broke WSUS sync and imaging through the PXE service point–we’re not using SQL replication. Primary site server is WS08 R2 SP1, SQL 2012, SCCM 2012 SP1 cu1. PXE service point server is WS12.

    “SMS_STATE_SYSTEM” component to start throwing SQL errors, and it was tossing every state system message received into the “corrupt” folder. Our errors were very similar to what is in kb 2709082, which after we tried that (and it didn’t work), led me to the .net hotfixes possibly being the issue. I looked up SC 2012 and saw it used .net 4, then looked at 2840628 and 2835393, of which 2840628 had a file with “Sql” in the name, so we tried uninstalling it from the primary site server and that worked.