Issues Reported with MS13-052 (KB2840628) and Configuration Manager

Updated 8/22/2013 – The MS13-052 update published under KB 2840628 has been revised to include the fix for the issues reported below. New installations of MS13-052 as of August 13, 2013 will no longer require the additional standalone hotfix KB 2872041.

Updated 7/29/2013 – Hotfix available

We have confirmed a few different issues with the latest .NET Framework 4 security update, KB 2840628, when applied to SQL Server 2012 (all versions) servers in a Configuration Manager environment.

A standalone hotfix, KB 2872041, is now available to correct this issue. The new hotfix should be applied to any SQL Server 2012 installation with KB 2840628 that houses a Configuration Manager role, such as a site database or database replica.

KB2872041: .NET Framework 4 applications that rely on a partial trust host may encounter errors

Application of this hotfix should resolve all of the issues noted in this blog post.

 

Issue 1: System Center 2012 Configuration Manager

Database replication between sites (central administration site/primary site/secondary site) with SQL Server 2012 will fail.

The rcmctrl.log file on the failing sites will contain entries similar to the following:

//

Launching 2 sprocs on queue ConfigMgrDRSQueue and 0 sprocs on queue ConfigMgrDRSSiteQueue.                SMS_REPLICATION_CONFIGURATION_MONITOR

The asynchronous command finished with return message: [A .NET Framework error occurred during execution of user-defined routine or aggregate "spDRSActivation": ~~System.TypeInitializationException: The type initializer for 'System.Data.SqlClient.SqlConnection' threw an exception. ---> System.TypeInitializationException: The type initializer for 'System.Data.SqlClient.SqlConnectionFactory' threw an exception. ---> System.TypeInitializationException: The type initializer for 'System.Data.SqlClient.SqlPerformanceCounters' threw an exception. ---> System.MethodAccessException: Attempt by method 'System.Configuration.TypeUtil.CreateInstanceRestricted(System.Type, System.Type)' to access method 'System.Diagnostics.SwitchElementsCollection..ctor()' failed. ---> System.Security.SecurityException: Request failed… [truncated for readability]

//

Temporary workaround:

Until the revised update is available, you can make the following short-term changes to recover from this issue:

In SQL Management Studio on the affected server, change the permission set to Unrestricted for the MessageHandlerService assembly. This is done in the assembly properties via:

SQL Server -> Databases -> (Site Database) -> Programmability -> Assemblies -> MessageHandlerService -> Right-click and select Properties -> highlight General -> expand the “Permission set” drop-down -> select Unrestricted.

When the change is made, replication between sites should automatically recover within 5-10 minutes.

Issue 2: System Center 2012 Configuration Manager

Synchronization of the software update point might fail at the end of the synchronization process. The WSyncMgr.log will have entries similar to the following:

//

error 14: SQL Error Message Failed to generate documents:A .NET Framework error occurred during execution of user-defined routine or aggregate "fnGenerateLanternDocumentsTable": ~~System.TypeInitializationException: The type initializer for 'System.Data.SqlClient.SqlConnection' threw an exception. ---> System.TypeInitializationException: The type initializer for 'System.Data.SqlClient.SqlConnectionFactory' threw an exception. ---> System.TypeInitializationException: The type initializer for 'System.Data.SqlClient.SqlPerformanceCounters' threw an exception. ---> System.MethodAccessException: Attempt by method 'System.Configuration.TypeUtil.CreateInstanceRestricted(System.Type, System.Type)' to access method 'System.Diagnostics.SwitchElementsCollection..ctor()' failed. ---> System.Security.SecurityException: Request failed… [truncated for readability]

//

Temporary workaround:

Similar to Issue 1, the SMSSQLCLR assembly Permission Set can be changed to Unrestricted. From SQL Management Studio:

SQL Server -> Databases -> (Site Database) -> Programmability -> Assemblies -> SMSSQLCLR
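
The permission-set change described for Issue 1 and Issue 2, written as T-SQL so the previous setting is recorded before it is loosened. This is an added example, not part of the original post; CM_XYZ is a placeholder for the site database name, and the "Unrestricted" choice in the Management Studio dialog corresponds to PERMISSION_SET = UNSAFE.

```sql
-- Added example (not from the original post).
-- CM_XYZ is a placeholder: substitute the name of the site database.
USE [CM_XYZ];
GO

-- 1. Record the current permission set of both assemblies before changing
--    anything, and generate the statement that puts each one back.
--    Save this output with the change record for the temporary workaround.
SELECT a.name,
       a.permission_set_desc AS current_permission_set,
       N'ALTER ASSEMBLY ' + QUOTENAME(a.name)
         + N' WITH PERMISSION_SET = '
         + CASE a.permission_set
             WHEN 1 THEN N'SAFE'
             WHEN 2 THEN N'EXTERNAL_ACCESS'
             WHEN 3 THEN N'UNSAFE'
           END
         + N';' AS rollback_statement
FROM sys.assemblies AS a
WHERE a.name IN (N'MessageHandlerService', N'SMSSQLCLR');
GO

-- 2. Apply the workaround only for the issue actually observed.
--    Setting an assembly to UNSAFE requires sysadmin membership.
ALTER ASSEMBLY [MessageHandlerService]
    WITH PERMISSION_SET = UNSAFE;   -- Issue 1 and Issue 4
ALTER ASSEMBLY [SMSSQLCLR]
    WITH PERMISSION_SET = UNSAFE;   -- Issue 2 and Issue 3
GO

-- 3. Audit: list every user-defined assembly in the site database that now
--    runs with the unrestricted permission set, so the temporary change is
--    visible to whoever reviews the server later.
SELECT name, permission_set_desc, modify_date
FROM sys.assemblies
WHERE is_user_defined = 1
  AND permission_set_desc = N'UNSAFE_ACCESS'
ORDER BY name;
GO
```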

Issue 3: Configuration Manager 2007

Client location requests for content do not return any distribution points. This occurs when the management point and site database (either directly or via SQL replica) are on the same server. The MP_Location.log on the management point will have entries similar to the following:

//

CMPDBConnection::ExecuteSQL(): ICommandText::Execute() failed with 0x80040E14

CHandleLocationRequest::CreateReply failed with error (80040e14).

//

Temporary workaround:

Use the same procedure noted in the previous section for Issue 2.

Issue 4: System Center 2012 Configuration Manager

The component status for State System will be set to “Critical” when viewed in the administrator console.

The statesys.log file will contain entries similar to the following:

//

*** *** Unknown SQL Error!

CMessageProcessor – Encountered a non-fatal SQL error while processing

CMessageProcessor – Non-fatal error while processing <filename>.SMX

//

Temporary workaround:

Use the same procedure noted for Issue 1.

 

Uninstall

Although uninstalling KB2840628 will resolve all 4 issues, we do not recommend this action as a solution because it will leave your environment vulnerable to the security issues that the update resolves. For more information about the security vulnerabilities addressed by KB2840628, see the following Microsoft security bulletin:

https://technet.microsoft.com/en-us/security/bulletin/MS13-052
Instead of uninstalling the original update KB2840628, Microsoft recommends installing the latest hotfix referenced at the beginning of this article – KB 2872041.

 
Thank you,

–Configuration Manager Sustained Engineering

This posting is provided “AS IS” with no warranties and confers no rights.