After applying .NET security fixes released in September 2018 to address CVE-2018-8421 SharePoint workflows stop working


After applying .NET Security Only patch to resolve CVE-2018-8421 (Remote Code Execution Vulnerability), all SharePoint out of the box Workflow fails to execute and the log will show an error like this:

09/13/2018 01:59:07.57 w3wp.exe (0x1868) 0x22FC SharePoint Foundation Workflow Infrastructure 72fs Unexpected RunWorkflow: 

Microsoft.SharePoint.SPException: <Error>
<CompilerError Line="-1" Column="-1" Text="Type System.CodeDom.CodeBinaryOperatorExpression is not marked as authorized in the application configuration file." />
<CompilerError Line="-1" Column="-1" Text="Type System.CodeDom.CodeBinaryOperatorExpression is not marked as authorized in the application configuration file." />
<CompilerError Line="-1" Column="-1" Text="Type System.CodeDom.CodeBinaryOperatorExpression is not marked as authorized in the application configuration file." />
<CompilerError Line="-1" Column="-1" Text="Type System.CodeDom.CodeBinaryOperatorExpression is not marked as authorized in the application configuration file." />
<CompilerError Line="-1" Column="-1"…

For more details about the issue, a technical explanation and the solution, please have a look at the blog post created by my colleauge Rodney Viana:

Comments (11)

  1. Luigi Bruno says:

    Are you aware of any potential impact on the custom workflows running on the Workflow Manager?

    1. Hi Luigi,
      it affects all Workflows using the SharePoint 2010 engine. Of course also those created with SharePoint Designer.
      Cheers,
      Stefan

  2. Sibylla_B says:

    Hello Stefan,
    is this error solved by one of the updates released yesterday?
    Thanks!
    Sibylla

    PS: Thank you for blogging all these information around updates! Unfortunately the (very good) rating for your blog posts does not work for me.

    1. Hi Sibylla,
      no the October CU does not include fixes for this.
      It is recommended to apply the script in the linked article to fix this.
      Cheers,
      Stefan

      1. Sibylla_B says:

        Thanks for the quick answer, Stefan!
        Do you know if it is planned to have this solved by a PU / CU in the future? (or another .NET update?)
        Sibylla

        1. Hi Sibylla,
          it is planned to release a fix – but this fix will be identical with the web.config changes listed in the article.
          Cheers,
          Stefan

          1. Sibylla_B says:

            Hi Stefan,
            thanks for all these information.
            Have a good day
            Sibylla

  3. SteveAFC says:

    Hello Stefan,

    If we apply the changes to our web.config and then apply an older CU (For example June 2018), will the CU revert the web.config changes?

    If so, does this mean that we would need to apply the web.config change after every CU until MSFT releases it’s own fix in a future CU?

    Thanks.

    1. Hi Steve,
      installing an older CU should not revert these changes.
      Cheers,
      Stefan

Skip to main content