SfB 2015 Server Security Update – July 2020

Today we see a (thankfully) rare occurrence – a security update for Skype for Business Server (both 2015 and 2019). A quick search through my blog history says our last one of those was in September 2015! (Has it really been that long?)

Otherwise it’s been two months since our last bugfix update. That was 6.0.9319.580. This is build 6.0.9319.591, and it updated only two components on my Standard Edition Front-End.

What’s Fixed?

  • KB 4564307 Vulnerability exists when Skype for Business Server incorrectly handles OAuth token validation

This security update resolves vulnerabilities that exist when Skype for Business Server incorrectly handles OAuth token validation. To learn more about these vulnerabilities, see Microsoft Common Vulnerabilities and Exposures CVE-2020-1025:

An elevation of privilege vulnerability exists when Microsoft SharePoint Server and Skype for Business Server improperly handle OAuth token validation. An attacker who successfully exploited the vulnerability could bypass authentication and achieve improper access.

To exploit this vulnerability, an attacker would need to modify the token.

The update addresses the vulnerability by modifying how Microsoft SharePoint Server and Skype for Business Server validate tokens.

What’s New?

Nothing noted. No cmdlets have been added to the SfB module in this update.

What’s Changed?

Nothing noted.

Known Issues

After you install the January 2019 cumulative update 6.0.9319.537 (CU8) for Microsoft Skype for Business Server 2015, the Unified Communications Web API (UCWA) applications, such as Skype for Business on Mac, a web application for UCWA, and Skype for Business mobile clients, can’t make a call or join a meeting. For more information, please see the following article:

UCWA client cannot make a call or join a meeting after installing Skype for Business Server update 6.0.9319.537

Download

Installation

Here’s the “before” view of it going on to my Lab’s Standard Edition Front-End:

Reboot?

The installer didn’t prompt me to reboot, but I always like to give it one for good measure.

Revision History

15th July 2020: This is the initial release.

 
– G.
