Today we see a (thankfully) rare occurrence – a security update for Skype for Business Server (both 2015 and 2019). A quick search through my blog history says our last one of those was for SfBS 2015 back in September 2015! (Has it really been that long?)
Otherwise it’s been four months since our last bugfix update, to CU2 HF1 (7.0.2046.216). This is build 7.0.2046.236 and it updated only three components on my Standard Edition Front-End.
At the time of writing this post (July 15th), the main KB article hasn’t been fully updated. Its “Improvements and fixes in the July 2020 update” section still lists the content from the March update.
If you drill further into the listed fixes below, however, you do find yourself at the same OAuth-related security fix as SfBS 2015, as per my previous post today.
- KB 4564309 Vulnerability exists when Skype for Business Server incorrectly handles OAuth token validation
This security update resolves vulnerabilities that exist when Skype for Business Server incorrectly handles OAuth token validation. To learn more about these vulnerabilities, see Microsoft Common Vulnerabilities and Exposures CVE-2020-1025:
An elevation of privilege vulnerability exists when Microsoft SharePoint Server and Skype for Business Server improperly handle OAuth token validation. An attacker who successfully exploited the vulnerability could bypass authentication and achieve improper access.
To exploit this vulnerability, an attacker would need to modify the token.
The update addresses the vulnerability by modifying how Microsoft SharePoint Server and Skype for Business Server validate tokens.
No cmdlets have been added to the SfB module in this update.
Here’s the “before” view of it going on to my Lab’s Standard Edition Front-End:
The installer didn’t prompt me to reboot, but I always like to give it one for good measure.
15th July 2020: This is the initial release.
16th July 2020: Updated the download links.