Highlighted
Moderator Moderator
Moderator

Re: Workflow Manager - impacted by Microsoft IE scripting engine memory corruption?

Hello @Ralph_Crowley  -

Sorry for any delays in my reply, I wanted to run this not only by our Workflow Manager (WFM) development team for their feedback but also by our in-house Secunia Research team to get their security-focused point of view.

The proposed workaround provided by Microsoft is only temporary measure.  I can confirm that this will impact WFM loading correctly and its general usability.

However, the workaround also impacts other websites from working correctly and also affects several Windows local services including Windows Media Player breaking, USB Local printers stop working, Microsoft Print to PDF breaks, etc.

Based on the recommendations of our security researchers, we do not recommend utilizing this workaround because of the impact it has on other services; we do not consider this a fix and, at the time of this posting, the security issue is still unresolved from Microsoft (for those with access to Flexera Software Vulnerability Research, you can find this referenced in SA93033).

However, we recognize that it's ultimately up to each organization using various affected products, including Workflow Manager, to weight the the cost of not having access to these affected sites and services vs. the risk of leaving this DLL not locked down and to decide what is most important for that organization.

We expect that Microsoft will release a fix later this month in their Patch Tuesday security patch release that will address the current security issue and allow the full use of Windows services and websites, including WFM to function normally.

Let us know if you have any further questions.  Thank you for bringing this up in Community and making other customers aware of this issue.

Expert Flexeran on AdminStudio, Workflow Manager, and Software Vulnerability Manager / Research
If I've answered your question, please mark my response as "Accept as Solution" to help others find answers. Thanks!
Tags (1)
0 Kudos
Highlighted
Moderator Moderator
Moderator

Re: Workflow Manager - impacted by Microsoft IE scripting engine memory corruption?

As expected, Microsoft release a fix for this IE vulnerability as part of today's Patch Tuesday release. More information from Microsoft here:
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-0674
Expert Flexeran on AdminStudio, Workflow Manager, and Software Vulnerability Manager / Research
If I've answered your question, please mark my response as "Accept as Solution" to help others find answers. Thanks!
0 Kudos