Has anyone else who uses WFM applied the Microsoft patch for the IE scripting engine memory corruption vulnerability & noticed any impacts? In our environment we can no longer access any of our WFM instances (production or dev) since applying a fix for this JScript vulnerability. We've opened a support case, but curious if others have noticed any issues. Thanks
‎Jan 24, 2020 08:03 AM
‎Jan 24, 2020 10:14 AM
‎Jan 24, 2020 10:15 AM
‎Jan 27, 2020 02:57 PM
Yes, the change actually blocks all browser access to WFM (Chrome, Edge, etc.), along with IE. The change updates permissions on the Jscript.dll file to deny access to everyone, & apparently this is not just IE specific.
‎Jan 29, 2020 08:25 AM
Hello @Ralph_Crowley -
Sorry for any delays in my reply, I wanted to run this not only by our Workflow Manager (WFM) development team for their feedback but also by our in-house Secunia Research team to get their security-focused point of view.
The proposed workaround provided by Microsoft is only a temporary measure. I can confirm that this will impact WFM loading correctly and its general usability.
However, the workaround also keeps other websites from working correctly and also affects several Windows local services, including Windows Media Player breaking, USB local printers no longer working, Microsoft Print to PDF breaking, etc.
Based on the recommendations of our security researchers, we do not recommend utilizing this workaround because of the impact it has on other services; we do not consider this a fix and, at the time of this posting, the security issue is still unresolved from Microsoft (for those with access to Flexera Software Vulnerability Research, you can find this referenced in SA93033).
However, we recognize that it's ultimately up to each organization using various affected products, including Workflow Manager, to weigh the cost of not having access to these affected sites and services vs. the risk of leaving this DLL not locked down and to decide what is most important for that organization.
We expect that Microsoft will release a fix later this month in their Patch Tuesday security patch release that will address the current security issue and allow the full use of Windows services and websites, including WFM, to function normally.
Let us know if you have any further questions. Thank you for bringing this up in Community and making other customers aware of this issue.
‎Feb 05, 2020 12:55 PM
‎Feb 12, 2020 10:59 AM