Print Nightmare Fixlets

When can we expect HCL to give us content for this,
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527 under the heading “Security Updates”?

It appears MS updated this today (7/6) to include most OS hotfixes (some still missing).

I am also waiting for it.
Do we need to install the patch manually?

Normal SLA for fixlets for critical patches is 24 hours, so I am sure HCL will deliver them later today.

They are out

Don’t see KB5004959 yet (2008 base). If a customer is not signed up for the extended service update program for 2008, are they not entitled to the fix?

Is there something special I need to do to get these to become available in my BigFix deployment servers? Do I have to manually ‘pull’ them down or will they just ‘arrive’ on their own? If they ‘arrive’ on their own, how long does that typically take once HCL makes them available?

@jbruns2017
The Windows 2008 ESU Fixlets are in progress.
You are correct in your entitlement observation.

@Gina
If your BigFix server is in default configuration, it should gather within the hour and the new Fixlets show up in your console automatically, just like normal.

If your BigFix server is air gapped, you will need to follow your regular air-gap process to get the new Fixlets across.

If you want to hurry things along, you can stimulate a site gather in the BigFix console.

Meaning, if a customer is not signed up for ESU, they are not entitled to it?

@jbruns2017
There are two layers to this answer.

  1. If you are not entitled from Microsoft with an ESU license, and the other pre-requisites from Microsoft are not met, then the patches in question will fail when you try to install them (regardless of inside or outside of BigFix).
    https://docs.microsoft.com/en-us/windows-server/get-started/extended-security-updates

  2. You will only see the Fixlets in your BigFix Console if you are entitled to the ESU Patching Add-on for Windows 2008 site from HCL.
    https://help.hcltechsw.com/bigfix/10.0/patch/Patch/Patch_ESU/c_introduction.html

I think it would be in Microsoft’s interests to release the Win7/8/2008 out of band patches to the public, rather than only to their ESU licensees.

There is a conference call at 1:30PM central time with MS and what I presume will be 1000’s of attendants and we or someone will need to ask that question.

2012 and 2016 fixes are now in the MS catalog. Hopefully, HCL will be soon after.

2012
KB5004960

2016
KB5004948

MS said on the call, tough luck. No ESU, no fix. Nice of em.

@jbruns2017 will be early tomorrow for the 3 that MS released this afternoon.

@brolly33 - thank you so much, this worked for me!

I know that’s not the answer anyone wanted, but to be fair…while this particular vulnerability has gotten a lot of attention, if you don’t have ESU patching then the systems are already two years behind on many other critical vulnerabilities.

If one is still supporting Win7/2008 without ESU patches, those systems are already a target.

Any status on KB5004948 (2016) and KB5004960 (2012)? I don’t see them in BigFix yet.

Can’t agree with you more. I just seem to remember MS giving out RDP fixes a while back and no ESU was required. Hopefully this will push BU’s to get rid of the old crap.

They are published.
