CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
AI Score
Confidence
High
EPSS
Percentile
100.0%
This security update includes improvements and fixes that were a part of update KB4019217 (released May 16th, 2017) and resolves the following issues:
Symptom | Workaround |
---|---|
When you print a specific iframe or frame in a web page, the print output may be blank, or text is printed that resembles the following: |
404 – Not Found
(A frame is a part of a web page or browser window that displays content independent of its container. A frame can load content independently.)This problem has also been observed in both Internet Explorer versions 9 through 11, and in applications that host the IE Web Browser Control. | This issue is resolved by KB4022720.
If an iSCSI target becomes unavailable, attempts to reconnect will cause a leak. Initiating a new connection to an available target will work as expected.| Microsoft is working on a resolution and will provide an update in an upcoming release.
For more information about this issue, see the following section.
__
More information about the iSCSI issue
Windows Server 2012 R2 and Server 2016 computers that experience disconnections to iSCSI attached targets may show many different symptoms. These include, but are not limited to:
This issue is caused by a locking issue on Windows Server 2012 R2 and Windows Server 2016 RS1 computers, causing connectivity issues to the iSCSI targets. The issue can occur after installing any of the following updates:Windows Server 2012 R2Release date | KB | Article title |
---|---|---|
May 16, 2017 | KB 4015553 | April 18, 2017—KB4015553 (Preview of Monthly Rollup) |
May 9, 2017 | KB 4019215 | May 9, 2017—KB4019215 (Monthly Rollup) |
May 9, 2017 | KB 4019213 | May 9, 2017—KB4019213 (Security-only update) |
April 18, 2017 | KB 4015553 | April 18, 2017—KB4015553 (Preview of Monthly Rollup) |
April 11, 2017 | KB 4015550 | April 11, 2017—KB4015550 (Monthly Rollup) |
April 11, 2017 | KB 4015547 | April 11, 2017—KB4015547 (Security-only update) |
March 21, 2017 | KB 4012219 | March 2017 Preview of Monthly Quality Rollup for Windows 8.1 and Windows Server 2012 R2 |
**Windows Server 2016 RTM (RS1)**Release date | KB | Article title |
— | — | — |
May 16, 2017 | KB 4023680 | May 26, 2017—KB4023680 (OS Build 14393.1230) |
May 9, 2017 | KB 4019472 | May 9, 2017—KB4019472 (OS Build 14393.1198) |
April 11, 2017 | KB 4015217 | April 11, 2017—KB4015217 (OS Build 14393.1066 and 14393.1083) |
Verification
c:\windows\system32\drivers\msiscsi.sys
The version that will expose this behavior is 6.3.9600.18624 for Windows Server 2012 R2 and version 10.0.14393.1066 for Windows Server 2016.
* The following events are logged in the System log:Event source | ID | Text |
---|---|---|
iScsiPrt | 34 | A connection to the target was lost, but the Initiator successfully reconnected to the target. Dump data contains the target name. |
iScsiPrt | 39 | The Initiator sent a task management command to reset the target. The target name is given in the dump data. |
iScsiPrt | 9 | Target did not respond in time for a SCSI request. The CDB is given in the dump data. |
Get-NetTCPConnection | Group-Object -Property State, OwningProcess | Sort Count
Or, from an administrative CMD prompt, run the following NETSTAT command together with the “Q” switch. This shows “bound” ports that are no longer connected:
NETSTAT –ANOQ
Focus on ports that are owned by the SYSTEM process.
For the three previous points, anything more than 12,000 should be considered suspect. If iSCSI targets are present in the computer, there is high probability that the issue will occur.
Resolution
If the event logs indicate that many reconnections are occurring, work with your iSCSI and network fabric vendor to help diagnose and correct the reason for the failure to maintain connections to iSCSI targets. Make sure that iSCSI targets can be accessed over the current network fabric. Install updated fixes when they become available. This article will be updated with the specific KB article number of the fix to install when it becomes available.
Note We do not recommend that you uninstall any of the March, April, May, or June security rollups. Doing so will expose the computers to known security exploits and other bugs that are mitigated by monthly updates. We recommend that you first work with iSCSI target and network vendors to resolve the connectivity issues that are triggering target reconnects.
How to get this updateThis update will be downloaded and installed automatically from Windows Update. To get the stand-alone package for this update, go to the Microsoft Update Catalog website.
Installation steps for systems using AMD Carrizo DDR4 processor or Windows Server 2012 R2 systems using Xeon E3V6 processor:
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
AI Score
Confidence
High
EPSS
Percentile
100.0%