
Update required for all Patch Manager installations before installing 1024-bit RSA Key Invalidation Update (MS KB2661254)

Level 17

For all Patch Manager customers with active maintenance, we have posted an update to your customer portal and to the product download page. This update, v1.73, is designed to ensure continued functionality of all Patch Manager installations, which will be adversely affected by the installation of the Microsoft update KB2661254. KB2661254 is scheduled for release on Patch Tuesday - August 14, 2012.

KB2661254 will invalidate all RSA-based certificates with key lengths of less than 1024 bits and has been discussed in several Microsoft postings of late, most notably the following:

How does Microsoft KB2661254 affect my Patch Manager installation?

This affects all existing Patch Manager installations, as all versions are currently based on 512-bit key lengths. Certificates are used in Patch Manager to authenticate console-to-server connections, as well as to authenticate server-to-server connections when additional Patch Manager servers have been deployed in the environment. Patch Manager v1.73 replaces the existing 512-bit certificate with 2048-bit certificates.

What do I need to do to address this issue?

You should defer deploying KB2661254 to your Patch Manager servers and console systems until they have been successfully updated to Patch Manager v1.73.

The Patch Manager v1.73 update must be applied to your Primary Application Server (PAS) first, and then to any additional servers or console installations. Once the v1.73 update is applied to the PAS, and until the v1.73 update is applied to the additional servers, the entire Patch Manager environment will be offline, as the additional servers will be unable to communicate with the updated PAS.

Furthermore, until the Patch Manager v1.73 update is applied to the remote consoles, those consoles will be unable to connect to any Patch Manager v1.73 Application Server.

To be specific -- any Patch Manager server or console prior to v1.73 cannot communicate with a Patch Manager server upgraded to v1.73.

We have provided this update as soon as we were able to complete testing so that you will have sufficient time to plan and implement this update prior to deploying KB2661254.

In addition to this certificate subsystem update, Patch Manager v1.73 also includes a roll-up of a fix we released in May that changes how we authenticate with remote systems using credentials. This will provide more reliable authentication with Patch Manager clients, and eliminate many issues that were previously encountered as a result of User Account Control (UAC) interference.
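The announcement above turns on RSA certificates with keys shorter than 1024 bits. The following is an added example, not part of the original post and not SolarWinds code, showing one way to list such certificates on a server or console before KB2661254 is deployed. It assumes Windows PowerShell and scans every LocalMachine and CurrentUser certificate store, because the post does not say which store Patch Manager uses.

```powershell
# Added example: report RSA certificates with public keys below 1024 bits,
# the threshold the post gives for KB2661254.
# Assumption: run in Windows PowerShell on the system being checked.
$minBits = 1024
$rsaOid  = '1.2.840.113549.1.1.1'   # OID for rsaEncryption public keys

$weak = foreach ($root in 'Cert:\LocalMachine', 'Cert:\CurrentUser') {
    Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
        # The Cert: provider also returns store and location objects; keep certificates only.
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
        ForEach-Object {
            $cert = $_
            # Skip non-RSA keys (DSA, ECC); the post concerns RSA only.
            if ($cert.PublicKey.Oid.Value -ne $rsaOid) { return }
            try {
                $bits = $cert.PublicKey.Key.KeySize
            } catch {
                Write-Warning "Could not read key size for $($cert.Thumbprint): $_"
                return
            }
            if ($bits -lt $minBits) {
                $cert | Select-Object `
                    @{ Name = 'Store';   Expression = { ($_.PSParentPath -split '::')[-1] } },
                    Subject,
                    Thumbprint,
                    @{ Name = 'KeyBits'; Expression = { $bits } },
                    NotAfter
            }
        }
}

if ($weak) {
    $weak | Sort-Object Store, Subject | Format-Table -AutoSize
} else {
    Write-Output "No RSA certificates with keys below $minBits bits were found."
}
```

CurrentUser results cover only the account running the script, so run it under each account that uses the console if per-user stores matter.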

Level 17

UPDATE: Microsoft did not release this update to WSUS (or WU/MU) today. Instead the update was released to the Microsoft Download Center and to the Microsoft Catalog only.

It will be released to Microsoft Update (and, by extension, WSUS) in October, 2012.

For those that do want to deploy this update earlier, you can use the WSUS Import Updates feature to import the update from the Microsoft Catalog.

Level 10

I think there is a typo in the article. After the section labeled What do I need to do to address this issue, it lists KB2661264. Should that be KB2661254?



Level 17

Good catch, Jay. Thank you. I have corrected the original article.

About the Author
I'm a Head Geek and technical product marketing manager at SolarWinds. I wrote my first computer program in RPG-II in 1974 to calculate quadratic equations and tested it on some spare weekend cycles on an IBM System/3 that I ‘borrowed’ from my father’s employer. After that I dabbled, studied, and actually programmed in just about every language known for the past 40 years; worked on a half-dozen different variants of Unix on 3B2s, RS6000s, HP9000s, Sparc workstations, and Intel systems; connected to CompuServe on a 300 baud modem; ran a FidoNet BBS on OS/2 on a 9600 bps modem; and started working with Windows when Windows NT4 was still the latest operating system. Along the way, I did a few years in database programming and database administration. I installed some of the first ADSL and SDSL Internet circuits in Texas, and then migrated into full-time Windows systems management, which had a lot to do with my interest in SUS and WSUS 10 years ago. This ultimately led me to EminentWare in 2009, and SolarWinds three years later.