
On-Premises Dynamics 365 Business Central and Dynamics NAV vs CVE-2022-41127: all you need to know

Below you will find a recap of the security bulletin "CVE-2022-41127 - Security Update Guide - Microsoft - Microsoft Dynamics NAV and Microsoft Dynamics 365 Business Central (On Premises) Remote Code Execution Vulnerability" and the action to take for all on-premises versions of Dynamics 365 Business Central and Dynamics NAV.

 

DYNAMICS 365 BUSINESS CENTRAL

 

Regarding Dynamics 365 Business Central, you can follow the simple table provided below. The minor version represents the earliest build where the issue has been fixed. For versions that are out of support in the modern lifecycle, the DVD was refreshed by December 2022 with a new one that contains the platform changes to resolve the security problem.

 

| Dynamics 365 Business Central Major Version | Lifecycle Type | Supportability | Minor Version | Update Provided | KB Article | Download Link |
|---|---|---|---|---|---|---|
| 2022 Wave 2 (21.x) | Modern | Mainstream | 21.2 | Dec-22 | Download | Download |
| 2022 Wave 1 (20.x) | Modern | Mainstream | 20.8 | Dec-22 | Download | Download |
| 2021 Wave 2 (19.x) | Modern | Mainstream | 19.15 | Dec-22 | Download | Download |
| 2021 Wave 1 (18.x) | Modern | Out of Support | 18.18 | Dec-22 | Download | Download |
| 2020 Wave 2 (17.x) | Modern | Out of Support | 17.17 | Dec-22 | Download | Download |
| 2020 Wave 1 (16.x) | Modern | Out of Support | 16.19 | Dec-22 | Download | Download |
| October 2019 (15.x) | Modern | Out of Support | 15.17 | Dec-22 | Download | Download |
| April 2019 (14.x) | Fixed | Mainstream | 14.43 | Dec-22 | Download | Download |
| October 2018 (13.x) | Fixed | Out of Support | N/A | N/A | N/A | N/A |

 

DYNAMICS NAV

 

NAV 2018 (11.x) has been found affected.

This version was in mainstream support when the vulnerability was discovered.

The platform has been patched, and the security problem is resolved by deploying the December 2022 cumulative update or higher:

Cumulative Update 59 for Microsoft Dynamics NAV 2018 (Build 49497) - Microsoft Support

 

 

NAV 2017 (10.0) has been found affected.

This version is out of mainstream support but still in extended support.

See more at this link: Released cumulative updates for Microsoft Dynamics NAV 2017 - Microsoft Support

…

Cumulative updates for Microsoft Dynamics NAV 2017

The update (build 30712) that was released on December 13, 2022, fixes a remote code execution vulnerability. For more information, see CVE-2022-41127.

…

W1 and all localized versions of this build can be downloaded at the links provided in this blog post: CVE-2022-41127: Download localized DVDs for Dynamics NAV 2016 and NAV 2017 - Dynamics 365 Business Central Community

 

 

Dynamics NAV 2016 (9.0) has been found affected.

This version is out of mainstream support but still in extended support.

See more at this link: Released Cumulative Updates for Microsoft Dynamics NAV 2016 - Microsoft Support

…

Cumulative Updates for Microsoft Dynamics NAV 2016

The update (build 52203) that was released on December 13, 2022, fixes a remote code execution vulnerability. For more information, see CVE-2022-41127.

…

W1 and all localized versions of this build can be downloaded at the links provided in this blog post: CVE-2022-41127: Download localized DVDs for Dynamics NAV 2016 and NAV 2017 - Dynamics 365 Business Central Community

 

 

Dynamics NAV 2015 (8.0) has been found affected.

This version is out of mainstream support but still in extended support.

See more at this link: Released Cumulative Updates for Microsoft Dynamics NAV 2015 - Microsoft Support

…

Cumulative Updates for Microsoft Dynamics NAV 2015

The update (build 52204) that was released on January 23, 2023, fixes a remote code execution vulnerability. For more information, see CVE-2022-41127.

…

W1 and all localized versions of this build can be downloaded at the links provided in this blog post: CVE-2022-41127: Download localized DVDs for Dynamics NAV 2015 - Dynamics 365 Business Central Community

 

 

Dynamics NAV 2013 R2 (7.1) has been found affected.

This investigation was done on a best-effort basis by the security team, since NAV 2013 is currently out of support (end of extended support was 10th January 2023).

On a best-effort basis, the product group has provided a W1 DVD that contains the platform changes to address the bulletin.

See more at this link: Released Cumulative Updates for Microsoft Dynamics NAV 2013 R2 - Microsoft Support and take note of the disclaimer.

…

Cumulative Updates for Microsoft Dynamics NAV 2013 R2

The update (build 52207) that was released on January 27, 2023, fixes a remote code execution vulnerability. For more information, see CVE-2022-41127.

Note: Microsoft only provides W1 DVD for this out of support version. If you are in need to deploy the platform files in a localized environment, you should refer to the following post:

How to get back the 'hotfix directories' from NAV 2015 Cumulative Update 1 - Microsoft Dynamics 365 Blog

However, we strongly recommend you upgrade your environment to a later supported version.

…

 

 

Dynamics NAV 2013 (7.0) has not been found affected.

This investigation was done on a best-effort basis by the security team, since NAV 2013 is currently out of support (end of extended support was 10th January 2023).

 

 

 

FIXED LIFECYCLE, OUT OF SUPPORT VERSIONS

 

Dynamics 365 Business Central October 2018 release (13.x), NAV 2009 (RTM/SP1/R2) and earlier

These versions were out of both mainstream and extended support, so Microsoft is not obliged to perform any security checks against them.

Microsoft's position is that they could potentially be affected, hence it is strongly recommended to upgrade them to a patched, supported version as soon as possible.
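
To apply the version data on this page across a server inventory, the following added example (not code from Microsoft or from the original post) classifies installed platform versions against the fixed minor versions and builds listed above. It assumes version strings of the form major.minor.build.revision and that NAV build numbers only increase with each cumulative update; the host names and sample versions are constructed.

```python
# Added example: thresholds are copied from this page. Assumptions: versions
# look like major.minor.build.revision, and NAV build numbers only increase.

# Business Central: earliest fixed minor version per major (table above).
BC_FIXED_MINOR = {21: 2, 20: 8, 19: 15, 18: 18, 17: 17, 16: 19, 15: 17, 14: 43}
# Dynamics NAV: fixed build per (major, minor), from the cumulative updates.
NAV_FIXED_BUILD = {(11, 0): 49497, (10, 0): 30712, (9, 0): 52203,
                   (8, 0): 52204, (7, 1): 52207}


def triage(version: str) -> str:
    """Classify one installed platform version against the page's data."""
    fields = version.strip().split(".")
    if len(fields) < 2 or not all(f.isascii() and f.isdigit() for f in fields):
        return "unparseable"
    parts = [int(f) for f in fields]
    major, minor = parts[0], parts[1]
    if major in BC_FIXED_MINOR:
        return "patched" if minor >= BC_FIXED_MINOR[major] else "needs-update"
    if (major, minor) in NAV_FIXED_BUILD:
        if len(parts) < 3:
            return "unparseable"  # NAV is judged on the build component
        fixed = NAV_FIXED_BUILD[(major, minor)]
        return "patched" if parts[2] >= fixed else "needs-update"
    if (major, minor) == (7, 0):
        return "not-found-affected"  # NAV 2013, best-effort investigation
    if major == 13 or major <= 6:
        return "no-fix-upgrade"  # out of support, potentially affected
    return "not-covered"  # a version this page does not discuss


def triage_inventory(inventory: dict) -> dict:
    """Group host names by triage status so unpatched hosts stand out."""
    by_status = {}
    for host, version in sorted(inventory.items()):
        by_status.setdefault(triage(version), []).append(host)
    return by_status


# Constructed inventory (hypothetical host names and version strings).
SAMPLE = {"bc-prod": "21.1.49121.0", "bc-test": "21.2.50612.0",
          "nav2018": "11.0.49497.0", "nav2016": "9.0.51234.0",
          "bc13": "13.4.30001.0", "nav2013": "7.0.36703.0"}

if __name__ == "__main__":
    for status, hosts in triage_inventory(SAMPLE).items():
        print(f"{status}: {', '.join(hosts)}")
```

Hosts reported as `needs-update` are below the fixed minor version or build for their release; `no-fix-upgrade` marks the fixed-lifecycle releases for which the page lists no patch.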
