FW: Server problems caused by the application of a Microsoft Secu rity Patch
From: Firstname Lastname (Cote.Marc_at_IC.GC.CA)
Date: 10/29/03
- Previous message: Russ: "MajorRev: Microsoft Security Bulletin MS03-043 - Buffer Overrun in Messenger Service Could Allow Code Execution (828035)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 29 Oct 2003 16:39:34 -0500 To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Russ:
This was forwarded to me by one of our users. I am wondering if
anyone else has run into any issues with the latest round of security
patches and SAP.
Microsoft Security patches cause SAP outage for our Production Instance.
The application of Patch KB828750 caused us to lose a complete day of
productivity on Friday 24 Oct on our SAP Production System. This patch
caused a Shared memory problem on two SAP Application Servers , to the point
that they could no longer function. The application
of one or more of Security patches caused problems with driver CPQDAEN.SYS
which could not be resolved by COMPAQ H/W engineer who was
called
in. Two other problems still persist which may or may not be the result of
the application of the Security patches. One immediate question is whether
any know problems exist for the patches in question, and whether any
solution is available. Below is the sequence of events followed on Friday
Oct 24 and Monday 27 Oct'03.
1. Windows Security Patches KB828750, KB825119, KB828035, KB826232,
KB824105, KB823182, KB824141 823559, plus Security Update Feb/13/2002
(MSXML
2.6), 816093, 814078, and 823718 (note that the last 4 do NOT SHOW WITHIN
ADD/REMOVE programs from Control Panel) were applied to ######, #####
and ##### on morning of Friday 24 Oct 2003, and all 3 systems rebooted.
These patches had already been in place on
##### and #####, since 16
Oct 2003, with no obvious side effects.
2. On reboot of ####,#### and ##### we could not logon to SAP
through the Application Servers APP1/2, but could SAPlogon to
Central/Database Instance on #### host. Having logged to ##### we
could not "see" #### or #####. We examined the Windows 2000 event log.
An error was found in the Event log, stating that the device associated
with
SCSI device driver CPQDAEN.SYS had failed to initialize.
Removing 8 of the applied patches on #####(those that could be removed)
did not resolve the problem. Assuming we had a potential H/W problem, a
call
was place to COMPAQ A debate then ensued
as to whether this should be treated as a H/W or S/W problem, a critical
issue since the contract is for H/W. COMPAQ agreed to accept the call as a
H/W issue. The COMPAQ Engineer arrived at 14:12 PM. The Engineer discovered
an anomaly when viewing the configured Array controllers (slots 10 4250ES,
and 11 5300) from Windows using the COMPAQ Array Configurator Tool - only
one of the two could be seen. Both slots were visible when using the same
Tool off-line, loaded in memory from a COMPAQ Support CDROM. Replacing
slot
11 Controller (5300) for the external shelf, upgrading the Windows Tool and
associated Drivers had no effect. The Engineer concluded that the problem
lay with Windows, in all probability, and had done all he could do, and
left
between 6 and 7:00PM. The CPQDAEN.SYS driver was disabled, since it seemed
to be associated only with the COMPAQ Event Notifyer, which seem to be
reporting a "missing" controller that was in reality present.
3. Attention was then diverted to the Application Servers #### and
#####, on which SAP was reporting severe shared memory problems. It had
been assumed initially that the cause could have access failure to the
configuration files located on ##### because of problem reported above.
The first 8 patches listed in Step 1 were removed from both Application
Servers, and the shared memory problem cleared at once when the program
associated with Patch KB828750 had been removed - "October 2003, Cumulative
Patch for Internet Explorer 5.01 for Windows 2000 Service Pack 4". The same
patch was also
Removed from #####.
At this point in time ALL the Security patches listed in Step 1 were still
in effect on #####, with the exception of KN828750. None of the
removable
8 were in place on ######.
5. Two other errors were discovered on Monday Oct 27, which may or may not
be related to the patch application effort. ##### cannot connect to
##### through /oss1 transaction, but #### and #### can. The
second
problem relates to the failure of the CALL SYSTEM function with ABAP
programs called on SAPPRD01 through /se38. The CALL is the interface to
Windows DOS commands, FTP scripts, etc. The same programs WORK when invoked
from SAPPRA1/2 using /se38.
6. All the remaining 8 removable patches listed in Step 1 were removed
from
SAP CI/database Server ##### on Monday 27 October at 19:30 PM, but the 2
problems identified in Step 5 remain. These two problems have been reported
to SAP, but as of yet no response has been received.
Marc Cote
Systems Manager
-----
Marcus Ranum's new book "The Myth of Homeland Security" is now out and
is available from http://www.amazon.com/ranum In this hard-hitting
review of the homeland security business, Ranum shows us how the problem
is vastly harder than it's being made to sound, and how special
interests, *** covering, and bureaucracy are threatening to derail any
chance of making progress.
-----
