Update on DCOM Hardening Patches

Dear Accruent Customer,

On September 12, 2022, we sent you a message on critical security changes concerning the Windows Distributed Component Object Model (DCOM), a.k.a. “DCOM Hardening”. See also Microsoft's article on CVE-2021-26414.

Since our previous message, Microsoft has responded to customer feedback by publishing an additional Windows “DCOM client-side” patch on November 8, 2022. This patch eliminates the need for users of DCOM applications to deploy application-specific patches to mitigate the effects of the DCOM hardening.

Our engineering teams have analyzed this additional patch and performed testing of the Meridian functionality in combination with it. This analysis and testing have shown that this DCOM client-side patch performs the same function as the Meridian patches we were preparing, namely raising the authentication level of DCOM requests made by the Meridian clients.

Based on this result, we can inform you that with this additional Windows patch in place, patching of Meridian is no longer required in order to continue operations when the DCOM hardening (which becomes mandatory on March 14, 2023) takes effect.

To guarantee continued operation of Meridian, the Windows patch must be installed on all machines that are, in terms of a DCOM connection, clients of the Meridian EDM Server or the Meridian License Server. Please note that the Meridian PowerWeb IIS application and the Enterprise Server are clients of the EDM Server, and the EDM Server is a client of the License Server. In addition to all workstations running Meridian clients, the servers hosting the mentioned components must therefore also have this patch installed.

You do not need to explicitly configure any registry keys to control the Windows DCOM client-side patch. The default installation will allow Meridian clients to continue working when the hardening takes effect. If you do set the registry key RaiseActivationAuthenticationLevel related to this patch, you must set the value to 2.

The Windows DCOM client-side patch works for all Meridian clients of all versions of Meridian Server.

If you want to test the functioning of this patch, you can perform the following actions:

  • Make sure the Windows patch of June 14, 2022 is installed on the machines hosting the EDM Server and the License Server.
  • On these machines, set the registry key RequireIntegrityActivationAuthenticationLevel to the value 1.
  • Make sure the Windows DCOM client-side patch of November 8, 2022 is installed on server and client machines.
  • On these machines, either omit the registry key RaiseActivationAuthenticationLevel or set the value to 2.
  • After patch installation or changing one of the mentioned registry keys, restart the machine.
  • Test connectivity of the client to the EDM Server and License Server by opening a Vault.
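
The registry part of the test steps above can be verified with a read-only check before opening a Vault. This is an added example, not Accruent or Microsoft code: the function names are hypothetical, and the registry path is an assumption taken from Microsoft's KB5004442 article, since this message does not state it. Patch installation is not checked because this message lists no KB numbers.

```powershell
# Added example. Read-only check of the two DCOM hardening registry values
# named in the test steps. Run it after the restart that follows any change.
# Assumption: the values live under this key (per Microsoft KB5004442).
$AppCompatKey = 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat'

function Get-DcomHardeningValue {
    param([Parameter(Mandatory)][string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $AppCompatKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-MeridianDcomTestConfig {
    param(
        # 'Server' = machine hosting the EDM Server or License Server,
        # 'Client' = workstation running Meridian clients only.
        [Parameter(Mandatory)][ValidateSet('Server', 'Client')][string]$Role
    )
    $require = Get-DcomHardeningValue -Name 'RequireIntegrityActivationAuthenticationLevel'
    $raise   = Get-DcomHardeningValue -Name 'RaiseActivationAuthenticationLevel'

    $findings = @()
    # Client-side patch: the value must be absent (default) or 2 on every
    # machine, because the servers are DCOM clients of each other as well.
    if ($null -ne $raise -and $raise -ne 2) {
        $findings += "RaiseActivationAuthenticationLevel is $raise; remove it or set it to 2."
    }
    # Server-side hardening is switched on for the test by setting the value to 1.
    if ($Role -eq 'Server' -and $require -ne 1) {
        $shown = if ($null -eq $require) { 'not set' } else { $require }
        $findings += "RequireIntegrityActivationAuthenticationLevel is $shown; set it to 1 for the test."
    }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Role     = $Role
        Require  = $require
        Raise    = $raise
        Ready    = ($findings.Count -eq 0)
        Findings = $findings
    }
}

Test-MeridianDcomTestConfig -Role Server | Format-List
```

Use `-Role Client` on workstations; `Ready` is true only when the values match the test configuration described above.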

Should you feel you need additional assistance regarding this email, please use the following guidance on how best to contact us.

  • For Direct Meridian Customers: Please utilize the Customer Support Portal to log a product support ticket. If you are serviced by one of our Meridian Partners, feel free to reach out directly to them for support.
  • For Meridian Partners: Please communicate this information to your customers. If you have any questions, you can reach the Meridian Support team by logging a case via Partner Portal.