The Exchange product group released November updates for Exchange Server 2013, 2016 and 2019. Note that these Security Updates address the vulnerabilities CVE-2022-41040 and CVE-2022-41082 that were reported end of September. More on those in an earlier post.
Note: You can keep the current URLScan mitigations in-place, and remove them after installing these security updates at your convenience. The recommendation to disable Remote PowerShell for non-admins is upheld, but this is best practice regardless.
The vulnerabilities addressed in these Security Updates are:
|CVE-2022-41040||Elevation of Privilege||Critical||CVSS:3.1 8.8 / 7.9|
|CVE-2022-41082||Elevation of Privilege||Important||CVSS:3.1 8.8 / 8.3|
|CVE-2022-41078||Elevation of Privilege||Important||CVSS:3.1 8.0 / 7.0|
|CVE-2022-41123||Elevation of Privilege||Important||CVSS:3.1 7.8 / 6.8|
|CVE-2022-41079||Elevation of Privilege||Important||CVSS:3.1 8.0 / 7.0|
|CVE-2022-41080||Elevation of Privilege||Critical||CVSS:3.1 8.8 / 7.7|
The following Security Updates address these vulnerability for the Exchange builds mentioned, with the exception of CVE-2022-41123 which does not apply to Exchange Server 2013:
|Exchange 2019 CU12||Download||15.2.1118.20||KB5019758||KB5019077|
|Exchange 2019 CU11||Download||15.2.986.36||KB5019758||KB5019077|
|Exchange 2016 CU23||Download||15.1.2507.16||KB5019758||KB5019077|
|Exchange 2016 CU22||Download||15.1.2375.37||KB5019758||KB5019077|
|Exchange 2013 CU23||Download||15.0.1497.44||KB5019758||KB5019076|
In case you missed it, per the Security Updates of August, you can enable Windows Extended Protection for increased protection against certain vulnerabilities. More information this process and its requirements can be found in the post on the August updates here.
Security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU12 to Exchange 2019 CU11. Also, the security update download has the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level, e.g. Exchange2019-CU12-KBXXXXXX-x64-en.msp.
Exchange servers running as part of hybrid deployment are running services, and thus need to be included in the patch cycle. If you are running Exchange 2019 CU12 Management Tools-only (for recipient management), you do not need to deploy this SU.
On a final note, as with any patch or update, I’d recommend to apply this in a test environment first, prior to implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it concerns security updates, and follow a more agile approach; the ratings are an indication of the urgency.