The Exchange product group released August updates for Exchange Server 2013, 2016 and 2019.
Note that, as with the previous May cycle, Security Updates are packaged in an executable wrapper. This should trigger the elevation prompt, thus preventing the issues that occur when admins simply double-click the .MSP file. More about the new package format, options for logging and command-line switches is covered in an article dedicated to the change of distribution method here.
Windows Extended Protection
Special attention in this cycle for Windows Extended Protection (WEP), which needs to be enabled to address certain vulnerabilities. WEP is ONLY supported for specific versions of Exchange Server; see the documentation for details regarding requirements and known issues. TL;DR (the list might change over time, so consult the pages linked earlier):
- Supported on Exchange 2013 CU23, Exchange 2016 CU22 and Exchange Server 2019 CU11 or later, with the August 2022 Security Updates installed.
- Cannot be enabled on Exchange Server 2013 servers hosting Public Folders in coexistence with Exchange 2016/2019.
- Cannot be enabled on Exchange 2016 CU22 or Exchange 2019 CU11 or older hosting a Public Folder Hierarchy.
- Does not work with hybrid servers using the Modern Hybrid configuration.
- SSL Offloading scenarios are currently not supported.
- A consistent TLS configuration is required across all Exchange servers.
- Known Issues:
  - Retention Policies using the action Move to Archive stop working.
  - In Exchange 2013, the MAPI over HTTP probe OutlookMapiHttpCtpProbe might show FAILED.
To perform prerequisite checks and implement WEP, a supporting script, ExchangeExtendedProtectionManagement.ps1, has been published. Since enabling WEP changes how clients and Exchange servers communicate, it is highly recommended to test this first on your specific configuration, especially with third-party products, before enabling it in production.
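As an added illustration (not part of the original post and not the Microsoft script mentioned above), the following encodes the prerequisites listed above as a pre-flight check over a server inventory: the build numbers per CU come from the Security Update table in this post, while the `Server` record and its fields are constructed for the example and would need to be populated from your own inventory.

```python
from dataclasses import dataclass
# Minimum build per CU line carrying the August 2022 SU (from this post's table): prefix -> (product, CU, min build)
AUG2022_SU = {
    (15, 2, 1118): ("Exchange 2019", 12, (15, 2, 1118, 12)),
    (15, 2, 986):  ("Exchange 2019", 11, (15, 2, 986, 29)),
    (15, 1, 2507): ("Exchange 2016", 23, (15, 1, 2507, 12)),
    (15, 1, 2375): ("Exchange 2016", 22, (15, 1, 2375, 31)),
    (15, 0, 1497): ("Exchange 2013", 23, (15, 0, 1497, 40)),
}
PF_BLOCKED = {("Exchange 2016", 22), ("Exchange 2019", 11)}  # cannot enable WEP while hosting a PF hierarchy
@dataclass
class Server:                      # constructed inventory record (hypothetical fields)
    name: str
    build: str                     # AdminDisplayVersion-style build, e.g. "15.2.986.29"
    public_folders: bool = False   # hosts public folders / the PF hierarchy
    modern_hybrid: bool = False
    ssl_offload: bool = False
    tls_profile: str = "tls12"     # opaque label for the server's TLS settings
def parse_build(build: str) -> tuple:
    return tuple(int(p) for p in build.split("."))
def check_fleet(servers) -> dict:
    """Return {server name: [blocking reasons]}; an empty list means WEP-ready."""
    findings, product_of = {}, {}
    for s in servers:
        b, reasons = parse_build(s.build), []
        entry = AUG2022_SU.get(b[:3])
        if entry is None:
            reasons.append("CU not supported for Extended Protection")
        else:
            product, cu, min_build = entry
            product_of[s.name] = product
            if b < min_build:
                reasons.append("August 2022 SU missing (need %s)" % ".".join(map(str, min_build)))
            if s.public_folders and (product, cu) in PF_BLOCKED:
                reasons.append("hosts Public Folder hierarchy on %s CU%d" % (product, cu))
        if s.modern_hybrid:
            reasons.append("Modern Hybrid configuration not supported")
        if s.ssl_offload:
            reasons.append("SSL offloading not supported")
        findings[s.name] = reasons
    # Fleet-wide rules: 2013 public folder coexistence and consistent TLS configuration
    newer_present = any(p != "Exchange 2013" for p in product_of.values())
    for s in servers:
        if product_of.get(s.name) == "Exchange 2013" and s.public_folders and newer_present:
            findings[s.name].append("Exchange 2013 with Public Folders in coexistence with 2016/2019")
    if len({s.tls_profile for s in servers}) > 1:
        for s in servers:
            findings[s.name].append("TLS configuration differs across servers")
    return findings
```

A server only passes when its own list is empty and no fleet-wide rule fired; a supported CU without the August SU is reported separately from an unsupported CU, since the fix differs (install the SU versus upgrade the CU first).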
So, on with the security updates. The vulnerabilities addressed in the Security Updates for August are:
| CVE | Type | Severity | CVSS 3.1 (Base / Temporal) |
|---|---|---|---|
| CVE-2022-21979 | Information Disclosure | Important | 4.8 / 4.2 |
| CVE-2022-21980 | Elevation of Privilege | Critical | 8.0 / 7.0 |
| CVE-2022-24477 | Elevation of Privilege | Critical | 8.0 / 7.0 |
| CVE-2022-24516 | Elevation of Privilege | Critical | 8.0 / 7.0 |
| CVE-2022-30134 | Elevation of Privilege | Important | 7.6 / 6.6 |
| CVE-2022-34692 | Information Disclosure | Important | 5.3 / 4.6 |
The following Security Updates address these vulnerabilities:
| Product | Download | Build | KB Article | Supersedes |
|---|---|---|---|---|
| Exchange 2019 CU12 | Download | 15.2.1118.12 | KB5015322 | KB5014261 |
| Exchange 2019 CU11 | Download | 15.2.986.29 | KB5015322 | KB5014261 |
| Exchange 2016 CU23 | Download | 15.1.2507.12 | KB5015322 | KB5014261 |
| Exchange 2016 CU22 | Download | 15.1.2375.31 | KB5015322 | KB5014261 |
| Exchange 2013 CU23 | Download | 15.0.1497.40 | KB5015321 | KB5014260 |
These Security Updates also fix the following issues:
- KB5017261 Start-DatabaseAvailabilityGroup fails with BlockedDeserializeTypeException
- KB5017430 E-Discovery search fails in Exchange Online
Be advised that these security updates are Cumulative Update specific. You cannot apply the update for Exchange 2019 CU12 to Exchange 2019 CU11. Also, the security update download has the same file name for different Cumulative Updates, so I would suggest tagging the file name with the CU level, e.g. Exchange2019-CU12-KBXXXXXX-x64-en.msp.
Exchange servers running as part of a hybrid deployment are running services, and thus need to be included in the patch cycle. If you are running Exchange 2019 CU12 Management Tools-only (for recipient management), you do not need to deploy this SU.
On a final note, as with any patch or update, I'd recommend applying this in a test environment first, prior to implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it concerns security updates; follow a more agile approach instead, using the ratings as an indication of the urgency.