Note (18sep2016): Be advised that there are reports of the security fix for Exchange 2016 CU2 leaving the system in a suboptimal state, for example with Exchange services not being re-enabled after installation. For now, those reports also describe possible workarounds for these situations.
It seems that every once in a while, vulnerabilities are discovered in the Oracle libraries that Microsoft licenses for use in Microsoft Exchange. For September it is that time again, with an issue that allows remote code execution by means of a specially crafted attachment handled by that library. Note that no user interaction is required: the library parses attachment content on the server, so delivering the message is enough. The bulletin covers vulnerabilities in:
- parsing certain unstructured file formats.
- handling open redirect requests.
- handling Microsoft Outlook meeting invitation requests.
Depending on the lifecycle status of the product, fixes are made available either through a Rollup or as a security update for the following product levels:
- Exchange 2007 SP3: Rollup 21 for Exchange Server 2007 SP3 (KB3184711), v8.3.485.1
- Exchange 2010 SP3: Rollup 15 for Exchange Server 2010 SP3 (KB3184728), v14.3.319.2
- Exchange 2013 SP1: Security Update for Exchange Server 2013 SP1 (KB3184736), v15.0.847.50
- Exchange 2013 CU12: Security Update for Exchange Server 2013 CU12 (KB3184736), v15.0.1178.9
- Exchange 2013 CU13: Security Update for Exchange Server 2013 CU13 (KB3184736), v15.0.1210.6
- Exchange 2016 CU1: Security Update for Exchange Server 2016 CU1 (KB3184736), v15.1.396.37
- Exchange 2016 CU2: Security Update for Exchange Server 2016 CU2 (KB3184736), v15.1.466.37
Note that these rollups only address the vulnerabilities mentioned in the security bulletin, and that this bulletin supersedes the rollups and security updates released for MS16-079.
The issue is deemed critical, which means organizations are advised to implement the security fix at their earliest convenience. However, as with any update, it is recommended to thoroughly test updates and fixes prior to deploying them in a production environment.
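As an added example (not code from the original post), the script below reports which servers in the organization are at or above the build listed above for their product level, and which ones still have Exchange services left in the Disabled state, the symptom mentioned in the note at the top. It assumes it is run from the Exchange Management Shell with PowerShell remoting available to every server, and that ExSetup.exe is on the system PATH of each server (Exchange setup normally adds the bin folder). The file version of ExSetup.exe is used deliberately: the AdminDisplayVersion shown by Get-ExchangeServer stays at the SP/CU build and does not change when a rollup or security update is installed.

```powershell
# Added example, not part of the original post. Checks each Exchange server for the
# build shipped with this update and for Exchange services left disabled by an
# incomplete security-update install. Assumes the Exchange Management Shell,
# PowerShell remoting to each server, and ExSetup.exe on each server's PATH.

# Builds from the list above, one per supported product level.
$PatchedBuilds = @(
    [version]'8.3.485.1',    # Exchange 2007 SP3 Rollup 21 (KB3184711)
    [version]'14.3.319.2',   # Exchange 2010 SP3 Rollup 15 (KB3184728)
    [version]'15.0.847.50',  # Exchange 2013 SP1 Security Update (KB3184736)
    [version]'15.0.1178.9',  # Exchange 2013 CU12 Security Update (KB3184736)
    [version]'15.0.1210.6',  # Exchange 2013 CU13 Security Update (KB3184736)
    [version]'15.1.396.37',  # Exchange 2016 CU1 Security Update (KB3184736)
    [version]'15.1.466.37'   # Exchange 2016 CU2 Security Update (KB3184736)
)

function Get-PatchStatus {
    param([Parameter(Mandatory)][version]$Build)
    if ($Build.Major -lt 15) {
        # 2007/2010 rollups are cumulative: any build at or above the rollup build has the fix.
        $target = $PatchedBuilds | Where-Object { $_.Major -eq $Build.Major -and $_.Minor -eq $Build.Minor }
        if (-not $target) { return 'Unsupported version' }
        if ($Build -ge $target) { return 'Patched' }
        return "Needs $target"
    }
    # 2013/2016: the third number identifies the CU and the security update only raises the
    # fourth, so a server has to be compared against the update built for its own CU.
    $target = $PatchedBuilds | Where-Object {
        $_.Major -eq $Build.Major -and $_.Minor -eq $Build.Minor -and $_.Build -eq $Build.Build }
    if (-not $target) { return 'CU not covered by this update (older or newer CU)' }
    if ($Build.Revision -ge $target.Revision) { return 'Patched' }
    return "Needs $target"
}

# Runs on each server: ExSetup.exe file version (AdminDisplayVersion does not reflect
# rollups or security updates) plus any MSExchange* service whose start mode is Disabled.
$RemoteProbe = {
    $exsetup  = Get-Command ExSetup.exe -ErrorAction Stop
    $disabled = Get-WmiObject Win32_Service -Filter "Name LIKE 'MSExchange%' AND StartMode='Disabled'" |
        Select-Object -ExpandProperty Name
    [pscustomobject]@{
        Build            = $exsetup.FileVersionInfo.FileVersion   # e.g. '15.01.0466.037'
        DisabledServices = @($disabled)
    }
}

function Get-ExchangeUpdateReport {
    foreach ($server in Get-ExchangeServer) {
        $probe = $null
        try {
            $probe  = Invoke-Command -ComputerName $server.Name -ScriptBlock $RemoteProbe -ErrorAction Stop
            $build  = [version]$probe.Build   # '15.01.0466.037' parses to 15.1.466.37
            $status = Get-PatchStatus -Build $build
        }
        catch {
            $build  = $null
            $status = "Probe failed: $($_.Exception.Message)"
        }
        [pscustomobject]@{
            Server           = $server.Name
            Build            = $build
            Status           = $status
            DisabledServices = if ($probe) { $probe.DisabledServices -join ', ' } else { '' }
        }
    }
}

Get-ExchangeUpdateReport | Sort-Object Status | Format-Table -AutoSize
```

A server showing "Patched" but with entries in DisabledServices is the situation the CU2 note warns about: the update installed, but the services it stopped and disabled during setup were not turned back on, so mail flow or client access may be down until they are re-enabled.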
The Exchange Versions, Builds and Dates page has been updated with the above information as well.