Despite the quarterly wave of Cumulative Updates being imminent, CVE-2017-11932 and ADV170023 warranted a quick release of Security Update KB4045655 for current versions of Exchange 2013 and Exchange 2016.
This security update fixes a vulnerability in OWA, which could allow elevation of privilege or spoofing if an attacker sends an email that has a specially crafted attachment to a vulnerable Exchange server.
You can download the security updates here:
- Exchange Server 2016 CU7 (v15.1.1261.37)
- Exchange Server 2016 CU6 (v15.1.1034.33)
- Exchange Server 2013 CU18 (v15.0.1347.3)
- Exchange Server 2013 CU17 (v15.0.1320.7)
Be advised the update may leave your Exchange services in a Disabled state, despite installing correctly. In those cases, set the startup type of those services back to Automatic and start them manually.
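To check for that condition after installing the update, here is an added PowerShell example (my own, not part of the original post or of the Microsoft update) that lists Exchange services left in the Disabled state and, with -Repair, sets them back to Automatic and starts them. It assumes an elevated PowerShell session on the Exchange server, and it deliberately skips the POP3/IMAP4 services, which ship with a Manual startup type and should not be forced to Automatic.

```powershell
# Added example, not from the original post: report Exchange services that are
# Disabled after the security update and optionally restore them to Automatic.
# Assumes an elevated session on the Exchange server itself.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Repair   # without -Repair the script only reports
)

# These services are Manual by default on Exchange 2013/2016; leave them alone.
$ManualByDefault = @('MSExchangePOP3', 'MSExchangePOP3BE',
                     'MSExchangeIMAP4', 'MSExchangeIMAP4BE')

# Win32_Service exposes StartMode (Auto/Manual/Disabled) on every PowerShell version.
$disabled = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.Name -like 'MSExchange*' -and
                   $_.StartMode -eq 'Disabled' -and
                   $ManualByDefault -notcontains $_.Name }

if (-not $disabled) {
    Write-Host 'No Exchange services are in the Disabled state.'
    return
}

# Show what the update left behind before touching anything.
$disabled | Select-Object Name, StartMode, State | Format-Table -AutoSize

if (-not $Repair) {
    Write-Host 'Re-run with -Repair to set these services to Automatic and start them.'
    return
}

foreach ($svc in $disabled) {
    if ($PSCmdlet.ShouldProcess($svc.Name, 'Set startup type to Automatic and start')) {
        Set-Service -Name $svc.Name -StartupType Automatic
        try {
            # Start-Service also starts any dependencies the service needs.
            Start-Service -Name $svc.Name -ErrorAction Stop
            Write-Host "Started $($svc.Name)"
        } catch {
            Write-Warning "Could not start $($svc.Name): $($_.Exception.Message)"
        }
    }
}
```

Save it as e.g. Repair-ExchangeServices.ps1 and run it with -Repair -WhatIf first to preview the changes; without -Repair it only reports.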
Also note that this security update supersedes an earlier update, KB4036108, which might cause Calendar Sharing issues when split DNS is used.
Security updates are specific to the Cumulative Update level. Be advised that the update packages for different CUs may carry the same file name, e.g. the update for CU7 and the one for CU6 are both named Exchange2016-KB4045655-x64-en.msp. I suggest adding some form of Cumulative Update identification to the file name when archiving it, e.g. Exchange2016-KB4045655-x64-en-CU7.msp.
As with any patch or update, I’d recommend thoroughly testing this in a test and acceptance environment first, prior to implementing it in production.
This states that this isn’t a new patch, rather it’s fixing and then removing a security fix due to side effects from the prior update. “This security update was released to address a known issue in security update 4036108 in which customers that are using split DNS may encounter problems that affect Calendar Sharing. This update removes the fix for this vulnerability.”
So this update removes a security patch?
This fix replaces KB4036108, which is not available anymore. KB4036108 introduced a potential issue (for DNS). This new fix includes a fix for that side-effect (or doesn’t introduce it, depending on how you want to read it), apart from addressing the vulnerability.
I’ve had two EX16 servers on Server 2016 fail this update and leave the Exchange server completely unusable. Had to restore them from backup.
Could you perhaps elaborate a bit more? What were the symptoms?
We found the issue that mail flow was down. Logged into the server and found that the shell wouldn’t connect and the ECP didn’t work. All Exchange services were disabled and none would start. Tried enabling all the services and restarting but that didn’t work. Opened Windows Update history and found the update had failed. So my opinion is the update failed part way and left the Exchange server unusable. Tried to manually install the update, failed. So tried to run the CU7 update, failed. So my only option was backup restore. Even called Microsoft for support and stumped their tier one support group and it was elevated but we could wait for them to call back.
If we go straight to Exchange Server 2016 CU8 does it include these security patches?
This can be a fair resource (shameless plug) – https://www.computerworld.com/article/3243100/microsoft-windows/microsoft-confirms-stalled-downloads-bogus-errors-in-win10-fcu-update-kb-4054517.html
Thanks for this article and thread!
This is a quick workaround as well https://info.summit7systems.com/blog/exchange-services-patch-fix-kb4045655