A quick heads-up for those who missed it: earlier this month, Microsoft released security updates for the supported releases of Exchange Server 2016 and 2013, as well as for Exchange Server 2010.
The security updates address the issues reported in the following Microsoft Common Vulnerabilities and Exposures (CVE) entries:
- CVE-2018-8151 – Microsoft Exchange Memory Corruption Vulnerability
- CVE-2018-8154 – Microsoft Exchange Memory Corruption Vulnerability
- CVE-2018-8159 – Microsoft Exchange Elevation of Privilege Vulnerability
- CVE-2018-8153 – Microsoft Exchange Spoofing Vulnerability
- CVE-2018-8152 – Microsoft Exchange Server Elevation of Privilege Vulnerability
You can download the security updates here:
- Exchange Server 2016 CU9 (v15.1.1466.8, KB4092041)
- Exchange Server 2016 CU8 (v15.1.1415.7, KB4092041)
- Exchange Server 2013 CU20 (v15.0.1367.6, KB4092041)
- Exchange Server 2013 CU19 (v15.0.1365.7, KB4092041)
- Exchange Server 2013 Service Pack 1 (v15.0.847.62, KB4092041)
- Exchange Server 2010 SP3 Rollup 21 (v14.3.399.2, KB4091243)
You may notice that Exchange 2013 Service Pack 1 is still in the list. This is because Cumulative Updates and Service Packs are on different servicing models: every Cumulative Update is supported for three months after the release of the next Cumulative Update, whereas Exchange 2013 SP1 entered extended support in early April and will only receive critical updates such as this one.
Be advised that for Exchange 2013 and 2016, security updates are specific to the Cumulative Update level. While the downloaded security updates may carry the same name, the files are different, and you cannot apply the security update file downloaded for Exchange 2016 CU8 to Exchange 2016 CU9. I suggest adding some form of Cumulative Update identification to the file name when you save it, e.g. Exchange2016-KB4092041-x64-en-CU9.msp.
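To check which of the builds listed above a server is running, and whether it already carries the security update, the following script can be run on the Exchange server itself. It is an added example and not part of the original post; it assumes an elevated PowerShell or Exchange Management Shell on the server, that Exchange setup has populated the ExchangeInstallPath environment variable, and it uses only the build numbers listed in the post.

```powershell
# Added example (not from the original post). Assumptions: run locally on the Exchange server
# with elevation; $env:ExchangeInstallPath is set by Exchange setup. Build numbers below are
# the post-update build numbers listed in the post.
$PatchedBuilds = @(
    [pscustomobject]@{ Name = 'Exchange Server 2016 CU9';      Version = [version]'15.1.1466.8'; KB = 'KB4092041'; Tag = 'CU9'     }
    [pscustomobject]@{ Name = 'Exchange Server 2016 CU8';      Version = [version]'15.1.1415.7'; KB = 'KB4092041'; Tag = 'CU8'     }
    [pscustomobject]@{ Name = 'Exchange Server 2013 CU20';     Version = [version]'15.0.1367.6'; KB = 'KB4092041'; Tag = 'CU20'    }
    [pscustomobject]@{ Name = 'Exchange Server 2013 CU19';     Version = [version]'15.0.1365.7'; KB = 'KB4092041'; Tag = 'CU19'    }
    [pscustomobject]@{ Name = 'Exchange Server 2013 SP1';      Version = [version]'15.0.847.62'; KB = 'KB4092041'; Tag = 'SP1'     }
    [pscustomobject]@{ Name = 'Exchange Server 2010 SP3 RU21'; Version = [version]'14.3.399.2';  KB = 'KB4091243'; Tag = 'SP3RU21' }
)

function Get-ExchangeSecurityUpdateStatus {
    param([string]$InstallPath = $env:ExchangeInstallPath)

    # Security updates do not change AdminDisplayVersion (what Get-ExchangeServer shows),
    # but they do bump the file version of ExSetup.exe, so that is what we read.
    $exSetup = Join-Path $InstallPath 'Bin\ExSetup.exe'
    if (-not (Test-Path $exSetup)) { throw "ExSetup.exe not found at '$exSetup'. Is Exchange installed here?" }
    $installed = [version](Get-Item $exSetup).VersionInfo.FileVersion

    # Major.Minor.Build identifies the CU / SP / rollup; Revision tells whether the update is applied.
    $match = $PatchedBuilds | Where-Object {
        $_.Version.Major -eq $installed.Major -and
        $_.Version.Minor -eq $installed.Minor -and
        $_.Version.Build -eq $installed.Build
    } | Select-Object -First 1

    if (-not $match) {
        return [pscustomobject]@{ Installed = $installed; Status = 'Build is not one of the listed CU levels; verify the servicing state before patching' }
    }

    $patched = $installed.Revision -ge $match.Version.Revision
    $status  = if ($patched) { 'Security update present' } else { "Security update missing ($($match.KB))" }
    # For 2013/2016 the .msp is CU-specific, so build the CU-tagged file name the post recommends.
    $suggested = $null
    if (-not $patched -and $installed.Major -ge 15) {
        $year = $match.Name -replace '^Exchange Server (\d{4}).*', '$1'
        $suggested = "Exchange$year-$($match.KB)-x64-en-$($match.Tag).msp"
    }
    [pscustomobject]@{ Installed = $installed; Level = $match.Name; Status = $status; SuggestedFileName = $suggested }
}

Get-ExchangeSecurityUpdateStatus | Format-List
```

If the server reports a build that is not in the table (for example an older CU), it is outside the servicing window for this update and needs a supported CU first.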
As with any patch or update, I'd recommend thoroughly testing it in a test and acceptance environment first, before rolling it out to production.