Update 14jan: Added Exchange 2010 SP3 RU25
A quick heads-up as during my vacation Microsoft released security updates for supported releases of Exchange Server 2013, 2016 as well as Exchange Server 2019. In addition, a new Rollup was released for Exchange 2010 as well, containing one of the security updates.
The security updates patch issues as reported in the following Microsoft Common Vulnerabilities and Exposures:
- CVE-2019-0586: Microsoft Exchange Memory Corruption Vulnerability
- CVE-2019-0588: Microsoft Exchange Information Disclosure Vulnerability
You can download the security updates here:
- Security Update For Exchange Server 2013 CU21 (v15.0.1395.10, KB4471389)
- Security Update For Exchange Server 2016 CU10 (v15.1.1531.10, KB4471389)
- Security Update For Exchange Server 2016 CU11 (v15.1.1591.13, KB4471389)
- Security Update For Exchange Server 2019 (v18.104.22.168, KB4471389)
- Exchange Server 2010 SP3 Rollup 25 (v14.3.435.0, KB4468742)
- Exchange 2010 SP3 RU25 addresses CVE-2019-0588 only.
- KB4471389 supersedes KB4468741 and KB4459266; KB4468742 supersedes KB4458321.
Be advised that the Security Updates for Exchange 2013 and 2016 are Cumulative Update level specific. Unfortunately, the security update carries the same name for different CU’s, and you cannot apply the update for Exchange 2016 CU10 to Exchange 2016 CU11. I would suggest tagging the Cumulative Update in the file name when you archive it, e.g. Exchange2016-KB4471389-x64-en-CU10.msp.
As with any patch or update, I’d recommend to thoroughly test this in a test and acceptance environment first, prior to implementing it in production.