Updated April 12th: Notice on KB4487563
Today, as part of patch Tuesday, supported Exchange versions received security updates to remediate the following issues:
- CVE-2019-0817: Microsoft Exchange Spoofing Vulnerability
- CVE-2019-0858: Microsoft Exchange Spoofing Vulnerability
Security updates are available for the following product levels, and fix the vulnerability mentioned:
|Exchange 2019 CU1||15.2.330.7||KB4487563||Download||Yes||Yes|
|Exchange 2016 CU12||15.1.1713.6||KB4487563||Download||Yes||Yes|
|Exchange 2016 CU11||15.1.1591.16||KB487563||Download||Yes||Yes|
|Exchange 2013 CU22||15.0.1473.4||KB487563||Download||Yes||Yes|
|Exchange 2010 SP3 RU27||14.3.452.0||KB4491413||Download||Yes||No|
- CVS-2019-0858 does not apply to Exchange 2010.
- Exchange 2010 is currently in Extended Support. Extended support for Exchange 2010 ends January 14, 2020.
- Don’t forget to put the Exchange server in maintenance mode prior to updating.
- If you want to speed up the update process for systems without internet access, you can follow the procedure described here to disable publisher’s certificate revocation checking.
- The order of installation shouldn’t matter with the “every server is an island” concept, yet recommended is to upgrade internet-facing first, followed by non-internet-facing servers, and finally Edge Transports.
Notice on KB4487563:
Apart from the known issues mentioned in KB4487563, there are reports the fix terminates while stopping services, and the following error is being logged:
[Error] System.Management.Automation.CommandNotFoundException: The term ‘Stop-SetupService’ is not recognized as the name of a cmdlet, function, script file, or operable program.
This Stop-SetupService isn’t a regular cmdlet, and I assume is an alias created by the update. However, there are reports this operation fails. In those circumstances, next to retrying installation of the update, a workaround might be opening up a PowerShell session and adding the alias yourself using New-Alias Stop-SetupService Stop-Service, followed by running the update. The alias isn’t persistent, so will be gone after you close your session.
As for any update, I recommend to thoroughly test updates in a test environment prior to implementing them in production. When you lack such facilities, hold out a few days and monitor the comments on the original publication or forums for any issues.