A quick blog on recently published security updates for Exchange Server 2013 up to Exchange Server 2019. These fixes address the following vulnerabilities:
- CVE-2019-1373: Microsoft Exchange Remote Code Execution Vulnerability
The CVE documents contain more details on the vulnerabilities. The exploits can be fixed by single security update, which you can find in the table below per current Exchange version.
|Exchange 2019 CU3||Download||15.2.464.7||KB4523171||KB4515832|
|Exchange 2019 CU2||Download||15.2.397.9||KB4523171||KB4515832|
|Exchange 2016 CU14||Download||15.1.1847.5||KB4523171||KB4515832|
|Exchange 2016 CU13||Download||15.1.1779.7||KB4523171||KB4515832|
|Exchange 2013 CU23||Download||15.0.1497.4||KB4523171||KB4509409|
Be advised that the Security Updates for Exchange 2013-2019 are Cumulative Update level specific. Unfortunately, the security update carries the same name for different CUs, and you cannot apply the update for Exchange 2016 CU14 to Exchange 2016 CU13. I would suggest tagging the Cumulative Update in the file name when you store it, e.g. Exchange2016-CU14-KB4523171-x64-en.msp.
As with any patch or update, I’d recommend to apply this in a acceptance environment first, prior to implementing it in production.