A quick blog on security updates for Exchange Server 2013, 2016 and 2019 released November 10th. These fixes address the following vulnerability:
- CVE-2020-17085: Microsoft Exchange Server Denial of Service Vulnerability
- CVE-2020-17084: Microsoft Exchange Server Remote Code Execution Vulnerability
- CVE-2020-17083: Microsoft Exchange Server Remote Code Execution Vulnerability
The exploits can be fixed by single security update, which you can find in the table below per current Exchange version.
|Exchange 2019 CU7||Download||15.2.721.4||KB4588741||KB4581424|
|Exchange 2019 CU6||Download||15.2.659.8||KB4588741||KB4581424|
|Exchange 2016 CU18||Download||15.1.2106.4||KB4588741||KB4581424|
|Exchange 2016 CU17||Download||15.1.2044.8||KB4588741||KB4581424|
|Exchange 2013 CU23||Download||15.0.1497.8||KB4588741||KB4581424|
Be advised that these security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2016 CU17 to Exchange 2016 CU16. Also, the security update download has the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level, e.g. Exchange2019-CU6-KB4588741-x64-en.msp.
Also, run the Security Update from an elevated command prompt, to prevent issues during installation. And on a final note, as with any patch or update, I’d recommend to apply this in a acceptance environment first, prior to implementing it in production.