Welcome to another Patch Tuesday! A quick blog on October’s security updates for Exchange Server 2013 up to 2019.
The vulnerabilities addressed in these security updates are:
Vulnerability | Category | Severity | Rating |
---|---|---|---|
CVE-2021-26427 | Remote Code Execution | Important | CVSS:3.0 9.0 / 7.8 |
CVE-2021-41350 | Spoofing | Important | CVSS:3.0 6.5 / 5.7 |
CVE-2021-41348 | Elevation of Privilege | Important | CVSS:3.0 8.0 / 7.0 |
CVE-2021-34453 | Denial of Service | Important | CVSS:3.0 7.5 / 6.5 |
The vulnerabilities in the table above are addressed in the following security updates. The exception is Exchange 2013 CU23, which seemingly only gets a fix for CVE-2021-26427; it is unclear whether that is because of Exchange 2013’s lifecycle phase or because the problem does not exist in those builds.
Exchange | Download | Build | KB | Supersedes |
---|---|---|---|---|
Exchange 2019 CU11 | Download | 15.2.986.9 | KB5007012 | |
Exchange 2019 CU10 | Download | 15.2.922.14 | KB5007012 | |
Exchange 2016 CU22 | Download | 15.1.2375.12 | KB5007012 | |
Exchange 2016 CU21 | Download | 15.1.2308.15 | KB5007012 | |
Exchange 2013 CU23 | Download | 15.0.1497.24 | KB5007011 | |
More detailed information can be found at the original blog post here. Check the KB articles for any known release notes, such as the possible cross-forest Free/Busy issue and HTTP headers containing version information.
Be advised that these security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU11 to Exchange 2019 CU10. Also, the security update download has the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level, e.g. Exchange2019-CU10-KBXXXXXX-x64-en.msp.
As a reminder, run the Security Update from an elevated command prompt to prevent issues during installation. In other words: do not just double-click on the .MSP file. And on a final note, as with any patch or update, I’d recommend applying this in a test environment first, prior to implementing it in production. However, for security updates I do not recommend waiting for regular maintenance cycles; follow a more agile approach, and use the ratings as an indication of the urgency.
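To tie the points above together (CU-specific update, tagged file names, elevated install), here is an added PowerShell example, not code from the original post or from Microsoft: it reads the installed build from ExSetup.exe, matches it against the build table above, picks the .msp tagged for that CU level, and installs it via msiexec from an elevated session. The patch folder path and the assumption that the .msp files were renamed per the tagging convention are mine.

```powershell
# Added example (not from the original post). Assumes the SU files were saved to
# $PatchFolder and renamed as the post suggests, e.g. Exchange2019-CU10-KB5007012-x64-en.msp.
param(
    [string]$PatchFolder = 'C:\ExchangeSU'   # assumption: where the .msp files were downloaded
)

# Patched builds from the table in the post, keyed by the CU's major.minor.build.
# An SU only bumps the last (revision) number; it never changes the CU level.
$Table = @{
    '15.2.986'  = @{ Name = 'Exchange 2019 CU11'; Patched = [version]'15.2.986.9';   KB = 'KB5007012' }
    '15.2.922'  = @{ Name = 'Exchange 2019 CU10'; Patched = [version]'15.2.922.14';  KB = 'KB5007012' }
    '15.1.2375' = @{ Name = 'Exchange 2016 CU22'; Patched = [version]'15.1.2375.12'; KB = 'KB5007012' }
    '15.1.2308' = @{ Name = 'Exchange 2016 CU21'; Patched = [version]'15.1.2308.15'; KB = 'KB5007012' }
    '15.0.1497' = @{ Name = 'Exchange 2013 CU23'; Patched = [version]'15.0.1497.24'; KB = 'KB5007011' }
}

# Read the real installed build from ExSetup.exe. Get-ExchangeServer's AdminDisplayVersion
# only shows the CU build and does not reflect security updates.
$setupKey = 'HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15\Setup'
$binPath  = Join-Path (Get-ItemProperty $setupKey).MsiInstallPath 'bin\ExSetup.exe'
$build    = [version](Get-Item $binPath).VersionInfo.FileVersion
$entry    = $Table[('{0}.{1}.{2}' -f $build.Major, $build.Minor, $build.Build)]

if (-not $entry) { throw "Build $build is not a CU covered by this release; update to a supported CU first." }
if ($build -ge $entry.Patched) {
    Write-Host "$($entry.Name) is at $build (>= $($entry.Patched)); $($entry.KB) is already installed."
    return
}

# Select the .msp tagged for this CU level. The untagged download name is identical for
# every CU, which is exactly the mix-up the post's tagging convention prevents.
$cu  = ($entry.Name -split ' ')[-1]                      # e.g. 'CU10'
$msp = Get-ChildItem $PatchFolder -Filter "*-$cu-$($entry.KB)-*.msp" | Select-Object -First 1
if (-not $msp) { throw "No .msp tagged for $($entry.Name) ($($entry.KB)) found in $PatchFolder." }

# The SU must be run elevated; refuse to continue otherwise.
$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
           ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Run this from an elevated PowerShell session.' }

# Apply the patch via msiexec (/update takes an .msp) with a verbose log, then re-check the build.
$log = Join-Path $PatchFolder ('{0}-{1}.log' -f $env:COMPUTERNAME, $msp.BaseName)
Start-Process msiexec.exe -Wait -ArgumentList "/update `"$($msp.FullName)`" /passive /norestart /l*v `"$log`""
$after = [version](Get-Item $binPath).VersionInfo.FileVersion
if ($after -ge $entry.Patched) { Write-Host "Now at $after; reboot the server to finish." }
else { Write-Warning "Build is still $after; review $log before retrying." }
```

Run it in the test environment first, as the post recommends; /norestart defers the reboot the SU still requires.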