Another year, another Patch Tuesday! A quick blog on January 2022’s security updates for Exchange Server 2013 up to 2019.
The vulnerabilities addressed in these security updates are:
|CVE-2022-21969||Remote Code Execution||Important||CVSS:3.1 9.0 / 7.8|
|CVE-2022-21855||Remote Code Execution||Important||CVSS:3.1 9.0 / 7.8|
|CVE-2022-21846||Remote Code Execution||Critical||CVSS:3.0 9.0 / 7.8|
Vulnerabilities mentioned in the table above are addressed in the following security updates.
|Exchange 2019 CU11||Download||15.2.986.15||KB5008631||KB5007409|
|Exchange 2019 CU10||Download||15.2.922.20||KB5008631||KB5007409|
|Exchange 2016 CU22||Download||15.1.2375.18||KB5008631||KB5007409|
|Exchange 2016 CU21||Download||15.1.2308.21||KB5008631||KB5007409|
|Exchange 2013 CU23||Download||15.0.1497.28||KB5008631||KB5007409|
More detailed information can be found at the original blog post here. The security update also fixes the OWA redirection problem for Exchange hybrid deployments introduced with the November security updates.
Be advised that these security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU11 to Exchange 2019 CU10. Also, the security update download has the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level, e.g. Exchange2019-CU10-KBXXXXXX-x64-en.msp.
As a reminder, run the Security Update from an elevated command prompt to prevent issues during installation. In other words: Do not just double-click on the .MSP file. And on a final note, as with any patch or update, I’d recommend to apply this in a test environment first, prior to implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it concerns security updates, and follow a more agile approach; the ratings are an indication of the urgency.