The Exchange PG released March updates for Exchange Server 2013, 2016 and 2019. More detailed information on patching and how to get current when running an earlier CU of Exchange, can be found at the original blog post here.
The vulnerabilities addressed in these security updates are:
|CVE-2022-23277||Remote Code Execution||Critical||CVSS:3.1 8.8 / 7.7|
|CVE-2022-24463||Spoofing||Important||CVSS:3.1 6.5 / 5.7|
These vulnerabilities are addressed in the following security updates below. The exception is KB5010324 which does not fix CVE-2022-24463 for Exchange 2013. If this is because of the severity classification or the problem being non-existent for Exchange 2013, has not been not disclosed.
|Exchange 2019 CU11||Download||15.2.986.22||KB5012698||KB5008631|
|Exchange 2019 CU10||Download||15.2.922.27||KB5012698||KB5008631|
|Exchange 2016 CU22||Download||15.1.2375.24||KB5012698||KB5008631|
|Exchange 2016 CU21||Download||15.1.2308.27||KB5012698||KB5008631|
|Exchange 2013 CU23||Download||15.0.1497.33||KB5010324||KB5008631|
Finally, KB5010324 also contains the following additional fix for Exchange 2013:
- 5012925 RFC certificate timestamp validation in Exchange Server 2013
Be advised that these security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU11 to Exchange 2019 CU10. Also, the security update download has the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level, e.g. Exchange2019-CU10-KBXXXXXX-x64-en.msp.
As a reminder, run the Security Update from an elevated command prompt to prevent issues during installation. In other words: Do not just double-click on the .MSP file. And on a final note, as with any patch or update, I’d recommend to apply this in a test environment first, prior to implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it concerns security updates, and follow a more agile approach; the ratings are an indication of the urgency.