The Exchange PG released May updates for Exchange Server 2013, 2016 and 2019.
Note that per this cycle, Security Updates will be packaged in an executable wrapper. This should trigger the running elevated prompt, thus preventing any potential issues from simply double-clicking the .MSP file. More about the new package format, options for logging and command-line switches are mentioned in an article dedicated to the change of distribution method here.
The vulnerability addressed in the Security Updates for May is:
|CVE-2022-21978||Elevation of Privilege||Important||CVSS:3.1 8.2 / 7.1|
The following Security Updates address this vulnerability:
|Exchange 2019 CU12||Download||15.2.1118.9||KB5014261|
|Exchange 2019 CU11||Download||15.2.986.26||KB5014261|
|Exchange 2016 CU23||Download||15.1.2507.9||KB5014261|
|Exchange 2016 CU22||Download||15.1.2375.28||KB5014261|
|Exchange 2013 CU23||Download||15.0.1497.36||KB5014260|
The SU also fix the following issue:
- KB5013118 Exchange Service Host service fails after installing March 2022 security update
Important: As mentioned in the announcement, you must run /PrepareAllDomains after deploying the SU because of hardening measures. Exception is when you have multiple domains and some of them are never prepped; in that case prepare the individual domains required. Using your currently deployed binaries, run the following command, where the /IAccept switch you need to use depends on the Exchange version deployed and whether you provide diagnostics information:
& $exbin\setup.exe /PrepareAllDomains /[IAcceptExchangeServerLicenseTerms|IAcceptExchangeServerLicenseTerms_DiagnosticDataON|IAcceptExchangeServerLicenseTerms_DiagnosticDataOFF]
Be advised that these security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU12 to Exchange 2019 CU11. Also, the security update download has the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level, e.g. Exchange2019-CU10-KBXXXXXX-x64-en.msp.
Exchange servers running as part of hybrid deployment are running services, and thus need to be included in the patch cycle. If you are running Exchange 2019 CU12 Management Tools-only (for recipient management), you do not need to deploy this SU.
On a final note, as with any patch or update, I’d recommend to apply this in a test environment first, prior to implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it concerns security updates, and follow a more agile approach; the ratings are an indication of the urgency.