The Exchange product group released October updates for Exchange Server 2013, 2016 and 2019. Note that these Security Updates do NOT address the vulnerabilities CVE-2022-41040 and CVE-2022-41082 that have been reported on since the end of September. For now, mitigate those by following the instructions mentioned in an earlier post here.
The vulnerabilities addressed in these Security Updates are mostly the same as the ones addressed by the Security Updates of August, with the exception of CVE-2022-34692. Also, the CVSS rating of CVE-2022-30134 has been adjusted:
|Vulnerability|Category|Severity|Rating|
|---|---|---|---|
|CVE-2022-21979|Information Disclosure|Important|CVSS:3.1 4.8 / 4.2|
|CVE-2022-21980|Elevation of Privilege|Critical|CVSS:3.1 8.0 / 7.0|
|CVE-2022-24477|Elevation of Privilege|Critical|CVSS:3.1 8.0 / 7.0|
|CVE-2022-24516|Elevation of Privilege|Critical|CVSS:3.1 8.0 / 7.0|
|CVE-2022-30134|Elevation of Privilege|Important|CVSS:3.1 6.5 / 5.7 (was CVSS:3.1 7.6 / 6.6)|
The following Security Updates address these vulnerabilities for the Exchange builds mentioned:
|Exchange|Download|Build|KB|Supersedes|
|---|---|---|---|---|
|Exchange 2019 CU12|Download|15.2.1118.15|KB5019077|KB5015322|
|Exchange 2019 CU11|Download|15.2.986.30|KB5019077|KB5015322|
|Exchange 2016 CU23|Download|15.1.2507.13|KB5019077|KB5015322|
|Exchange 2016 CU22|Download|15.1.2375.32|KB5019077|KB5015322|
|Exchange 2013 CU23|Download|15.0.1497.42|KB5019076|KB5015321|
In case you missed it, per the Security Updates of August, you can enable Windows Extended Protection for increased protection against certain vulnerabilities. More information on this process and its requirements can be found in the post on the August updates here.
Be advised that these security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU12 to Exchange 2019 CU11. Also, the security update download has the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level, e.g. Exchange2019-CU12-KBXXXXXX-x64-en.msp.
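Because the update is tied to the CU level, a build check per server shows which package applies and whether it is already installed. The following PowerShell is an added example, not part of the original post: the SU builds and KB numbers come from the table above, while the function name `Test-ExchangeSUBuild`, the server names and the installed builds in the inventory are constructed for illustration.

```powershell
# SU builds and KB numbers from the table in this post, keyed by the CU's major.minor.build.
$OctoberSU = @{
    '15.2.1118' = @{ CU = 'Exchange2019-CU12'; Build = [version]'15.2.1118.15'; KB = 'KB5019077' }
    '15.2.986'  = @{ CU = 'Exchange2019-CU11'; Build = [version]'15.2.986.30';  KB = 'KB5019077' }
    '15.1.2507' = @{ CU = 'Exchange2016-CU23'; Build = [version]'15.1.2507.13'; KB = 'KB5019077' }
    '15.1.2375' = @{ CU = 'Exchange2016-CU22'; Build = [version]'15.1.2375.32'; KB = 'KB5019077' }
    '15.0.1497' = @{ CU = 'Exchange2013-CU23'; Build = [version]'15.0.1497.42'; KB = 'KB5019076' }
}

# Hypothetical helper: compares a server's build with the SU build for its own CU level.
function Test-ExchangeSUBuild {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][version]$InstalledBuild
    )
    # The first three version fields identify the CU; the fourth changes with each SU.
    $key = '{0}.{1}.{2}' -f $InstalledBuild.Major, $InstalledBuild.Minor, $InstalledBuild.Build
    $su  = $OctoberSU[$key]
    $status = if (-not $su) {
        'CU not in the SU table: no package for this CU level'
    } elseif ($InstalledBuild -ge $su.Build) {
        'SU build or later present'
    } else {
        'SU missing'
    }
    [pscustomobject]@{
        Server    = $Server
        Installed = $InstalledBuild
        Required  = if ($su) { $su.Build }
        Status    = $status
        # File name tagged with the CU level, following the pattern suggested in the post.
        Package   = if ($su) { '{0}-{1}-x64-en.msp' -f $su.CU, $su.KB }
    }
}

# Constructed inventory. In practice the build could be read from the file version of
# ExSetup.exe (assumption); its zero-padded fields parse to the same [version] value.
$inventory = @(
    @{ Server = 'EX19-A'; Build = '15.02.1118.015' }   # at the SU build
    @{ Server = 'EX19-B'; Build = '15.02.1118.007' }   # same CU, lower revision
    @{ Server = 'EX16-A'; Build = '15.01.2507.013' }   # at the SU build
    @{ Server = 'EX16-B'; Build = '15.01.2308.008' }   # CU level not in the table
)
$inventory |
    ForEach-Object { Test-ExchangeSUBuild -Server $_.Server -InstalledBuild $_.Build } |
    Format-Table -AutoSize
```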
Exchange servers running as part of a hybrid deployment are running services, and thus need to be included in the patch cycle. If you are running Exchange 2019 CU12 Management Tools-only (for recipient management), you do not need to deploy this SU.
On a final note, as with any patch or update, I’d recommend applying this in a test environment first, prior to implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it concerns security updates; follow a more agile approach instead. The ratings are an indication of the urgency.
First link goes to August updates, this is the correct one:
“Note that these Security Updates do NOT address the vulnerabilities CVE-2022-41040 and CVE-2022-41082 that have been reported on since end of September. For now, mitigate those by follow the instructions mentioned an earlier post here.”
When I installed the 10/22/2022 patches, they added the URL Rewrite filter described in the post.
They did, or were deployed by EEMS?
Thank you for the info. I’m going to update our on premise Exchange next night.