The Exchange product group released October updates for Exchange Server 2013, 2016 and 2019. Note that these Security Updates do NOT address the vulnerabilities CVE-2022-41040 and CVE-2022-41082 that have been reported on since end of September. For now, mitigate those by follow the instructions mentioned an earlier post here.
The vulnerabilities addressed in these Security Updates are mostly the same as the ones addressed by the Security Updates of August, with the exception of CVE-2022-34692. Also, the CVSS rating of CVE-2022-30134 has been adjusted:
|CVE-2022-21979||Information Disclosure||Important||CVSS:3.1 4.8 / 4.2|
|CVE-2022-21980||Elevation of Privilege||Critical||CVSS:3.1 8.0 / 7.0|
|CVE-2022-24477||Elevation of Privilege||Critical||CVSS:3.1 8.0 / 7.0|
|CVE-2022-24516||Elevation of Privilege||Critical||CVSS:3.1 8.0 / 7.0|
|CVE-2022-30134||Elevation of Privilege||Important||CVSS:3.1 6.5 / 5.7|
(was CVSS:3.1 7.6 / 6.6)
The following Security Updates address these vulnerability for the Exchange builds mentioned:
|Exchange 2019 CU12||Download||15.2.1118.15||KB5019077||KB5015322|
|Exchange 2019 CU11||Download||15.2.986.30||KB5019077||KB5015322|
|Exchange 2016 CU23||Download||15.1.2507.13||KB5019077||KB5015322|
|Exchange 2016 CU22||Download||15.1.2375.32||KB5019077||KB5015322|
|Exchange 2013 CU23||Download||15.0.1497.42||KB5019076||KB5015321|
In case you missed it, per the Security Updates of August, you can enable Windows Extended Protection for increased protection against certain vulnerabilities. More information this process and its requirements can be found in the post on the August updates here.
Be advised that these security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU12 to Exchange 2019 CU11. Also, the security update download has the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level, e.g. Exchange2019-CU12-KBXXXXXX-x64-en.msp.
Exchange servers running as part of hybrid deployment are running services, and thus need to be included in the patch cycle. If you are running Exchange 2019 CU12 Management Tools-only (for recipient management), you do not need to deploy this SU.
On a final note, as with any patch or update, I’d recommend to apply this in a test environment first, prior to implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it concerns security updates, and follow a more agile approach; the ratings are an indication of the urgency.