Security Updates Exchange 2013-2019 (Nov2022)

The Exchange product group released November updates for Exchange Server 2013, 2016 and 2019. Note that these Security Updates address the vulnerabilities CVE-2022-41040 and CVE-2022-41082 that were reported end of September. More on those in an earlier post.

Note: You can keep the current URLScan mitigations in-place, and remove them after installing these security updates at your convenience. The recommendation to disable Remote PowerShell for non-admins is upheld, but this is best practice regardless.

The vulnerabilities addressed in these Security Updates are:

CVE-2022-41040Elevation of PrivilegeCriticalCVSS:3.1 8.8 / 7.9
CVE-2022-41082Elevation of PrivilegeImportantCVSS:3.1 8.8 / 8.3
CVE-2022-41078Elevation of PrivilegeImportantCVSS:3.1 8.0 / 7.0
CVE-2022-41123Elevation of PrivilegeImportantCVSS:3.1 7.8 / 6.8
CVE-2022-41079Elevation of PrivilegeImportantCVSS:3.1 8.0 / 7.0
CVE-2022-41080Elevation of PrivilegeCriticalCVSS:3.1 8.8 / 7.7

The following Security Updates address these vulnerability for the Exchange builds mentioned, with the exception of CVE-2022-41123 which does not apply to Exchange Server 2013:

Exchange 2019 CU12Download15.2.1118.20KB5019758KB5019077
Exchange 2019 CU11Download15.2.986.36KB5019758KB5019077
Exchange 2016 CU23Download15.1.2507.16KB5019758KB5019077
Exchange 2016 CU22Download15.1.2375.37KB5019758KB5019077
Exchange 2013 CU23Download15.0.1497.44KB5019758KB5019076

In case you missed it, per the Security Updates of August, you can enable Windows Extended Protection for increased protection against certain vulnerabilities. More information this process and its requirements can be found in the post on the August updates here.

Security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU12 to Exchange 2019 CU11. Also, the security update download has the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level, e.g. Exchange2019-CU12-KBXXXXXX-x64-en.msp.

Exchange servers running as part of hybrid deployment are running services, and thus need to be included in the patch cycle. If you are running Exchange 2019 CU12 Management Tools-only (for recipient management), you do not need to deploy this SU.

On a final note, as with any patch or update, I’d recommend to apply this in a test environment first, prior to implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it concerns security updates, and follow a more agile approach; the ratings are an indication of the urgency.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.