Security Updates Exchange 2013-2019 (Jan2023)

The Exchange product group released January updates for Exchange Server 2013, 2016 and 2019.

The vulnerabilities addressed in these Security Updates are:

VulnerabilityCategorySeverityRating
CVE-2023-21764Elevation of PrivilegeImportantCVSS:3.1 7.8 / 6.8
CVE-2023-21763Elevation of PrivilegeImportantCVSS:3.1 7.8 / 6.8
CVE-2023-21745SpoofingImportantCVSS:3.1 8.8 / 7.9
CVE-2023-21762SpoofingImportantCVSS:3.1 8.0 / 7.0
CVE-2023-21761Information DisclosureImportantCVSS:3.1 7.5 / 6.5

The Security Updates for each Exchange Server version are linked below. Note that only CVE-2023-21762 applies to Exchange Server 2013:

ExchangeDownloadBuildKBSupersedes
Exchange 2019 CU12Download15.2.1118.21KB5022193KB5019758
Exchange 2019 CU11Download15.2.986.37KB5022193KB5019758
Exchange 2016 CU23Download15.1.2507.17KB5022143KB5019758
Exchange 2013 CU23Download15.0.1497.45KB5022188KB5019758

In case you are wondering why Exchange Server 2016 CU22 is not mentioned: CU22 went out of support, and only CU23 will continue to receive security updates. On another note, Exchange 2013 support will end in April, 2023, meaning it it will stop receiving security updates. Recommendation is to upgrade to a more recent version.

Payload Serialization Signing
Apart from fixing security issues, these SUs also introduce support for certificate-based signing of PowerShell serialization payloads. TLDR; it allows for signing data to identify possible tampering. More info on the topic here. The process is explained at https://aka.ms/HC-SerializedDataSigning. In order to verify or configure signing, a script has been published here, or check here if you prefer manual steps. Note that all your Exchange servers need to run this SU before you enable signing, as each Exchange server needs to understand the signing.

Other Issues
Apart from security fixes, these SUs also fix the following:

Issue Ex2013Ex2016Ex2019
Store Worker Process stops and returns “System.NullReferenceExceptions” multiple times per dayYesYes
Can’t record or play in Exchange Unified MessagingYesYes
Exchange Application log is flooded with Event ID 6010Yes

Security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU12 to Exchange 2019 CU11. When downloading, the security update will carry the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level when archiving it, e.g. Exchange2019-CU12-KBXXXXXX-x64-en.msp.

Exchange servers running as part of hybrid deployment are managed through PowerShell, and thus need to be receive this patch and eventually be enabled for payload signing. If you are running Exchange 2019 Management Tools-only (for recipient management), you do not need to deploy this SU.

On a final note, as with any patch or update, I’d recommend to apply this in a test environment first, prior to implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it concerns security updates, and follow a more agile approach; the ratings are an indication of the urgency.

2 thoughts on “Security Updates Exchange 2013-2019 (Jan2023)

  1. Wanted to let you know about a fun little gotcha I discovered when enabling the “PowerShell Serialization Payload Signing” after applying the “Security Update For Exchange Server 2016 CU23 SU5 (KB5022143)”… at least for Exchange 2016.

    After the patch was installed and the servers were all rebooted, I followed the instructions you linked to for enabling “PowerShell Serialization Payload Signing”.

    AFTERWARD… I discovered the Exchange Toolbox MMC (and the Exchange Queue Viewer MMC if you run it directly) fail to run, giving an exception error.

    In trying to troubleshoot it, I eventually stumbled on this, which allowed me to DISable the Serialization Payload Signing and regain use of the MMC:
    https://support.microsoft.com/en-us/topic/exchange-toolbox-and-queue-viewer-fails-after-certificate-signing-of-powershell-serialization-payload-is-enabled-7a1bff2d-614f-4fa0-bab1-ea6c25dae047

    Granted, their “Workaround 1” is to use the PS command versions, rather than the MMC. Which would work. If you’re comfortable with (or want to become so) then that may be fine. In my case, I have some less technical staff who would want to see the GUI if troubleshooting in an emergency. 😦 So I will wait in hopes of a patch.

    Hope it helps! 🙂

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.