The Exchange product group released January updates for Exchange Server 2013, 2016 and 2019.
The vulnerabilities addressed in these Security Updates are:
Vulnerability | Category | Severity | Rating (CVSS:3.1 base / temporal) |
---|---|---|---|
CVE-2023-21764 | Elevation of Privilege | Important | CVSS:3.1 7.8 / 6.8 |
CVE-2023-21763 | Elevation of Privilege | Important | CVSS:3.1 7.8 / 6.8 |
CVE-2023-21745 | Spoofing | Important | CVSS:3.1 8.8 / 7.9 |
CVE-2023-21762 | Spoofing | Important | CVSS:3.1 8.0 / 7.0 |
CVE-2023-21761 | Information Disclosure | Important | CVSS:3.1 7.5 / 6.5 |
The Security Updates for each Exchange Server version are linked below. Note that only CVE-2023-21762 applies to Exchange Server 2013:
Exchange | Download | Build | KB | Supersedes |
---|---|---|---|---|
Exchange 2019 CU12 | Download | 15.2.1118.21 | KB5022193 | KB5019758 |
Exchange 2019 CU11 | Download | 15.2.986.37 | KB5022193 | KB5019758 |
Exchange 2016 CU23 | Download | 15.1.2507.17 | KB5022143 | KB5019758 |
Exchange 2013 CU23 | Download | 15.0.1497.45 | KB5022188 | KB5019758 |
In case you are wondering why Exchange Server 2016 CU22 is not mentioned: CU22 went out of support, and only CU23 will continue to receive security updates. On another note, Exchange 2013 support will end in April 2023, meaning it will stop receiving security updates. The recommendation is to upgrade to a more recent version.
Payload Serialization Signing
Apart from fixing security issues, these SUs also introduce support for certificate-based signing of PowerShell serialization payloads. TL;DR: it allows the serialized data to be signed so that tampering can be detected. More info on the topic is available here, and the process is explained at https://aka.ms/HC-SerializedDataSigning. To verify or configure signing, a script has been published here, or check here if you prefer manual steps. Note that all your Exchange servers need to run this SU before you enable signing, as every Exchange server needs to be able to process signed payloads.
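As an added example (not from the article, nor Microsoft's script or Exchange itself), the following check covers the caveat above: it reads the installed SU level of every Exchange server and compares it against the January 2023 builds from the table in this post, so you know whether signing can be enabled yet. It assumes the Exchange Management Shell and WinRM remoting to each server; `Test-ExchangeSuLevel` and `$MinimumBuild` are names chosen here.

```powershell
# Added example, not part of the article or of Microsoft's tooling.
# Assumes: Exchange Management Shell, PowerShell remoting (WinRM) to each
# server, and ExSetup.exe under $env:ExchangeInstallPath\bin on every server.
# AdminDisplayVersion does not change when an SU is installed, so the file
# version of ExSetup.exe is read instead (it is zero padded, e.g. 15.02.1118.021,
# which the [version] cast normalises to 15.2.1118.21).

# Minimum builds per supported CU, taken from the table in this post
$MinimumBuild = @{
    '15.2.1118' = [version]'15.2.1118.21'   # Exchange 2019 CU12, KB5022193
    '15.2.986'  = [version]'15.2.986.37'    # Exchange 2019 CU11, KB5022193
    '15.1.2507' = [version]'15.1.2507.17'   # Exchange 2016 CU23, KB5022143
    '15.0.1497' = [version]'15.0.1497.45'   # Exchange 2013 CU23, KB5022188
}

function Test-ExchangeSuLevel {
    foreach ($srv in (Get-ExchangeServer | Sort-Object Name)) {
        $row = [ordered]@{ Server = $srv.Name; Build = $null; Required = $null; Status = 'Unknown' }
        try {
            $fileVersion = Invoke-Command -ComputerName $srv.Fqdn -ErrorAction Stop -ScriptBlock {
                (Get-Item (Join-Path $env:ExchangeInstallPath 'bin\ExSetup.exe')).VersionInfo.FileVersion
            }
            $build = [version]$fileVersion
            $row.Build = $build.ToString()
            # The CU is identified by major.minor.build; the revision is the SU level
            $cuKey = '{0}.{1}.{2}' -f $build.Major, $build.Minor, $build.Build
            if ($MinimumBuild.ContainsKey($cuKey)) {
                $row.Required = $MinimumBuild[$cuKey].ToString()
                $row.Status = if ($build -ge $MinimumBuild[$cuKey]) { 'OK' } else { 'SU missing' }
            } else {
                # e.g. Exchange 2016 CU22: out of support, no SU available for it
                $row.Status = 'Unsupported CU'
            }
        } catch {
            $row.Status = "Error: $($_.Exception.Message)"
        }
        [pscustomobject]$row
    }
}

$report = Test-ExchangeSuLevel
$report | Format-Table -AutoSize
$notReady = @($report | Where-Object { $_.Status -ne 'OK' })
if ($notReady.Count -gt 0) {
    Write-Warning ("{0} server(s) not ready; do not enable payload signing yet." -f $notReady.Count)
}
```

Management Tools-only machines are not returned by Get-ExchangeServer, which matches the note further down that they do not need this SU.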
Other Issues
Apart from security fixes, these SUs also fix the following:
Security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU12 to Exchange 2019 CU11. When downloading, the security update will carry the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level when archiving it, e.g. Exchange2019-CU12-KBXXXXXX-x64-en.msp.
Exchange servers running as part of a hybrid deployment are managed through PowerShell, and thus need to receive this patch and eventually be enabled for payload signing. If you are running Exchange 2019 Management Tools-only (for recipient management), you do not need to deploy this SU.
On a final note, as with any patch or update, I’d recommend applying this in a test environment first, prior to implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it concerns security updates; follow a more agile approach instead, using the ratings as an indication of the urgency.
Wanted to let you know about a fun little gotcha I discovered when enabling the “PowerShell Serialization Payload Signing” after applying the “Security Update For Exchange Server 2016 CU23 SU5 (KB5022143)”… at least for Exchange 2016.
After the patch was installed and the servers were all rebooted, I followed the instructions you linked to for enabling “PowerShell Serialization Payload Signing”.
AFTERWARD… I discovered the Exchange Toolbox MMC (and the Exchange Queue Viewer MMC if you run it directly) fail to run, giving an exception error.
In trying to troubleshoot it, I eventually stumbled on this, which allowed me to DISable the Serialization Payload Signing and regain use of the MMC:
https://support.microsoft.com/en-us/topic/exchange-toolbox-and-queue-viewer-fails-after-certificate-signing-of-powershell-serialization-payload-is-enabled-7a1bff2d-614f-4fa0-bab1-ea6c25dae047
Granted, their “Workaround 1” is to use the PS command versions, rather than the MMC. Which would work. If you’re comfortable with that (or want to become so), then that may be fine. In my case, I have some less technical staff who would want to see the GUI if troubleshooting in an emergency. 😦 So I will wait in hopes of a patch.
Hope it helps! 🙂
These periods of transition always come with rough edges. Glad you found a solution for your inconvenience, and the article you linked to may save others a few minutes of searching.