[20Feb] Added information regarding issues reported.
The Exchange product group released February updates for Exchange Server 2013, 2016 and 2019.
The vulnerabilities addressed in these Security Updates are:
|CVE-2023-21529||Remote Code Execution||Important||CVSS:3.1 8.8 / 7.7|
|CVE-2023-21706||Remote Code Execution||Important||CVSS:3.1 8.8 / 7.7|
|CVE-2023-21707||Remote Code Execution||Important||CVSS:3.1 8.8 / 7.7|
|CVE-2023-21710||Remote Code Execution||Important||CVSS:3.1 7.2 / 6.3|
The Security Updates for each supported Exchange Server build are linked below:
|Exchange 2019 CU12||Download||15.2.1118.25||KB5023038||KB5022193|
|Exchange 2019 CU11||Download||15.2.986.41||KB5023038||KB5022193|
|Exchange 2016 CU23||Download||15.1.2507.21||KB5023038||KB5022143|
|Exchange 2013 CU23||Download||15.0.1497.47||KB5023038||KB5022188|
Note: As mentioned last month, be advised that Exchange Server 2013 support will end in April, 2023. This means: Exchange 2013 will stop to receive security updates. Recommendation is to upgrade to a more recent version, or move to Exchange Online.
Apart from security fixes, these SUs also fix the following:
|Issue||Exchange 2013||Exchange 2016||Exchange 2019|
|Export-UMPrompt fails with InvalidResponseException||Yes||Yes||N/A|
|Edge Transport service returns an “EseNtOutOfSessions” Exception||Yes||Yes||Yes|
|Exchange services in automatic startup mode do not start automatically||Yes||Yes||Yes|
|Data source returns incorrect checkpoint depth||Yes||Yes||Yes|
|Serialization fails while tried accessing Mailbox Searches in ECP||Yes||Yes||Yes|
|Transport delivery service mishandles iCAL events||Yes||Yes||Yes|
- Security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU12 to Exchange 2019 CU11. When downloading, the security update will carry the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level when archiving it, e.g. Exchange2019-CU12-KBXXXXXX-x64-en.msp.
- Similar to Cumulative Updates, Security Updates are cumulative and you only need to install the latest SU for your CU.
- Exchange servers running as part of hybrid deployment are managed through PowerShell, and thus need to be receive this patch and eventually be enabled for payload signing.
- If you have installed the Exchange Management Tools separately for managing your on-premises Exchange Servers, or installed it after removal of the Last Exchange Server for recipient management, it is recommended to apply the Security Update.
On a final note, as with any patch or update, I’d recommend to apply this in a test environment first, prior to implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it concerns security updates, and follow a more agile approach; the ratings are an indication of the urgency.
[20Feb] Shortly after release, people reported through the comments that EWS started having issues after deploying the security update. Symptoms reported were problems with (server side) searches, add-ins not loading, and calendar operations such as scheduling or sharing taking a long time to load. Since it’s EWS having problems, applications depending on this protocol also may stop to work, such as Teams.
Meanwhile, Microsoft acknowledged an issue with the initial publication, and published workaround. If experience issues and see the event 4999 in your Eventlog:
E12IIS, c-RTL-AMD64, 15.01.2507.021, w3wp#MSExchangeServicesAppPool, M.Exchange.Diagnostics, M.E.D.ChainedSerializationBinder.EnforceBlockReason, M.E.Diagnostics.BlockedDeserializeTypeException, 437c-dumptidset, 15.01.2507.021.
follow the instructions in the following KB article link:
- On each Exchange server, create a registry key
New-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15\Diagnostics -Name 'DisableBaseTypeCheckForDeserialization' -Value 1 -Type String
- Create a global override setting
New-SettingOverride -Name 'Adding learning location ClientExtensionCollectionFormatter' -Component Data -Section DeserializationBinderSettings -Parameters @('LearningLocations=ClientExtensionCollectionFormatter') -Reason 'Deserialization failed'
- If you cannot wait until the override configuration kicks in (may take an one hour), refresh it manually:
Get-ExchangeDiagnosticInfo -Process Microsoft.Exchange.Directory.TopologyService -Component VariantConfiguration -Argument Refresh
- Restart IIS and the Windows Activation Proces on each server
Restart-Service -Name W3SVC, WAS -Force
Be advised that event 4999 might still show up in your Eventlog, and it has been reported that this might not completely does away with the issues reported. Keep an eye on the original post and EHLO blog for any future updates.
Hi Michel, looks like guidance regarding installation of SUs on servers or workstations running Exchange Management Tools only have changed:
Do we need to install SUs on all Exchange Servers within our organization? What about ‘Management Tools only’ machines?
Our recommendation is to install Security Updates on all Exchange Servers as well as servers or workstations running Exchange Management Tools only, which will ensure that there is no incompatibility between management tools clients and servers.
Source: FAQ Section from https://techcommunity.microsoft.com/t5/exchange-team-blog/released-february-2023-exchange-server-security-updates/ba-p/3741058/page/2#comments
Thanks for the heads-up. Clarified statement, originally meant managing recipients through the remaining module after removing the last Exchange server.