The Exchange product group released March updates for Exchange Server 2013, 2016 and 2019. Be advised that the Exchange team also put out a notice for fixed vulnerability in Outlook (CVE-2023-23397), together with a supporting script to analyze mailboxes for this possible exploit (link), which is rather uncommon.
The vulnerability addressed in these Security Updates for Exchange Server is:
| Vulnerability | Category | Severity | Rating |
|---|---|---|---|
| CVE-2022-21978 | Remote Code Execution | Important | CVSS:3.1 8.8 / 7.7 |
The Security Updates for each supported Exchange Server build are linked below:
| Exchange | Download | Build | KB | Supersedes |
|---|---|---|---|---|
| Exchange 2019 CU12 | Download | 15.2.1118.26 | KB5024296 | KB5023038 |
| Exchange 2019 CU11 | Download | 15.2.986.42 | KB5024296 | KB5023038 |
| Exchange 2016 CU23 | Download | 15.1.2507.23 | KB5024296 | KB5023038 |
| Exchange 2013 CU23 | Download | 15.0.1497.48 | KB5024296 | KB5023038 |
Note: As mentioned last month, be advised that Exchange Server 2013 support will end in April, 2023. This means: Exchange 2013 will stop to receive security updates. Recommendation is to upgrade to a more recent version, or move to Exchange Online.
Other Issues
Apart from security fixes, these SUs also fix the following:
| Issue | Exchange 2013 | Exchange 2016 | Exchange 2019 |
| You can’t access Toolbox on Exchange after enabling EnableSerializationDataSigning | Yes | Yes | Yes |
| EEMS stops responding after TLS endpoint certificate update | Yes | Yes | Yes |
| Get-App and GetAppManifests fail and return an exception | Yes | Yes | Yes |
| EWS does not respond and returns an exception | Yes | Yes | Yes |
| An exception is returned while opening a template in the Exchange Toolbox | Yes | Yes | Yes |
Notes:
- Security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU12 to Exchange 2019 CU11. When downloading, the security update will carry the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level when archiving it, e.g. Exchange2019-CU12-KBXXXXXX-x64-en.msp.
- Similar to Cumulative Updates, Security Updates are cumulative and you only need to install the latest SU for your CU.
- Exchange servers running as part of hybrid deployment are managed through PowerShell, and thus need to be receive this patch and eventually be enabled for payload signing.
- If you have installed the Exchange Management Tools separately for managing your on-premises Exchange Servers, or installed it after removal of the Last Exchange Server for recipient management, it is recommended to apply the Security Update.
On a final note, as with any patch or update, I’d recommend to apply this in a test environment first, prior to implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it concerns security updates, and follow a more agile approach; the ratings are an indication of the urgency.
EighTwOne (821) 