Security Updates Exchange 2016-2019 (Jun2023)

Posted on by

The Exchange product group released June updates for Exchange Server 2016 and 2019.

Note: Missing Exchange 2013? Its support ended April, 2023. Recommendation is to upgrade to a more recent version, or move to Exchange Online.

The vulnerabilities addressed in these Security Updates for Exchange Server are:

VulnerabilityCategorySeverityRating
CVE-2023-32031Remote Code ExecutionImportantCVSS:3.1 8.8 / 7.7
CVE-2023-28310Remote Code ExecutionImportantCVSS:3.1 8.0 / 7.0

The Security Updates for each supported Exchange Server build are linked below:

ExchangeDownloadBuildKBSupersedes
Exchange 2019 CU13Download15.2.1258.16KB5026261KB5024296
Exchange 2019 CU12Download15.2.1118.30KB5026261KB5024296
Exchange 2016 CU23Download15.1.2507.27KB5025903KB5024296

Other Issues
Apart from security fixes, these SU’s also fix the following:

FixExchange 2016Exchange 2019
“Object ‘<ServerName>’ couldn’t be found on ‘<DomainControllerName>'” error when trying to uninstall Exchange ServerYesYes
Changing the permissions for Public Folders by using an Outlook client will fail with the following error, if Extended Protection is enabled: The modified Permissions cannot be changed.YesYes

Notes:

  • Security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU12 to Exchange 2019 CU11. When downloading, the security update will carry the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level when archiving it, e.g. Exchange2019-CU13-KBXXXXXX-x64-en.msp.
  • Similar to Cumulative Updates, Security Updates are cumulative and you only need to install the latest SU for your CU.
  • Exchange servers running as part of hybrid deployment are managed through PowerShell, and thus need to be receive this patch and eventually be enabled for payload signing.
  • If you have installed the Exchange Management Tools separately for managing your on-premises Exchange Servers, or installed it after removal of the Last Exchange Server for recipient management, it is recommended to apply the Security Update.

On a final note, as with any patch or update, I’d recommend to apply this in a test environment first, prior to implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it concerns security updates, and follow a more agile approach; the ratings are an indication of the urgency.

This entry was posted in Exchange Server and tagged , , , , , by Michel de Rooij. Bookmark the permalink.
Unknown's avatar

About Michel de Rooij

Michel de Rooij, with over 25 years of mixed consulting and automation experience with Exchange and related technologies, is a consultant for Rapid Circle. He assists organizations in their journey to and using Microsoft 365, primarily focusing on Exchange and associated technologies and automating processes using PowerShell or Graph. Michel's authorship of several Exchange books and role in the Office 365 for IT Pros author team are a testament to his knowledge. Besides writing for Practical365.com, he maintains a blog on eightwone.com with supporting scripts on GitHub. Michel has been a Microsoft MVP since 2013.

Leave a comment