Security Updates Exchange 2016-2019 (Oct2023)

Posted on by

The Exchange product group released October updates for Exchange Server 2016 and 2019.

The vulnerabilities addressed in these Security Updates for Exchange Server are:

VulnerabilityCategorySeverityRating
CVE-2023-36726Elevation of PrivilegeImportantCVSS:3.1 7.8 / 6.8
CVE-2023-36780Remote Code ExecutionImportantCVSS:3.1 7.2 / 6.3
CVE-2023-36778Remote Code ExecutionImportantCVSS:3.1 8.0 / 7.0

The Security Updates for each supported Exchange Server build are linked below:

ExchangeDownloadBuildKBSupersedes
Exchange 2019 CU13Download15.2.1258.27KB5030877KB5030524
Exchange 2019 CU12Download15.2.1118.39KB5030877KB5030524
Exchange 2016 CU23Download15.1.2507.34KB5030877KB5030524

TokenCacheModule

The recommendation for the August updates was to disable the TokenCacheModule in IIS to mitigate an Elevation of Privilege issue in IIS. That issue is fixed with a Windows update for CVE-2023-36434. Thus, after installing this update for IIS, it is no longer recommended to disable TokenCacheModule. When you have disabled it after installing the August 2023 updates, you can enable it again using New-WebGlobalModule -Name "TokenCacheModule" -Image "%windir%\System32\inetsrv\cachtokn.dll", or use the CVE-2023-21709.ps1 script specifying the -Rollback switch to (re-)enable it on all of your Exchange servers.

Fixed Issues

Apart from security fixes, these Security Updates also correct the following issues:

Issue FixedExchange 2016Exchange 2019
Users in account forest can’t change expired password in OWA in multi-forest Exchange deployments after installing August 2023 SUYesYes
Details Templates Editor fails and returns BlockedDeserializeTypeExceptionYesYes
Extended Protection causes Outlook for Mac to fail to download the OAB (use updated Extended Protection script)YesYes

Notes

  • Security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU13 to Exchange 2019 CU12. When downloading, the security update will carry the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level when archiving it, e.g., Exchange2019-CU13-KBXXXXXX-x64-en.msp.
  • Similar to Cumulative Updates, Security Updates are cumulative, and you only need to install the latest SU for your CU.
  • If you have installed the Exchange Management Tools separately for managing your on-premises Exchange Servers or installed it after removal of the Last Exchange Server for recipient management, it is recommended to apply the Security Update.

On a final note, as with any patch or update, it is recommended to apply this in a test environment first prior to implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it concerns security updates and follow a more agile approach; the ratings are an indication of the urgency.

This entry was posted in Exchange Server and tagged , , , , , by Michel de Rooij. Bookmark the permalink.
Unknown's avatar

About Michel de Rooij

Michel de Rooij, with over 25 years of mixed consulting and automation experience with Exchange and related technologies, is a consultant for Rapid Circle. He assists organizations in their journey to and using Microsoft 365, primarily focusing on Exchange and associated technologies and automating processes using PowerShell or Graph. Michel's authorship of several Exchange books and role in the Office 365 for IT Pros author team are a testament to his knowledge. Besides writing for Practical365.com, he maintains a blog on eightwone.com with supporting scripts on GitHub. Michel has been a Microsoft MVP since 2013.

1 thought on “Security Updates Exchange 2016-2019 (Oct2023)

Leave a comment