Security Updates Exchange 2016-2019 (Nov2023)

The Exchange product group released November updates for Exchange Server 2016 and 2019.

The vulnerabilities addressed in these Security Updates for Exchange Server are:

Vulnerability   | Category               | Severity  | Rating
CVE-2023-36439  | Remote Code Execution  | Important | CVSS:3.1 8.0 / 7.0
CVE-2023-36050  | Spoofing               | Important | CVSS:3.1 8.0 / 7.0
CVE-2023-36039  | Spoofing               | Important | CVSS:3.1 8.0 / 7.0
CVE-2023-36035  | Spoofing               | Important | CVSS:3.1 8.0 / 7.0

The Security Updates for each supported Exchange Server build are linked below:

Exchange             | Download | Build         | KB        | Supersedes
Exchange 2019 CU13   | Download | 15.2.1258.28  | KB5032146 | KB5030877
Exchange 2019 CU12   | Download | 15.2.1118.40  | KB5032146 | KB5030877
Exchange 2016 CU23   | Download | 15.1.2507.35  | KB5032147 | KB5030877

Payload Serialization Signing

Be advised that these updates enable payload signing by default. Payload serialization signing signs PowerShell serialization payloads so that tampering can be detected. Support for certificate-based signing of PowerShell serialization payloads was added with the January security updates and is a per-server configuration. In other words, deploy the January security updates before these security updates, so that every Exchange server supports payload signing before you enable it one server at a time.

More information on the topic is available here. The process is explained at https://aka.ms/HC-SerializedDataSigning. To verify or configure signing, use the script published here or follow the manual steps. Signing relies on the organization-wide Exchange Auth Certificate, which needs to be present and valid on every server; the MonitorExchangeAuthCertificate.ps1 script can help you verify this.
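As an added example (not the post's script and not Microsoft's), the following Exchange Management Shell code checks the two things that have to be right on a server before signing is switched on: the per-server switch and the Auth Certificate it depends on. It assumes the per-server switch is the registry value EnableSerializationDataSigning (REG_DWORD, 1 = enabled) under HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15\Diagnostics, as described in the Microsoft guidance linked above, and that the Auth Certificate is the one referenced by Get-AuthConfig; the function names are my own.

```powershell
# Added example, not code from the post or from Microsoft.
# Run in the Exchange Management Shell on the server being checked.
# Assumptions: the per-server switch is the registry value
# EnableSerializationDataSigning (REG_DWORD, 1 = enabled) under
# HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15\Diagnostics (see
# https://aka.ms/HC-SerializedDataSigning); signing uses the Auth Certificate
# referenced by Get-AuthConfig.

$SigningRegPath = 'HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15\Diagnostics'
$SigningRegName = 'EnableSerializationDataSigning'

function Test-SerializationSigning {
    # Per-server switch; a missing value counts as disabled.
    $item    = Get-ItemProperty -Path $SigningRegPath -Name $SigningRegName -ErrorAction SilentlyContinue
    $enabled = ($null -ne $item) -and ($item.$SigningRegName -eq 1)

    # Signing uses the organization-wide Exchange Auth Certificate.
    $auth  = Get-AuthConfig
    $thumb = $auth.CurrentCertificateThumbprint
    $cert  = if ($thumb) { Get-ExchangeCertificate -Thumbprint $thumb -ErrorAction SilentlyContinue }

    # The certificate must be present on this server and currently valid.
    $now       = Get-Date
    $certValid = ($null -ne $cert) -and ($cert.Status -eq 'Valid') -and
                 ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
    $expires   = if ($cert) { $cert.NotAfter } else { $null }

    [pscustomobject]@{
        Server             = $env:COMPUTERNAME
        SigningEnabled     = $enabled
        AuthCertThumbprint = $thumb
        AuthCertPresent    = ($null -ne $cert)
        AuthCertValid      = $certValid
        AuthCertExpires    = $expires
        NextAuthCert       = $auth.NextCertificateThumbprint  # pending rollover, if any
        ReadyToSign        = $certValid
    }
}

function Enable-SerializationSigning {
    # Refuse to enable signing when the Auth Certificate is missing or invalid:
    # signing cannot work without it, so fix the certificate first.
    $state = Test-SerializationSigning
    if (-not $state.ReadyToSign) {
        throw "Auth Certificate '$($state.AuthCertThumbprint)' is missing or invalid on $($state.Server); fix that before enabling signing."
    }
    if ($state.SigningEnabled) {
        Write-Host "Signing is already enabled on $($state.Server)"
        return $state
    }
    if (-not (Test-Path $SigningRegPath)) { New-Item -Path $SigningRegPath -Force | Out-Null }
    New-ItemProperty -Path $SigningRegPath -Name $SigningRegName -Value 1 -PropertyType DWord -Force | Out-Null
    Test-SerializationSigning
}

# Report the current state; call Enable-SerializationSigning once ReadyToSign is True.
Test-SerializationSigning | Format-List
```

Run Test-SerializationSigning on each server first; Enable-SerializationSigning deliberately refuses to set the switch while the Auth Certificate is unusable, because that is the per-server condition the post warns about. Follow the linked Microsoft steps for anything that has to happen after the value is set.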

Fixed Issues

Apart from security fixes, these Security Updates also correct the following issues:

Issue Fixed                                                                   | Exchange 2016 | Exchange 2019
Signing of the serialisation payload fails to run the few cmdlets             | Yes           | Yes
Unable to migrate mailbox as communication error parameter exception occurs   | Yes           | Yes
InvalidResponseException when you try to run Export-UMPrompt                  | Yes           |

Notes

  • Security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU13 to Exchange 2019 CU12. When downloading, the security update will carry the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level when archiving it, e.g., Exchange2019-CU13-KBXXXXXX-x64-en.msp.
  • Similar to Cumulative Updates, Security Updates are cumulative, and you only need to install the latest SU for your CU.
  • If you have deployed Exchange Management Tools to manage your on-premises Exchange Servers, or installed the tools after removal of the last Exchange Server for recipient management, it is recommended to apply the Security Update. Be aware of a few cmdlet piping issues mentioned here.
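The build table above and the first two notes give a simple rule: identify the CU from the installed build, then apply (only) the SU for that CU, and anything at or above the listed build already contains it. The following is an added example (not from the post or from Microsoft) that applies that rule on a server. It reads the file version of ExSetup.exe, because AdminDisplayVersion from Get-ExchangeServer only reflects the CU, not the SU; it assumes $env:ExchangeInstallPath is set, as it is on Exchange 2016/2019 servers, and the build numbers are taken from the table in this post.

```powershell
# Added example, not code from the post or from Microsoft.
# Run locally on an Exchange 2016/2019 server.
# Assumption: $env:ExchangeInstallPath points at the Exchange installation.
# Build numbers below come from the post's table.

$Nov2023Builds = @(
    [pscustomobject]@{ Product = 'Exchange 2019 CU13'; Build = [version]'15.2.1258.28'; KB = 'KB5032146' }
    [pscustomobject]@{ Product = 'Exchange 2019 CU12'; Build = [version]'15.2.1118.40'; KB = 'KB5032146' }
    [pscustomobject]@{ Product = 'Exchange 2016 CU23'; Build = [version]'15.1.2507.35'; KB = 'KB5032147' }
)

function Get-Nov2023SuStatus {
    param(
        # ExSetup.exe's file version reflects the installed SU level.
        [string]$ExSetupPath = (Join-Path $env:ExchangeInstallPath 'Bin\ExSetup.exe')
    )
    if (-not (Test-Path $ExSetupPath)) {
        throw "ExSetup.exe not found at '$ExSetupPath'; run this on an Exchange server."
    }
    # [version] normalises any leading zeros in the file version string.
    $installed = [version][System.Diagnostics.FileVersionInfo]::GetVersionInfo($ExSetupPath).FileVersion

    # SUs are CU specific: match major.minor.build to identify the CU first.
    $cu = $Nov2023Builds | Where-Object {
        $_.Build.Major -eq $installed.Major -and
        $_.Build.Minor -eq $installed.Minor -and
        $_.Build.Build -eq $installed.Build
    }

    if (-not $cu) {
        return [pscustomobject]@{
            Product   = 'CU not in the November 2023 table'
            Installed = $installed
            Target    = $null
            Action    = 'No November 2023 SU exists for this CU; move to a listed CU first'
        }
    }

    # SUs are cumulative: at or above the listed build means this SU is already in place.
    $action = if ($installed -ge $cu.Build) {
        'November 2023 SU (or later) is installed'
    } else {
        "Install $($cu.KB) for $($cu.Product)"
    }
    [pscustomobject]@{
        Product   = $cu.Product
        Installed = $installed
        Target    = $cu.Build
        Action    = $action
    }
}

Get-Nov2023SuStatus | Format-List
```

Because the match is made on the CU part of the build before the SU part is compared, the function cannot recommend the KB for a different CU, which is the mistake the first note warns against.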

On a final note, as with any patch or update, it is recommended to apply this in a test environment first prior to implementing it in production. However, for security updates it is not recommended to wait for regular maintenance cycles; follow a more agile approach instead, using the ratings as an indication of the urgency.

This entry was posted in Exchange Server by Michel de Rooij.

About Michel de Rooij

Michel de Rooij, with over 25 years of mixed consulting and automation experience with Exchange and related technologies, is a consultant for Rapid Circle. He assists organizations in their journey to and using Microsoft 365, primarily focusing on Exchange and associated technologies and automating processes using PowerShell or Graph. Michel's authorship of several Exchange books and role in the Office 365 for IT Pros author team are a testament to his knowledge. Besides writing for Practical365.com, he maintains a blog on eightwone.com with supporting scripts on GitHub. Michel has been a Microsoft MVP since 2013.
