The Exchange product group released January updates for Exchange Server 2013, 2016 and 2019.
The vulnerabilities addressed in these Security Updates are:
| CVE | Type | Severity | CVSS:3.1 (Base / Temporal) |
|---|---|---|---|
| CVE-2023-21764 | Elevation of Privilege | Important | 7.8 / 6.8 |
| CVE-2023-21763 | Elevation of Privilege | Important | 7.8 / 6.8 |
| CVE-2023-21745 | Spoofing | Important | 8.8 / 7.9 |
| CVE-2023-21762 | Spoofing | Important | 8.0 / 7.0 |
| CVE-2023-21761 | Information Disclosure | Important | 7.5 / 6.5 |
The Security Updates for each Exchange Server version are linked below. Note that only CVE-2023-21762 applies to Exchange Server 2013:
| Version | Download | Build | KB article | Supersedes |
|---|---|---|---|---|
| Exchange 2019 CU12 | Download | 15.2.1118.21 | KB5022193 | KB5019758 |
| Exchange 2019 CU11 | Download | 15.2.986.37 | KB5022193 | KB5019758 |
| Exchange 2016 CU23 | Download | 15.1.2507.17 | KB5022143 | KB5019758 |
| Exchange 2013 CU23 | Download | 15.0.1497.45 | KB5022188 | KB5019758 |
In case you are wondering why Exchange Server 2016 CU22 is not mentioned: CU22 went out of support, and only CU23 will continue to receive security updates. On another note, Exchange 2013 support will end in April 2023, meaning it will stop receiving security updates. The recommendation is to upgrade to a more recent version.
Payload Serialization Signing
Apart from fixing security issues, these SUs also introduce support for certificate-based signing of PowerShell serialization payloads. TL;DR: it allows the serialized data to be signed, so that tampering with it can be detected. More info on the topic here. The process is explained at https://aka.ms/HC-SerializedDataSigning. In order to verify or configure signing, a script has been published here, or check here if you prefer manual steps. Note that all your Exchange servers need to run this SU before you enable signing, as each Exchange server needs to be able to validate the signed payloads; a server without the SU cannot.
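Before enabling signing, it helps to verify that every server in the organization actually runs at least the January 2023 SU build for its CU. The check below is an added example, not a script from the post or from Microsoft; it assumes it runs in an Exchange Management Shell with remoting rights on all servers, and uses the SU build numbers from the table above as the minimum. It reads the ExSetup.exe file version, because AdminDisplayVersion only reflects the CU and does not change when an SU is installed.

```powershell
# Added example: confirm all Exchange servers run the January 2023 SU (or later) for their CU.
# Minimum builds per CU are the SU builds listed in the table above.
$MinimumBuild = @{
    '15.2.1118' = [version]'15.2.1118.21'   # Exchange 2019 CU12
    '15.2.986'  = [version]'15.2.986.37'    # Exchange 2019 CU11
    '15.1.2507' = [version]'15.1.2507.17'   # Exchange 2016 CU23
    '15.0.1497' = [version]'15.0.1497.45'   # Exchange 2013 CU23
}

$results = foreach ($server in Get-ExchangeServer) {
    try {
        # ExSetup.exe carries the SU build; AdminDisplayVersion would only show the CU build.
        $fileVersion = Invoke-Command -ComputerName $server.Fqdn -ErrorAction Stop -ScriptBlock {
            (Get-Command "$env:ExchangeInstallPath\bin\ExSetup.exe").FileVersionInfo.ProductVersion
        }
        $installed = [version]$fileVersion
        # Major.Minor.Build identifies the CU; Revision is what the SU raises.
        $cuKey    = '{0}.{1}.{2}' -f $installed.Major, $installed.Minor, $installed.Build
        $required = $MinimumBuild[$cuKey]
        [pscustomobject]@{
            Server    = $server.Name
            Installed = $installed
            Required  = if ($required) { $required } else { 'unsupported CU' }
            Ready     = ($null -ne $required) -and ($installed -ge $required)
        }
    }
    catch {
        # Unreachable servers count as not ready: signing must not be enabled until they are verified.
        [pscustomobject]@{ Server = $server.Name; Installed = 'unknown'; Required = 'n/a'; Ready = $false }
    }
}

$results | Format-Table -AutoSize
if ($results.Ready -contains $false) {
    Write-Warning 'Do not enable serialization payload signing yet: not every server runs the January 2023 SU.'
}
```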
Apart from security fixes, these SUs also fix the following:
| Issue | Exchange 2016 | Exchange 2019 |
|---|---|---|
| Store Worker Process stops and returns "System.NullReferenceExceptions" multiple times per day | Yes | Yes |
| Can't record or play in Exchange Unified Messaging | Yes | Yes |
| Exchange Application log is flooded with Event ID 6010 | Yes | |
Security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU12 to Exchange 2019 CU11. When downloading, the security update will carry the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level when archiving it, e.g. Exchange2019-CU12-KBXXXXXX-x64-en.msp.
Exchange servers running as part of a hybrid deployment are managed through PowerShell, and thus need to receive this patch and eventually be enabled for payload signing. If you are running the Exchange 2019 Management Tools only (for recipient management), you do not need to deploy this SU.
On a final note, as with any patch or update, I'd recommend applying this in a test environment first, prior to implementing it in production. However, when it concerns security updates it is not recommended to wait for regular maintenance cycles; follow a more agile approach instead, using the ratings as an indication of the urgency.