Security Updates Exchange 2013-2019 (Jul2021)

Update July 20th: Added VC++2012 requirement to tip on running MT to prepare Exchange 2013 schema separately.

Another month, another Patch Tuesday! A quick blog on the July’s security updates for Exchange Server 2013 up to 2019.

The vulnerabilities addressed in these security updates are:

VulnerabilityCategorySeverityRating
CVE-2021-31196Remote Code Execution ImportantCVSS:3.0 7.2 / 6.3
CVE-2021-34470Elevation of PrivilegeImportantCVSS:3.0 8.0 / 7.0
CVE-2021-33768Elevation of PrivilegeImportantCVSS:3.0 8.0 / 7.0
CVE-2021-31206Remote Code ExecutionImportantCVSS:3.0 7.6 / 7.1

Note:

  • When looking at the MSRC information, you will notice 3 additional CVE issues addressed for July 13th. However, as far as I can see CVE-2021-34473, CVE-2021-34523 and CVE-2021-33766 were addressed in the April 2021 and eventually the May 2021 Security Updates, which also would explain MSRC’s mention of earlier CUs, such as Exchange 2019 CU8.
  • CVE-2021-31206 was the vulnerability discovered at the Pwn2Own 2021 contest.

Vulnerabilities mentioned in the table above are addressed in the following security updates:

ExchangeDownloadBuildKBSupersedes
Exchange 2019 CU10Download15.2.922.13KB5004780
Exchange 2019 CU9Download15.2.858.15KB5004780
Exchange 2016 CU21Download15.1.2308.14KB5004779
Exchange 2016 CU20Download15.1.2242.12KB5004779
Exchange 2013 CU23Download15.0.1497.23KB5004778

Notes:

  • CVE-2021-33768 does not seem applicable to Exchange 2019 CU9 or Exchange 2016 CU20.
  • CVE-2021-34470 is only addressed in the security update for Exchange 2013 CU23.

More detailed information can be found at the original blog post here, which mentions some specific post-deployment instructions:

  • When running n-1 CU of Exchange 2019 (CU9) or Exchange 2016 (CU20), and you do not plan to upgrade to the latest CU yet but do wish to install this Security Update, you must also update the AD Schema using the CU10 or CU21 installation files.
  • When you are running Exchange 2013 CU23 in your organization, and no later Exchange builds are present, you need to deploy a schema update immediately after deploying the Security Update. After deploying the SU, from an elevated CMD prompt, run Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms from Exchange’s bin folder. You you need to separate the update from deploying the update, see end of article for a tip.

The blog also mentions some issues, which are identical to the ones mentioned with the May 2021 Security Updates:

  • Accounts ending in ‘$’ cannot use EMS or access the ECP.
  • Cross-forest Free/Busy might stop working resulting in 400 Bad Request (solution).
  • Running cmdlets against EMC using invoked runspace might result in no-language mode error (info).

Be advised that these security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU9 to Exchange 2019 CU8. Also, the security update download has the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level, e.g. Exchange2019-CU9-KBXXXXXX-x64-en.msp.

On another note, after deploying the security updates Exchange will start reporting its version number in the HTTP response header.

As a reminder, run the Security Update from an elevated command prompt to prevent issues during installation. In other words: Do not just double-click on the .MSP file. And on a final note, as with any patch or update, I’d recommend to apply this in a acceptance environment first, prior to implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it concerns security updates, and follow a more agile approach. The rating implies a form of urgency.

OWA/ECP and HMAC errors
There are reports of the Security Update breaking OWA/ECP. Symptoms are browsers displaying an HMAC error:

Server Error in '/owa' Application.

ASSERT: HMACProvider.GetCertificates:protectionCertificates.Length<1
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
    
Exception Details: Microsoft.Exchange.Diagnostics.ExAssertException: ASSERT: HMACProvider.GetCertificates:protectionCertificates.Length<1

It is likely related to “Microsoft Exchange Server Auth Certificate”, which can be expired, invalid or for other reasons not being picked up. The reported solution is renewing the “Microsoft Exchange Server Auth Certificate”. This procedure can be found here. Do note that it may take an hour for the certificate to become effective. Meanwhile, you can check the comments in the original Exchange Team post, which is lively with feedback and responses.

Exchange 2013 CU23 SU & Schema Updating
Because with Exchange 2013 CU23 schema preparation needs to occur immediately after deploying the SU on (the first) Exchange 2013 CU23 server, a tip might be that you could deploy Exchange 2013 CU23 Management Tools on a workstation, install the SU on that workstation, then run the PrepareSchema from there before deploying the SU on any Exchange 2013 CU23 server.

This might also be helpful in multi-domain organizations, or organizations where AD and Exchange are managed by different teams or require separate changes. Note that performing the schema update this way requires Visual C++ 2012 Runtime, otherwise you will run into a “Exchange Server setup didn’t complete the operation” and the ExchangeSetup.log will contain “Could not load file or assembly ‘Microsoft.Exchange.CabUtility.dll”.

Exchange Updates – March 2021

The Exchange Team released the quarterly Cumulative Updates for Exchange Server 2019 as well as Exchange 2016. Be advised that both of these CUs include the March security update KB5000871. AExchange 2016 will receive its final CU in March, 2021.

Links to the updates as well as a description of changes and fixes are described below. The column Schema and AD indicate if the CU contains Schema (/PrepareSchema) and Active Directory (PrepareAD) changes compared to the previous CU.

VersionBuildKBDownloadUMLPSchemaAD
Exchange 2019 CU915.2.858.2KB4602570Download NY
Exchange 2016 CU2015.1.2242.4KB4602569DownloadUMLPNY

Exchange 2019 CU9 fixes:

  • 5001181 Certain search scenario can’t return expected result in Outlook online mode in Exchange Server 2019
  • 5001182 Can’t use keyword “TMM” in a special pattern to search email in Exchange Server 2019
  • 5001183 Attachment is treated as bad zip file on Edge Transport server in Exchange Server 2019 and 2016
  • 5001184 EAC has no option to select the correct tenant for an Office 365 mailbox in Exchange Server 2019 and 2016
  • 5001185 EAC has no option to select an archive domain for cloud-based archive in Exchange Server 2019 and 2016
  • 5001186 Encoding of special characters isn’t preserved which causes missing text in Outlook in Exchange Server 2019 and 2016
  • 5001188 Incorrect MRM properties stamped on mail item delivery when sending to multiple mailboxes on the same database in Exchange Server 2019 and 2016
  • 5001189 Mailbox Audit log searches and Outlook both tied to MaxHitsForFullTextIndexSearches in Exchange Server 2019 and 2016
  • 5001190 MonitoringGroup can’t control the placement of CAS monitoring mailboxes in Exchange Server 2019 and 2016
  • 5001192 Microsoft Teams fails to show calendar because Autodiscover v2 isn’t site-aware in Exchange Server 2019 and 2016
  • 5001193 New health mailboxes for databases are created every time Exchange Health Manager service is restarted
  • 5001194 RFC certificate timestamp validation in Exchange Server 2019 and 2016
  • 5001195 UPN specified when creating mailbox is overwritten automatically causing login failures in Exchange Server 2019 and 2016
  • 5000631 Event IDs 1003, 1309 and 4999 are logged after installing Exchange Server 2019 CU8
  • 4583558 PDF preview function in OWA leads to download action unexpectedly

Exchange 2016 CU20 fixes:

  • 5001183 Attachment is treated as bad zip file on Edge Transport server in Exchange Server 2019 and 2016
  • 5001184 EAC has no option to select the correct tenant for an Office 365 mailbox in Exchange Server 2019 and 2016
  • 5001185 EAC has no option to select an archive domain for cloud-based archive in Exchange Server 2019 and 2016
  • 5001186 Encoding of special characters isn’t preserved which causes missing text in Outlook in Exchange Server 2019 and 2016
  • 5001188 Incorrect MRM properties stamped on mail item delivery when sending to multiple mailboxes on the same database in Exchange Server 2019 and 2016
  • 5001189 Mailbox Audit log searches and Outlook both tied to MaxHitsForFullTextIndexSearches in Exchange Server 2019 and 2016
  • 5001190 MonitoringGroup can’t control the placement of CAS monitoring mailboxes in Exchange Server 2019 and 2016
  • 5001192 Microsoft Teams fails to show calendar due to Autodiscover v2 isn’t site aware in Exchange Server 2019 and 2016
  • 5001193 New health mailboxes for databases are created every time Exchange Health Manager service is restarted
  • 5001194 RFC certificate timestamp validation in Exchange Server 2019 and 2016
  • 5001195 UPN specified when creating mailbox is overwritten automatically causing login failures in Exchange Server 2019 and 2016
  • 4583558 PDF preview function in OWA leads to download action unexpectedly

Notes:

  • If these Cumulative Updates contain schema changes compared to the Cumulative Update you have deployed, you need to run Setup with /PrepareSchema. If they contain Active Directory changes, you need to run /PrepareAD. Alternatively, permissions permitting, you can let Setup perform this step. Consult the Exchange schema versions page for object version numbers.
  • When upgrading from an n-2 or earlier version of Exchange, or an early version of the .NET Framework, consult Upgrade Paths for CU’s & .NET.
  • Don’t forget to put the Exchange server in maintenance mode prior to updating. Regardless, setup will put the server in server-wide offline mode post-analysis, before making actual changes.
  • When using Exchange hybrid deployments or Exchange Online Archiving (EOA), support requires you to trail at most one version (n-1).
  • If you want to speed up the update process for systems without internet access, you can follow the procedure described here to disable publisher’s certificate revocation checking.
  • Cumulative Updates can be installed directly; no need to install RTM prior to installing Cumulative Updates.
  • Once upgraded, you can’t uninstall a Cumulative Update nor any of the installed Exchange server roles.
  • The recommended upgrade order is internet-facing, non-internet-facing servers first, followed by Edge Transports.

Caution:

As for any update, I recommend to thoroughly test updates in a test environment prior to implementing them in production. When you lack such facilities, hold out a few days and monitor the comments on the original publication or forums for any issues.

Exchange Updates – March 2018

Ex2013 LogoThe Exchange Team released the March updates for Exchange Server 2013 and 2016, and these Cumulative Updates contain a ton of fixes. Like the earlier Cumulative Updates for Exchange 2013 and Exchange 2016, and in addition to the fixes – see below – these Cumulative Updates contain the following important changes:

  • Support for .NET Framework 4.7.1. Be advised that .NET Framework 4.7.1 will be required for the next cycle of quarterly updates, which will be released in June 2018.
  • Full support for TLS 1.2. More information and guidance here.

On a smaller note, Exchange 2010 Service Pack 3 Rollup 20 was also released, which contains two security fixes CVE-2018-0924 and CVE-2018-0940, as well as DST changes.

Version Build KB Article Download UMLP Schema Changes
Exchange 2016 CU9 15.1.1466.3 KB4055222 Download UMLP No
Exchange 2013 CU20 15.0.1367.3 KB4055221 Download UMLP No
Exchange 2010 SP3 RU20 14.3.389.1 KB4073537 Download

Exchange 2016 CU9 fixes:

  • 4054513 Mailbox usage status bar in OWA displays incorrect mailbox usage
  • 4055433 User is added to an entire series when accepting a single instance through Exchange ActiveSync
  • 4057216 Health mailbox’s password is exposed in logs for a failed probe in Exchange Server 2016 and 2013
  • 4058373 “A parameter cannot be found” error when you run Install-AntiSpamAgents.ps1 in Exchange Server 2016 CU7
  • 4058379 All cross-forest meeting updates have to be accepted again in Exchange Server 2016 and 2013
  • 4058383 Exchange Control Panel (ECP) redirection fails in Exchange Server 2016
  • 4058384 Get-CalendarDiagnosticAnalysis shows DateTime in 12-hour clock in Exchange Server 2016 and 2013
  • 4058399 Disabling a mailbox can’t remove legacyExchangeDN from user’s properties in Exchange Server 2016
  • 4073094 Emails outside a UID range are returned when you request for emails by using IMAP
  • 4073095 “550 5.6.0 CAT.InvalidContent.Exception” and email isn’t delivered in Exchange Server 2016 and 2013
  • 4073104 PIN can be reset on a Unified Messaging (UM)-enabled mailbox for a user outside a scoped OU
  • 4073103 The Enable-Mailbox cmdlet doesn’t block migrated users from provisioning in Exchange Server 2016
  • 4073107 Language can’t be changed when a user from a child domain tries to change language in OWA
  • 4073111 Can’t access a CAS website such as OWA/ECP/Autodiscover in Exchange Server 2016
  • 4073110 You can’t access OWA or ECP after you install Exchange Server 2016 CU8
  • 4073109 Search-MailboxAuditLog -ShowDetails not showing all messages in Exchange Server 2016
  • 4073114 “ADOperationException” error when OWA text verification fails in Exchange Server 2016
  • 4073214 Can’t enable OWA offline access in Exchange Server 2016
  • 4073531 CultureNotFoundException when selecting a LCID 4096 language in OWA for Exchange Server 2016
  • 4076520 MatchSubdomains isn’t usable for Set-AcceptedDomain in Exchange Server 2016
  • 4076741 Incorrect NDR when an administrator deletes a message from a queue in Exchange Server 2016
  • 4077655 Event ID 258 “Unable to determine the installed file” after you uninstall Windows PowerShell 2.0
  • 4057290 Incorrect user is returned in the ECP when one user’s display name matches another user’s alias
  • 4058372 Blank page in Exchange Admin Center Audit Log in Exchange Server 2016
  • 4058382 Can’t retrieve time slot information about private calendar items as a delegate on another user’s account in Exchange Server 2016
  • 4058401 Administrator audit logging does not record Set-ServerComponentState cmdlet details in Exchange Server 2013 or 2016 environment
  • 4073097 Monitoring probes of ECP.Proxy health checks fail on all CAS roles in Exchange Server 2013 and 2016
  • 4073098 The ETS and EXS groups are incorrectly granted “SeDebugPrivilege” in Exchange Server 2016 on-premises
  • 4073108 “There was a problem loading your options” error when a user accesses OWA Voice Mail options in Exchange Server 2016
  • 4077924 Store Worker process crashes when you move, restore, or repair mailboxes that have issues with the logical index within the database in Exchange Server 2016
  • 4091453 Update improves linguistics features and CJK handling for search in Exchange Server 2016
  • 4073392 Description of the security update for Microsoft Exchange: March 13, 2018

Exchange 2013 CU20 fixes:

  • 4073392 Description of the security update for Microsoft Exchange: March 13, 2018
  • 4073094 Emails outside a UID range are returned when you request for emails by using IMAP
  • 4073097 Monitoring probes of ECP.Proxy health checks fail on all CAS roles in Exchange Server 2013 and 2016
  • 4057216 Health mailbox’s password is exposed in logs for a failed probe in Exchange Server 2016 and 2013
  • 4058384 Get-CalendarDiagnosticAnalysis shows DateTime in 12-hour clock in Exchange Server 2016 and 2013
  • 4057290 Incorrect user is returned in the ECP when one user’s display name matches another user’s alias
  • 4055433 User is added to an entire series when accepting a single instance through Exchange ActiveSync
  • 4058401 Administrator audit logging does not record Set-ServerComponentState cmdlet details in Exchange Server 2013 or 2016 environment
  • 4073095 “550 5.6.0 CAT.InvalidContent.Exception” and email isn’t delivered in Exchange Server 2016 and 2013
  • 4058379 All cross-forest meeting updates have to be accepted again in Exchange Server 2016 and 2013
  • 4073093 Save issues occur when you use the plain Text Editor in OWA of Exchange Server 2013
  • 4073096 Emails sent from a shared mailbox aren’t saved in Sent Items when MessageCopyForSentAsEnabled is True

Notes:

  • Exchange 2016 CU7 and later requires Forest Functionality Level 2008R2 or later.
  • Exchange 2016 CU8 and Exchange 2013 CU18 do not contain schema changes compared to their previous Cumulative Update. However, they may introduce RBAC changes in your environment. Use setup /PrepareSchema to manually update the schema, or use /PrepareAD to apply RBAC changes, before deploying or updating Exchange servers. To see if you need to update the schema compared to your version or verify the update has been performed, consult the Exchange schema overview.
  • When upgrading from an n-2 or earlier version of Exchange, or an early version of the .NET Framework, consult Upgrade Paths for CU’s & .NET.
  • When upgrading your Exchange 2013 or 2016 installation, don’t forget to put the server in maintenance mode when required. Regardless, setup will put the server in server-wide offline mode post-analysis, before making actual changes.
  • Using Windows Management Framework (WMF)/PowerShell version 5 or later on anything earlier than Windows Server 2016 is not supported. Don’t install WMF5 on your Exchange servers running on Windows Server 2012 R2 or earlier.
  • When using Exchange hybrid deployments or Exchange Online Archiving (EOA), you are required to stay at most one version behind (n-1).
  • If you want to speed up the update process for systems without internet access, you can follow the procedure described here to disable publisher’s certificate revocation checking.
  • Cumulative Updates can be installed directly, i.e. no need to install RTM prior to installing Cumulative Updates.
  • Once installed, you can’t uninstall a Cumulative Update nor any of the installed Exchange server roles.
  • The order in which you upgrade servers with Cumulative Updates is irrelevant.

Caution:

As for any update, I recommend to thoroughly test updates in a test environment prior to implementing them in production. When you lack such facilities, hold out a few days and monitor the comments on the original publication or forums for any issues.