Security Updates Exchange 2013-2019 (Oct2021)

Welcome to another Patch Tuesday! A quick blog on October’s security updates for Exchange Server 2013 up to 2019.

The vulnerabilities addressed in these security updates are:

Vulnerability  | Category              | Severity  | Rating
CVE-2021-26427 | Remote Code Execution | Important | CVSS:3.0 9.0 / 7.8
CVE-2021-41350 | Spoofing              | Important | CVSS:3.0 6.5 / 5.7
CVE-2021-41348 | Elevation of Privilege | Important | CVSS:3.0 8.0 / 7.0
CVE-2021-34453 | Denial of Service     | Important | CVSS:3.0 7.5 / 6.5

Vulnerabilities mentioned in the table above are addressed in the following security updates. The exception is Exchange 2013 CU23, which seemingly only gets fixed for CVE-2021-26427; it is unclear whether that is because of Exchange 2013’s lifecycle phase or because the problem does not exist in those builds.

Exchange           | Download | Build        | KB        | Supersedes
Exchange 2019 CU11 | Download | 15.2.986.9   | KB5007012 |
Exchange 2019 CU10 | Download | 15.2.922.14  | KB5007012 |
Exchange 2016 CU22 | Download | 15.1.2375.12 | KB5007012 |
Exchange 2016 CU21 | Download | 15.1.2308.15 | KB5007012 |
Exchange 2013 CU23 | Download | 15.0.1497.24 | KB5007011 |

More detailed information can be found at the original blog post here. Check the KB articles for any known release notes, such as the possible cross-forest Free/Busy issue and HTTP headers containing version information.

Be advised that these security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU11 to Exchange 2019 CU10. Also, the security update download has the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level, e.g. Exchange2019-CU10-KBXXXXXX-x64-en.msp.

As a reminder, run the Security Update from an elevated command prompt to prevent issues during installation. In other words: do not just double-click the .MSP file. On a final note, as with any patch or update, I’d recommend applying this in a test environment first, prior to implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it concerns security updates; follow a more agile approach instead, and use the ratings as an indication of the urgency.
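An added example, not from the original post, that puts the two reminders above together: it checks that the CU-specific SU matches the CU actually installed (using the post-SU builds from the table) before launching the .msp elevated through msiexec, and reports the resulting build. It assumes the Exchange Management Shell on the target server; the .msp path is a placeholder that follows the CU-tagged naming suggested above.

```powershell
# Added example, not from the original post. Verifies the SU targets the installed CU,
# installs it elevated, and reports the ExSetup.exe build before and after.

# Post-SU builds from the October 2021 table; the first three version parts identify the CU.
$SuBuilds = @{
    '15.2.986'  = 'Exchange 2019 CU11 (KB5007012)'
    '15.2.922'  = 'Exchange 2019 CU10 (KB5007012)'
    '15.1.2375' = 'Exchange 2016 CU22 (KB5007012)'
    '15.1.2308' = 'Exchange 2016 CU21 (KB5007012)'
    '15.0.1497' = 'Exchange 2013 CU23 (KB5007011)'
}

function Get-ExSetupVersion {
    # ExSetup.exe's file version carries CU and SU level (e.g. 15.02.0922.014);
    # AdminDisplayVersion from Get-ExchangeServer does not reflect installed SUs.
    [version](Get-Command ExSetup.exe).FileVersionInfo.FileVersion
}

function Get-CuKey([version] $Version) {
    '{0}.{1}.{2}' -f $Version.Major, $Version.Minor, $Version.Build
}

function Install-ExchangeSecurityUpdate {
    param(
        # CU-tagged copy of the SU (placeholder path), e.g. C:\Updates\Exchange2019-CU10-KB5007012-x64-en.msp
        [Parameter(Mandatory)] [string] $MspPath,
        # CU the .msp was downloaded for, e.g. '15.2.922' for Exchange 2019 CU10
        [Parameter(Mandatory)] [string] $TargetCuKey
    )
    if (-not $SuBuilds.ContainsKey($TargetCuKey)) { throw "Unknown CU key $TargetCuKey" }
    $before = Get-ExSetupVersion
    $installedKey = Get-CuKey $before
    if ($installedKey -ne $TargetCuKey) {
        throw "Server runs CU build $installedKey but the SU targets $TargetCuKey ($($SuBuilds[$TargetCuKey])); SUs are CU-specific."
    }

    # Launch msiexec elevated (UAC prompt) instead of double-clicking the .msp; keep a verbose log.
    $log = Join-Path $env:TEMP 'ExchangeSU.log'
    $msiArgs = "/update `"$MspPath`" /passive /norestart /l*v `"$log`""
    $proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Verb RunAs -Wait -PassThru
    if ($proc.ExitCode -notin 0, 3010) {   # 3010 = success, reboot required
        throw "msiexec exited with $($proc.ExitCode); see $log"
    }

    [pscustomobject]@{
        Before       = $before
        After        = Get-ExSetupVersion
        RebootNeeded = ($proc.ExitCode -eq 3010)
        Target       = $SuBuilds[$TargetCuKey]
    }
}

Install-ExchangeSecurityUpdate -MspPath 'C:\Updates\Exchange2019-CU10-KB5007012-x64-en.msp' -TargetCuKey '15.2.922'
```

The After build should match the post-SU build listed in the table for that CU (15.2.922.14 for Exchange 2019 CU10); a mismatch is the first thing to check before looking at the msiexec log.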

Exchange Updates – September 2021

The Exchange Team released the quarterly Cumulative Updates for Exchange Server 2019 as well as Exchange 2016.

Be advised that these CUs will introduce something which is called the Exchange Emergency Mitigation Service. This service is designed to distribute and implement mitigations addressing potential threats. For this, the URL Rewrite Module needs to be installed on the Exchange server. When you have Exchange running on Windows Server 2012 R2, you will also need an update for the Universal C Runtime (KB2999226). Periodically, the EEM service will reach out to the Office Config Service (OCS) through endpoint https://officeclient.microsoft.com, and update its set of configured mitigations. More on EEM and managing its configuration here.
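A pre-flight check for the EEM prerequisites listed above, as an added example that is not part of the original post. It assumes it runs in the Exchange Management Shell on the server itself; the URL Rewrite registry location, the MSExchangeMitigation service name and the MitigationsEnabled/MitigationsApplied properties are as I know them from the EEMS documentation, not from the post.

```powershell
# Added example, not from the original post. Reports whether this Exchange server meets
# the Emergency Mitigation Service prerequisites and whether mitigations are enabled.

function Test-EemPrerequisites {
    param([string] $Server = $env:COMPUTERNAME)
    $result = [ordered]@{}

    # 1. URL Rewrite Module must be installed (EEMS applies URL-based mitigations through it).
    $rewrite = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\IIS Extensions\URL Rewrite' -ErrorAction SilentlyContinue
    $result.UrlRewriteVersion = if ($rewrite) { $rewrite.Version } else { 'missing' }

    # 2. On Windows Server 2012 R2 the Universal C Runtime update (KB2999226) is also required.
    $os = (Get-CimInstance Win32_OperatingSystem).Caption
    if ($os -like '*2012 R2*') {
        $result.UcrtKB2999226 = [bool](Get-HotFix -Id KB2999226 -ErrorAction SilentlyContinue)
    }

    # 3. The service itself should exist and be running once the CU is installed.
    $svc = Get-Service -Name MSExchangeMitigation -ErrorAction SilentlyContinue
    $result.MitigationService = if ($svc) { $svc.Status } else { 'not installed' }

    # 4. Outbound HTTPS to the Office Config Service endpoint the service polls.
    $result.OcsReachable = Test-NetConnection -ComputerName officeclient.microsoft.com -Port 443 -InformationLevel Quiet

    # 5. Org-wide and per-server switches, plus what has been applied so far.
    $result.OrgMitigationsEnabled = (Get-OrganizationConfig).MitigationsEnabled
    $srv = Get-ExchangeServer -Identity $Server
    $result.ServerMitigationsEnabled = $srv.MitigationsEnabled
    $result.MitigationsApplied = ($srv.MitigationsApplied -join ', ')

    [pscustomobject]$result
}

Test-EemPrerequisites
```

Anything reported as missing, false or stopped means the service cannot fetch or apply mitigations, so fix that before relying on EEM as a stopgap.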

Links to the updates as well as a description of changes and fixes are given below. The columns Schema and AD indicate whether the CU contains Schema (/PrepareSchema) and Active Directory (/PrepareAD) changes compared to the previous CU. Refer to the Exchange Schema page for schema and related versioning information.

Version            | Build       | KB        | Download | UMLP | Schema | AD
Exchange 2019 CU11 | 15.2.986.5  | KB5005334 | Download |      | N      | Y
Exchange 2016 CU22 | 15.1.2375.7 | KB5005333 | Download | UMLP | N      | Y

Exchange 2019 CU11 fixes:

  • 5006980 Bad signature error using PerfView in Exchange Server 2019 and 2016 (KB5006980)
  • 5006982 On-premises Exchange queues back up because of incorrect default value (KB5006982)
  • 5006983 Exchange Server 2019 and 2016 certificates created during setup use SHA-1 hash (KB5006983)
  • 5006984 PrepareAD fails if Computers container or RODCs are renamed or moved in Exchange Server 2019 and 2016 (KB5006984)
  • 5006986 Opening an Outlook message from the desktop removes line spacing (KB5006986)
  • 5006988 Export of .pst file is unexpectedly triggered again in Exchange Server 2019 and 2016 (KB5006988)
  • 5006989 Accepted domains with wildcards for subdomains are not honored when Edge server maps AddressSpaces (KB5006989)
  • 5006990 Exchange CU installation fails after you configure fallback to use default character set (KB5006990)
  • 5006991 Mail quota warning messages no longer sent daily in Exchange Server 2019 (KB5006991)
  • 5006992 No room lists found when trying to add a room in OWA in Exchange Server 2019 or 2016 (KB5006992)
  • 5006993 Can’t log on to OWA in Chrome if SSL is offloaded in Exchange Server 2019 and 2016 (KB5006993)
  • 5006994 BCC values not retained in Sent Items in a shared mailbox in Exchange Server 2019 and 2016 (KB5006994)
  • 5006995 Korean email messages display some recipients incorrectly in Exchange Server 2019 and 2016 (KB5006995)
  • 5006996 Export-AutoDiscoverConfig exposes admin password and does not work against domain controllers that require signing (KB5006997)
  • 5006997 Korean messages in OWA display “From” as “Start date” after you filter the list in Exchange Server 2019 and 2016
  • 5006999 “401” error and Outlook repeatedly prompts for credentials in Exchange Server 2019 (KB5006999)
  • 5007042 Error window appears when you view features in OWA Virtual Directory (KB5007042)
  • 5007043 Exchange Server SU updates Add/Remove Programs incorrectly (KB5007043)
  • 5007044 Start-MailboxAssistant not available in EMS in Exchange Server 2019 (KB5007044)

Exchange 2016 CU22 fixes:

  • 5006980 Bad signature error using PerfView in Exchange Server 2019 and 2016 (KB5006980)
  • 5006982 On-premises Exchange queues back up because of incorrect default value (KB5006982)
  • 5006983 Exchange Server 2019 and 2016 certificates created during setup use SHA-1 hash (KB5006983)
  • 5006984 PrepareAD fails if Computers container or RODCs are renamed or moved in Exchange Server 2019 and 2016 (KB5006984)
  • 5006986 Opening an Outlook message from the desktop removes line spacing (KB5006986)
  • 5006988 Export of .pst file is unexpectedly triggered again in Exchange Server 2019 and 2016 (KB5006988)
  • 5006989 Accepted domains with wildcards for subdomains are not honored when Edge server maps AddressSpaces (KB5006989)
  • 5006992 No room lists found when trying to add a room in OWA in Exchange Server 2019 or 2016 (KB5006992)
  • 5006993 Can’t log on to OWA in Chrome if SSL is offloaded in Exchange Server 2019 and 2016 (KB5006993)
  • 5006994 BCC values not retained in Sent Items in a shared mailbox in Exchange Server 2019 and 2016 (KB5006994)
  • 5006995 Korean email messages display some recipients incorrectly in Exchange Server 2019 and 2016 (KB5006995)
  • 5006996 Export-AutoDiscoverConfig exposes admin password and does not work against domain controllers that require signing (KB5006997)
  • 5006997 Korean messages in OWA display “From” as “Start date” after you filter the list in Exchange Server 2019 and 2016
  • 5007042 Error window appears when you view features in OWA Virtual Directory (KB5007042)
  • 5007043 Exchange Server SU updates Add/Remove Programs incorrectly (KB5007043)

Notes:

  • If these Cumulative Updates contain schema changes compared to the Cumulative Update you have deployed, you need to run Setup with /PrepareSchema. If they contain Active Directory changes, you need to run /PrepareAD. Alternatively, permissions permitting, you can let Setup perform this step. Consult the Exchange schema versions page for schema and related versioning information.
  • When upgrading from an n-2 or earlier version of Exchange, or an early version of the .NET Framework, consult Upgrade Paths for CU’s & .NET.
  • Don’t forget to put the Exchange server in maintenance mode prior to updating. Regardless, setup will put the server in server-wide offline mode post-analysis, before making actual changes.
  • When using Exchange hybrid deployments or Exchange Online Archiving (EOA), support requires you to trail at most one version (n-1).
  • If you want to speed up the update process for systems without internet access, you can follow the procedure described here to disable publisher’s certificate revocation checking.
  • Cumulative Updates can be installed directly; no need to install RTM prior to installing Cumulative Updates.
  • Once upgraded, you can’t uninstall a Cumulative Update nor any of the installed Exchange server roles.
  • The recommended upgrade order is internet-facing, non-internet-facing servers first, followed by Edge Transports.

Caution:

As for any update, I recommend thoroughly testing updates in a test environment prior to implementing them in production. When you lack such facilities, hold out a few days and monitor the comments on the original publication or forums for any issues.

Exchange Updates – February 2019

Update: Added note that Exchange 2010 SP3 RU26 adds support for Windows Server 2012 R2.

Today, the Exchange Team released the overdue quarterly Cumulative Updates for Exchange Server 2013, Exchange 2016 and Exchange 2019, as well as a Rollup for Exchange Server 2010.

The KB articles that describe the fixes in each release and product downloads are available as follows:

Version                | Build       | KB        | Download | UMLP | Schema
Exchange 2019 CU1      | 15.2.330.5  | KB4471391 | VLSC     |      | N
Exchange 2016 CU12     | 15.1.1713.5 | KB4471392 | Download | UMLP | N
Exchange 2013 CU22     | 15.0.1473.3 | KB4345836 | Download | UMLP | N
Exchange 2010 SP3 RU26 | 14.3.442.0  | KB4487052 | Download |      | N

These updates contain the following important changes and notes:

  • Due to issue CVE-2018-8581, the EWS architecture was changed, in particular push notifications. Details on the change are described in KB4490060; while the change has been tested against EWS clients such as Outlook for Mac and Skype for Business, organizations may need to test any applications leveraging EWS to estimate the potential impact of installing these Cumulative Updates or Rollup. In addition, organizations are advised to reset the passwords of the Exchange computer accounts.
  • These Exchange builds introduce a change in the Shared Permissions Model (this does not apply to the Split Permissions Model). As a result, Exchange no longer requires far-reaching permissions in Active Directory (e.g. WriteDACL on the root of the domain). To make these changes effective:
    • For Exchange 2013-2019 Cumulative Updates, run setup using /PrepareAD. In multi-domain forests, this needs to be done in every domain of the forest.
    • For Exchange 2010, go through the instructions mentioned in KB4490059.
  • Organizations considering moving to Split Permissions because of CVE-2018-8581 should know Microsoft fully supports both models. Switching can have serious consequences and therefore should be fully evaluated.
  • This build of Exchange 2019 introduces cmdlets to block usage of legacy authentication protocols, e.g. Basic Authentication, for users through policies.
  • Prior to deploying Exchange 2016 CU12 or Exchange 2013 CU22 on Edge Transport servers, install the Visual C++ 2012 Runtime.
  • These Cumulative Updates will remove the DisableLoopbackCheck key when present; removing this key was a mitigation for CVE-2018-8581.
  • Exchange 2010 SP3 RU26 adds support for Windows Server 2012 R2, to accommodate the Hybrid Agent.
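The legacy-authentication policies that Exchange 2019 CU1 introduces, worked through as an added example that is not part of the original post: create a policy that blocks Basic authentication per protocol, assign it to a pilot user, and list mailboxes that still carry no policy. The cmdlet and parameter names (New-/Get-AuthenticationPolicy, Set-User -AuthenticationPolicy, Get-User) are assumed from Exchange 2019 CU1 or later, run in the Exchange Management Shell; the pilot account name is a placeholder.

```powershell
# Added example, not from the original post. Blocks legacy (Basic) authentication for a
# pilot user through an authentication policy and reports who is still unprotected.

function New-BlockLegacyAuthPolicy {
    param([string] $Name = 'Block Legacy Auth')
    # Idempotent: reuse the policy if it already exists.
    $existing = Get-AuthenticationPolicy -Identity $Name -ErrorAction SilentlyContinue
    if ($existing) { return $existing }
    # One switch per protocol; leave a protocol out only if a legacy client still needs it.
    New-AuthenticationPolicy -Name $Name `
        -BlockLegacyAuthActiveSync `
        -BlockLegacyAuthAutodiscover `
        -BlockLegacyAuthImap `
        -BlockLegacyAuthMapi `
        -BlockLegacyAuthOfflineAddressBook `
        -BlockLegacyAuthPop `
        -BlockLegacyAuthRpc `
        -BlockLegacyAuthPowershell `
        -BlockLegacyAuthWebServices
}

function Set-PilotUserAuthPolicy {
    param(
        [Parameter(Mandatory)] [string] $User,        # placeholder pilot account, e.g. 'pilot.user'
        [Parameter(Mandatory)] [string] $PolicyName
    )
    Set-User -Identity $User -AuthenticationPolicy $PolicyName
    Get-User -Identity $User | Select-Object Name, AuthenticationPolicy
}

function Get-MailboxUsersWithoutAuthPolicy {
    # Mailbox users that are not yet covered by any authentication policy.
    Get-User -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
        Where-Object { -not $_.AuthenticationPolicy } |
        Select-Object Name, UserPrincipalName
}

$policy = New-BlockLegacyAuthPolicy
Set-PilotUserAuthPolicy -User 'pilot.user' -PolicyName $policy.Name
Get-MailboxUsersWithoutAuthPolicy
```

Roll the policy out to further users only after the pilot confirms no required client breaks on the blocked protocols.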

Exchange 2019 CU1 fixes:

  • 4487596 Emails are blocked in moderator mailbox Outbox folder when you send large volumes of emails in Exchange Server 2019
  • 4487591 The recipient scope setting doesn’t work for sibling domains when including OUs in the scope in Exchange Server 2019
  • 4487602 Outlook for Mac users can still expand a distribution group when hideDLMembership is set to true in Exchange Server 2019
  • 4488076 Outlook on the Web can’t be loaded when users use an invalid Windows language in operating system in Exchange Server 2019
  • 4488079 Exchange Server 2016 allows adding Exchange Server 2019 mailbox server into a same DAG and vice versa
  • 4488263 X-MS-Exchange-Organization-BCC header isn’t encoded correctly in Exchange Server 2019
  • 4488080 New-MigrationBatch doesn’t honor RBAC management scope in Exchange Server 2019
  • 4488262 Delivery Reports exception when tracking a meeting request that’s sent with a room resource in Exchange Server 2019
  • 4488268 Disable the irrelevant Query logs that’re created in Exchange Server 2019
  • 4488267 Test-OAuthConnectivity always fails when Exchange Server uses proxy to connect to Internet in Exchange Server 2019
  • 4488266 Client application doesn’t honor EwsAllowList in Exchange Server 2019
  • 4488265 “There are problems with the signature” error occurs for digital signature message if attachment filtering is enabled in Exchange Server 2019
  • 4488398 “The Microsoft Exchange Replication service may not be running on server” error when you add a mailbox database copy in Exchange Server 2019
  • 4488264 Mailbox that has a bad move request can’t be cleaned up from destination mailbox database in Exchange Server 2019
  • 4488261 Event ID 1002 when the store worker process crashes in Exchange Server 2019
  • 4488260 New-MailboxExportRequest and New-MailboxImportRequest don’t honor RBAC management scope in Exchange Server 2019
  • 4488259 MailTip shows wrong number of users for a distribution group if the users are in different domains in Exchange Server 2019
  • 4488258 OAuth authentication is removed when saving MAPI virtual directory settings in EAC in Exchange Server 2019
  • 4490060 Exchange Web Services Push Notifications can be used to gain unauthorized access
  • 4490059 Reducing permissions required to run Exchange Server using Shared Permissions Model

Exchange 2016 CU12 fixes:

  • 4487596 Emails are blocked in moderator mailbox Outbox folder when you send large volumes of emails in Exchange Server 2016
  • 4456241 You receive a meeting request that has a “not supported calendar message.ics” attachment in Exchange Server 2016
  • 4456239 New-MailboxRepairRequest doesn’t honor RBAC RecipientWriteScope restrictions in Exchange Server 2016
  • 4487591 The recipient scope setting doesn’t work for sibling domains when including OUs in the scope in Exchange Server 2016
  • 4468363 MRM does not work for mailboxes that have an online archive mailbox in Exchange Server
  • 4487603 “The action cannot be completed” error when you select many recipients in the Address Book of Outlook in Exchange Server 2016
  • 4487602 Outlook for Mac users can still expand a distribution group when hideDLMembership is set to true in Exchange Server 2016
  • 4488076 Outlook on the Web can’t be loaded when users use an invalid Windows language in operating system in Exchange Server 2016
  • 4488079 Exchange Server 2016 allows adding Exchange Server 2019 mailbox server into a same DAG and vice versa
  • 4488077 Can’t configure voice mail options when user is in different domain in Exchange Server 2016
  • 4488263 X-MS-Exchange-Organization-BCC header isn’t encoded correctly in Exchange Server 2016
  • 4488080 New-MigrationBatch doesn’t honor RBAC management scope in Exchange Server 2016
  • 4488262 Delivery Reports exception when tracking a meeting request that’s sent with a room resource in Exchange Server 2016
  • 4488268 Disable the irrelevant Query logs that’re created in Exchange Server 2016
  • 4488267 Test-OAuthConnectivity always fails when Exchange Server uses proxy to connect to Internet in Exchange Server 2016
  • 4488266 Client application doesn’t honor EwsAllowList in Exchange Server 2016
  • 4488265 “There are problems with the signature” error occurs for digital signature message if attachment filtering is enabled in Exchange Server 2016
  • 4488264 Mailbox that has a bad move request can’t be cleaned up from destination mailbox database in Exchange Server 2016
  • 4488261 Event ID 1002 when the store worker process crashes in Exchange Server 2016
  • 4488260 New-MailboxExportRequest and New-MailboxImportRequest don’t honor RBAC management scope in Exchange Server 2016
  • 4488259 MailTip shows wrong number of users for a distribution group if the users are in different domains in Exchange Server 2016
  • 4488258 OAuth authentication is removed when saving MAPI virtual directory settings in EAC in Exchange Server 2016
  • 4490060 Exchange Web Services Push Notifications can be used to gain unauthorized access
  • 4490059 Reducing permissions required to run Exchange Server using Shared Permissions Model

Exchange 2013 CU22 fixes:

  • 4487603 “The action cannot be completed” error when you select many recipients in the Address Book of Outlook in Exchange Server 2013
  • 4490060 Exchange Web Services Push Notifications can be used to gain unauthorized access
  • 4490059 Reducing permissions required to run Exchange Server using Shared Permissions Model

Exchange 2010 SP3 RU26 fixes:

  • 4490060 Exchange Web Services Push Notifications can be used to gain unauthorized access

Notes:

  • These Cumulative Updates do not contain schema changes compared to their previous Cumulative Update. However, due to changes in the permissions architecture, you need to run setup /PrepareAD to implement these changes as well as apply any RBAC changes, before deploying or updating Exchange servers.
  • When upgrading from an n-2 or earlier version of Exchange, or an early version of the .NET Framework, consult Upgrade Paths for CU’s & .NET.
  • Don’t forget to put the Exchange server in maintenance mode prior to updating. Regardless, setup will put the server in server-wide offline mode post-analysis, before making actual changes.
  • When using Exchange hybrid deployments or Exchange Online Archiving (EOA), you are required to stay at most one version behind (n-1).
  • If you want to speed up the update process for systems without internet access, you can follow the procedure described here to disable publisher’s certificate revocation checking.
  • Cumulative Updates can be installed directly; no need to install RTM prior to installing Cumulative Updates.
  • Once installed, you can’t uninstall a Cumulative Update nor any of the installed Exchange server roles.
  • The order of installation shouldn’t matter with the “every server is an island” concept, yet recommended is to upgrade internet-facing, non-internet-facing servers first, followed by Edge Transports.

Caution:

As for any update, I recommend thoroughly testing updates in a test environment prior to implementing them in production. When you lack such facilities, hold out a few days and monitor the comments on the original publication or forums for any issues.

Exchange Updates – June 2018

The Exchange Team released the June updates for Exchange Server 2013 and 2016, and an additional Rollup 22 for Exchange Server 2010 Service Pack 3.

Apart from fixes and time zone changes, these updates contain the following important changes and notes:

  • As announced earlier, Exchange 2013 CU21 and Exchange 2016 CU10 require .NET Framework 4.7.1.
  • All three updates require the VC++ 2013 runtime library, because it is needed by a third-party component in WebReady Document Viewing in Exchange 2010/2013 and Data Loss Prevention in Exchange 2013/2016. Exchange 2010 SP3 RU22 will force installation of this VC++ runtime.
  • Updates include a critical security patch for Oracle Outside In libraries. More about the issue in MSRC advisory ADV180010.
  • Exchange 2013 CU21 and Exchange 2016 CU10 introduce support for directly creating and enabling remote shared mailboxes, e.g.
    New-RemoteMailbox [-Shared] [-Name remoteMailboxName]
    Enable-RemoteMailbox [-Identity user] [-Shared] [-RemoteRoutingAddress user@domain]
    Set-RemoteMailbox [-Identity user] [-Type Shared]

    You need to run setup /PrepareAD to see these changes. More information in KB4133605.

  • This is the last planned Cumulative Update for Exchange 2013 as it enters Extended Support.
  • Exchange 2010 SP3 RU22 adds support for Windows Server 2016 Domain Controllers.


Version                | Build       | KB Article | Download | UMLP | Schema Changes
Exchange 2016 CU10     | 15.1.1531.3 | KB4099852  | Download | UMLP | No
Exchange 2013 CU21     | 15.0.1395.4 | KB4099855  | Download | UMLP | No
Exchange 2010 SP3 RU22 | 14.3.411.0  | KB4295699  | Download |      |

Exchange 2016 CU10 fixes:

  • 4056609 Event ID 4999 and mailbox transport delivery service won’t start with Exchange Server 2016 CU7 installed
  • 4133605 Cmdlets to create or modify a remote shared mailbox in an on-premises Exchange environment
  • 4133620 “HTTP 500 due to ADReferralException” error when a user tries to view detail properties of mailboxes in a child domain in Exchange Server
  • 4095974 “System.InvalidOperationException” occurs when the “Enable-MailPublicFolder” cmdlet is run against a public folder in Exchange Server
  • 4095973 Set-ServerComponentState cmdlet does not honor the write scope defined in the RBAC management scope in Exchange Server
  • 4095993 HTTP 500 error when an administrator tries to manage regional settings in ECP on Windows Server 2016
  • 4294209 Cannot clear the “Maximum message size” check box for Send messages or Receive messages in EAC in Exchange Server 2016
  • 4294208 “TooManyObjectsOpenedException” error when you run the “Get-PublicFolderMailboxDiagnostics” cmdlet in Exchange Server
  • 4294212 Cannot send VBScript-created messages in the Outlook 2016 client
  • 4294211 Cannot run “Set-CalendarProcessing” cmdlets after you apply CU8 or CU9 for Exchange Server 2016
  • 4294210 Cannot edit an email attachment in OWA in an Exchange Server 2016 environment
  • 4294204 Changing “IsOutOfService” to “False” in an earlier Exchange Server version does not immediately update in a later Exchange Server environment
  • 4092041 Description of the security update for Microsoft Exchange Server 2013 and 2016: May 8, 2018

Exchange 2013 CU21 fixes:

  • 4133605 Cmdlets to create or modify a remote shared mailbox in an on-premises Exchange environment
  • 4133604 User can’t log on to a POP/IMAP account by using NTLM authentication in Exchange Server 2013
  • 4133618 Unexpected error occurs when running the Get-DatabaseAvailabilityGroupNetwork cmdlet in Exchange Server 2013
  • 4133620 “HTTP 500 due to ADReferralException” when a user tries to view detail properties of mailboxes in a child domain in Exchange Server
  • 4058473 An Office 365 primary mailbox user cannot be assigned full access permissions for an on-premises mailbox in Exchange Server
  • 4094167 The MSExchangeRPC service crashes with a System.NullReferenceException exception in Exchange Server 2013
  • 4095974 “System.InvalidOperationException” occurs when the “Enable-MailPublicFolder” cmdlet is run against a public folder in Exchange Server
  • 4092041 Description of the security update for Microsoft Exchange Server 2013 and 2016: May 8, 2018
  • 4294205 POP3 services intermittently stop in an Exchange Server 2013 environment
  • 4294204 Changing “IsOutOfService” to “False” in an earlier Exchange Server version does not immediately update in a later Exchange Server environment

Exchange 2010 Rollup 22 fixes:

  • 4295751 EWS impersonation not working when accessing resource mailboxes in a different site in Exchange Server 2010 SP3

Notes:

  • Exchange 2016 CU10 and Exchange 2013 CU21 do not contain schema changes compared to their previous Cumulative Update. However, they introduce RBAC changes in your environment. Use setup /PrepareAD to apply RBAC changes, before deploying or updating Exchange servers.
  • When upgrading from an n-2 or earlier version of Exchange, or an early version of the .NET Framework, consult Upgrade Paths for CU’s & .NET.
  • When upgrading your Exchange 2013 or 2016 installation, don’t forget to put the server in maintenance mode when required. Regardless, setup will put the server in server-wide offline mode post-analysis, before making actual changes.
  • When using Exchange hybrid deployments or Exchange Online Archiving (EOA), you are required to stay at most one version behind (n-1).
  • If you want to speed up the update process for systems without internet access, you can follow the procedure described here to disable publisher’s certificate revocation checking.
  • Cumulative Updates can be installed directly, i.e. no need to install RTM prior to installing Cumulative Updates.
  • Once installed, you can’t uninstall a Cumulative Update nor any of the installed Exchange server roles.
  • The order in which you upgrade servers with Cumulative Updates is irrelevant.

Caution:

As for any update, I recommend thoroughly testing updates in a test environment prior to implementing them in production. When you lack such facilities, hold out a few days and monitor the comments on the original publication or forums for any issues.