Exchange Updates (and more) – H1 2022

Posted on April 20, 2022 by Michel de Rooij

20220423: Added TLS 1.3 note.

The Exchange Team released the ~~quarterly~~ half-yearly Cumulative Updates for Exchange Server 2019 and Exchange 2016. You read that right, half-yearly updates are replacing the cadence of quarterly update servicing model for Exchange Server. Effectively, this will be Exchange 2019 only, as Exchange 2016 will be out of mainstream support in H2 of 2022, and will therefor only receive Security Updates after this round. Note that this change also alters the effective ‘current’ state (n-1 or later) of your Exchange Server environment from half year to one year.

And that’s not the only good news that comes with these sets of updates. In short:

If you run Exchange 2019 in Hybrid only for the purpose of managing recipients, you can now use Exchange 2019 CU12’s Exchange Management Tools to accomplish this; no more need to have an Exchange server running just for this. More details here.
Exchange 2019 CU12 will reintroduce the Hybrid Key option. Its Hybrid Configuration Wizard supports this licensing method.
Exchange 2019 CU12 support managing the Hybrid Agent with MFA-enabled accounts.
Exchange 2019 CU12 adds support for Windows Server 2022, both for its underlying operating system, as well as deployment in environments running Windows Server 2022 Domain Controllers.
Note that while Windows Server 2022 supports TLS 1.3, Exchange 2019 CU12 on WS2022 does not yet support it. Adding support is scheduled for somewhere next year.
The supportability matrix has been updated for the supported Windows Server 2022 scenarios.
Exchange Server is now also part of Microsoft’s Bounty Program, which is an indication of continued focus for customers still running Exchange Servers on-premises.

Links to the updates as well as a description of changes and fixes are described below. The column Schema and AD indicate if the CU contains Schema (/PrepareSchema) and Active Directory (PrepareAD) changes compared to the previous CU. Refer to the Exchange Schema page for schema and related versioning information.

Version	Build	KB	Download	UMLP	Schema	AD
Exchange 2019 CU12	15.2.1118.7	KB5011156	Download		N	Y
Exchange 2016 CU23	15.1.2507.6	KB5011155	Download	UMLP	N	Y

Apart from DST changes and the fixes mentioned below, these Cumulative Updates also contain a change which will not allow using UNC paths with several cmdlets. More information about this change and cmdlets affected can be found here: KB5014278.

Exchange 2019 CU12 fixes:

5012757 “Migration user… can’t be found” error when using Start-MigrationUser after batch migration fails
5012758 Start-MailboxAssistant is not available in Exchange Server 2019
5012760 You can’t access OWA or ECP after installing the July 2021 security update
5012761 External attendees see “Send the Response Now” although no response was requested in Exchange Server
5012762 PST creation is unexpectedly triggered again during multiple mailbox export
5012765 Email stuck in queue starting from “2022/1/1 00:01:00 UTC+0” on all Exchange on-premises servers
5012766 Transport Services fail repeatedly because of * Accepted Domain
5012768 Start-MigrationUser and Stop-MigrationUser are unavailable for on-premises Exchange Server 2019 and 2016
5012769 Invalid New Auth Certificate for servers that are not on UTC time zone
5012770 No response from public folder for users migrating to Microsoft Exchange 2019
5012772 Items are skipped at the start of a new search page request
5012773 OWAMailboxPolicy is bypassed and high resolution profile images can be uploaded
5012774 Can’t change default path for Trace log data in Exchange Server 2019 and 2016
5012775 No additional global catalog column in the address book service logs
5012776 Exchange Server 2019 help link in OWA redirects users to online help for Exchange Server 2016
5012777 Can’t find forwarded messages that contain attachments in Exchange Server 2019
5012778 Exchange Server stops responding when processing PDF files with set transport rule
5012779 Invalid new auth certificate for servers that are not on UTC time zone
5012780 Disable-Mailbox does not remove LegacyExchangeDN attribute from on-premises Exchange 2019
5012781 Exchange Server 2019 and 2016 DLP doesn’t detect Chinese resident ID card numbers
5012782 MS ExchangeDiagnostic Service causes errors during service startup and initialization in Microsoft Exchange 2019
5012783 Can’t restore data of a mailbox when LegacyDN is empty in the database
5012784 Exchange 2016 CU21 and Exchange 2019 CU10 cannot save “Custom Attributes” changes in EAC
5012785 Read Only Domain Controllers (RODCs) in other domains do not get desired permissions
5012786 Forwarded meeting appointments are blocked or considered spam
5012787 Download domains created per CVE-2021-1730 don’t support ADFS authentication in OWA
5012789 Can’t use Copy Search Results after eDiscovery & Hold search
5012790 OWA doesn’t remove the “loading” image when a message is opened in Chrome and Edge browsers
5012791 MailboxAuditLog doesn’t work in localized (non-English) environments

Exchange 2016 CU23 fixes:

5012757 “Migration user… can’t be found” error when using Start-MigrationUser after batch migration fails
5012760 You can’t access OWA or ECP after installing the July 2021 security update
5012761 External attendees see “Send the Response Now” although no response was requested in Exchange Server
5012765 Email stuck in queue starting from “2022/1/1 00:01:00 UTC+0” on all Exchange on-premises servers
5012768 Start-MigrationUser and Stop-MigrationUser are unavailable for on-premises Exchange Server 2019 and 2016
5012769 Invalid New Auth Certificate for servers that are not on UTC time zone
5012774 Can’t change default path for Trace log data in Exchange Server 2019 and 2016
5012779 Invalid new auth certificate for servers that are not on UTC time zone
5012780 Disable-Mailbox does not remove LegacyExchangeDN attribute from on-premises Exchange 2019
5012781 Exchange Server 2019 and 2016 DLP doesn’t detect Chinese resident ID card numbers
5012782 MS ExchangeDiagnostic Service causes errors during service startup and initialization in Microsoft Exchange 2019
5012783 Can’t restore data of a mailbox when LegacyDN is empty in the database
5012784 Exchange 2016 CU21 and Exchange 2019 CU10 cannot save “Custom Attributes” changes in EAC
5012786 Forwarded meeting appointments are blocked or considered spam
5012787 Download domains created per CVE-2021-1730 don’t support ADFS authentication in OWA
5012789 Can’t use Copy Search Results after eDiscovery & Hold search
5012791 MailboxAuditLog doesn’t work in localized (non-English) environments
5012829 Group metrics generation fails in multidomain environment

Notes:

If these Cumulative Updates contain schema changes compared to the Cumulative Update you currently have deployed, you need to run Setup with /PrepareSchema. If they contain Active Directory changes, you need to run /PrepareAD. Alternatively, permissions permitting, you can let Setup perform this step. Consult the Exchange schema versions page for schema and related versioning information.
When upgrading from an n-2 or earlier version of Exchange, or an early version of the .NET Framework, consult Upgrade Paths for CU’s & .NET.
Don’t forget to put the Exchange server in maintenance mode prior to updating. Regardless, setup will put the server in server-wide offline mode post-analysis, before making actual changes.
When using Exchange hybrid deployments or Exchange Online Archiving (EOA), support requires you to trail at most one version (n-1).
If you want to speed up the update process for systems without internet access, you can follow the procedure described here to disable publisher’s certificate revocation checking.
Cumulative Updates can be installed directly; no need to install RTM prior to installing Cumulative Updates.
Once upgraded, you can’t uninstall a Cumulative Update nor any of the installed Exchange server roles.
The recommended upgrade order is internet-facing, non-internet-facing servers first, followed by Edge Transports.

Caution:

As for any update, I recommend to thoroughly test updates in a test environment prior to implementing them in production. When you lack such facilities, hold out a few days and monitor the comments on the original publication or forums for any issues.

Security Updates Exchange 2013-2019 (Mar2022)

Posted on March 8, 2022 by Michel de Rooij

The Exchange PG released March updates for Exchange Server 2013, 2016 and 2019. More detailed information on patching and how to get current when running an earlier CU of Exchange, can be found at the original blog post here.

The vulnerabilities addressed in these security updates are:

Vulnerability	Category	Severity	Rating
CVE-2022-23277	Remote Code Execution	Critical	CVSS:3.1 8.8 / 7.7
CVE-2022-24463	Spoofing	Important	CVSS:3.1 6.5 / 5.7

These vulnerabilities are addressed in the following security updates below. The exception is KB5010324 which does not fix CVE-2022-24463 for Exchange 2013. If this is because of the severity classification or the problem being non-existent for Exchange 2013, has not been not disclosed.

Exchange	Download	Build	KB	Supersedes
Exchange 2019 CU11	Download	15.2.986.22	KB5012698	KB5008631
Exchange 2019 CU10	Download	15.2.922.27	KB5012698	KB5008631
Exchange 2016 CU22	Download	15.1.2375.24	KB5012698	KB5008631
Exchange 2016 CU21	Download	15.1.2308.27	KB5012698	KB5008631
Exchange 2013 CU23	Download	15.0.1497.33	KB5010324	KB5008631

Finally, KB5010324 also contains the following additional fix for Exchange 2013:

5012925 RFC certificate timestamp validation in Exchange Server 2013

Be advised that these security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU11 to Exchange 2019 CU10. Also, the security update download has the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level, e.g. Exchange2019-CU10-KBXXXXXX-x64-en.msp.

As a reminder, run the Security Update from an elevated command prompt to prevent issues during installation. In other words: Do not just double-click on the .MSP file. And on a final note, as with any patch or update, I’d recommend to apply this in a test environment first, prior to implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it concerns security updates, and follow a more agile approach; the ratings are an indication of the urgency.

Security Updates Exchange 2013-2019 (Jan2022)

Posted on January 11, 2022 by Michel de Rooij

Another year, another Patch Tuesday! A quick blog on January 2022’s security updates for Exchange Server 2013 up to 2019.

The vulnerabilities addressed in these security updates are:

Vulnerability	Category	Severity	Rating
CVE-2022-21969	Remote Code Execution	Important	CVSS:3.1 9.0 / 7.8
CVE-2022-21855	Remote Code Execution	Important	CVSS:3.1 9.0 / 7.8
CVE-2022-21846	Remote Code Execution	Critical	CVSS:3.0 9.0 / 7.8

Vulnerabilities mentioned in the table above are addressed in the following security updates.

Exchange	Download	Build	KB	Supersedes
Exchange 2019 CU11	Download	15.2.986.15	KB5008631	KB5007409
Exchange 2019 CU10	Download	15.2.922.20	KB5008631	KB5007409
Exchange 2016 CU22	Download	15.1.2375.18	KB5008631	KB5007409
Exchange 2016 CU21	Download	15.1.2308.21	KB5008631	KB5007409
Exchange 2013 CU23	Download	15.0.1497.28	KB5008631	KB5007409

More detailed information can be found at the original blog post here. The security update also fixes the OWA redirection problem for Exchange hybrid deployments introduced with the November security updates.

Security Updates Exchange 2013-2019 (Nov2021)

Posted on November 9, 2021 by Michel de Rooij

Another month, another Patch Tuesday! A quick blog on November’s security updates for Exchange Server 2013 up to 2019. The vulnerabilities addressed in these security updates are:

Vulnerability	Category	Severity	Rating
CVE-2021-42321	Remote Code Execution	Important	CVSS:3.1 8.8 / 7.7
CVE-2021-42305	Spoofing	Important	CVSS:3.1 6.5 / 5.7
CVE-2021-41349	Spoofing	Important	CVSS:3.1 6.5 / 5.7

Vulnerabilities mentioned in the table above are addressed in the following security updates. Exception is Exchange 2013 CU23 which seemingly only gets fixed for CVE-2021-26427; it is unclear if that is because of Exchange 2013’s lifecycle phase or because the problem does not exist in those builds.

Exchange	Download	Build	KB	Supersedes
Exchange 2019 CU11	Download	15.2.986.14	KB5007409	KB5007012, KB5007011
Exchange 2019 CU10	Download	15.2.922.19	KB5007409	KB5007012, KB5007011
Exchange 2016 CU22	Download	15.1.2375.17	KB5007409	KB5007012, KB5007011
Exchange 2016 CU21	Download	15.1.2308.20	KB5007409	KB5007012, KB5007011
Exchange 2013 CU23	Download	15.0.1497.26	KB5007409	KB5007012, KB5007011

More detailed information can be found at the original blog post here. Check the KB articles for any known release notes, such as the possible cross-forest Free/Busy issue and HTTP headers containing version information.

Security Updates Exchange 2013-2019 (Oct2021)

Posted on October 12, 2021 by Michel de Rooij

Welcome to another Patch Tuesday! A quick blog on October’s security updates for Exchange Server 2013 up to 2019.

The vulnerabilities addressed in these security updates are:

Vulnerability	Category	Severity	Rating
CVE-2021-26427	Remote Code Execution	Important	CVSS:3.0 9.0 / 7.8
CVE-2021-41350	Spoofing	Important	CVSS:3.0 6.5 / 5.7
CVE-2021-41348	Elevation of Privilege	Important	CVSS:3.0 8.0 / 7.0
CVE-2021-34453	Denial of Service	Important	CVSS:3.0 7.5 / 6.5

Exchange	Download	Build	KB
Exchange 2019 CU11	Download	15.2.986.9	KB5007012
Exchange 2019 CU10	Download	15.2.922.14	KB5007012
Exchange 2016 CU22	Download	15.1.2375.12	KB5007012
Exchange 2016 CU21	Download	15.1.2308.15	KB5007012
Exchange 2013 CU23	Download	15.0.1497.24	KB5007011

Security Updates Exchange 2013-2019 (Jul2021)

Posted on July 13, 2021 by Michel de Rooij

Update July 20th: Added VC++2012 requirement to tip on running MT to prepare Exchange 2013 schema separately.

Another month, another Patch Tuesday! A quick blog on the July’s security updates for Exchange Server 2013 up to 2019.

The vulnerabilities addressed in these security updates are:

Vulnerability	Category	Severity	Rating
CVE-2021-31196	Remote Code Execution	Important	CVSS:3.0 7.2 / 6.3
CVE-2021-34470	Elevation of Privilege	Important	CVSS:3.0 8.0 / 7.0
CVE-2021-33768	Elevation of Privilege	Important	CVSS:3.0 8.0 / 7.0
CVE-2021-31206	Remote Code Execution	Important	CVSS:3.0 7.6 / 7.1

Note:

When looking at the MSRC information, you will notice 3 additional CVE issues addressed for July 13th. However, as far as I can see CVE-2021-34473, CVE-2021-34523 and CVE-2021-33766 were addressed in the April 2021 and eventually the May 2021 Security Updates, which also would explain MSRC’s mention of earlier CUs, such as Exchange 2019 CU8.
CVE-2021-31206 was the vulnerability discovered at the Pwn2Own 2021 contest.

Vulnerabilities mentioned in the table above are addressed in the following security updates:

Exchange	Download	Build	KB
Exchange 2019 CU10	Download	15.2.922.13	KB5004780
Exchange 2019 CU9	Download	15.2.858.15	KB5004780
Exchange 2016 CU21	Download	15.1.2308.14	KB5004779
Exchange 2016 CU20	Download	15.1.2242.12	KB5004779
Exchange 2013 CU23	Download	15.0.1497.23	KB5004778

Notes:

CVE-2021-33768 does not seem applicable to Exchange 2019 CU9 or Exchange 2016 CU20.
CVE-2021-34470 is only addressed in the security update for Exchange 2013 CU23.

More detailed information can be found at the original blog post here, which mentions some specific post-deployment instructions:

When running n-1 CU of Exchange 2019 (CU9) or Exchange 2016 (CU20), and you do not plan to upgrade to the latest CU yet but do wish to install this Security Update, you must also update the AD Schema using the CU10 or CU21 installation files.
When you are running Exchange 2013 CU23 in your organization, and no later Exchange builds are present, you need to deploy a schema update immediately after deploying the Security Update. After deploying the SU, from an elevated CMD prompt, run Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms from Exchange’s bin folder. You you need to separate the update from deploying the update, see end of article for a tip.

The blog also mentions some issues, which are identical to the ones mentioned with the May 2021 Security Updates:

Accounts ending in ‘$’ cannot use EMS or access the ECP.
Cross-forest Free/Busy might stop working resulting in 400 Bad Request (solution).
Running cmdlets against EMC using invoked runspace might result in no-language mode error (info).

Be advised that these security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU9 to Exchange 2019 CU8. Also, the security update download has the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level, e.g. Exchange2019-CU9-KBXXXXXX-x64-en.msp.

On another note, after deploying the security updates Exchange will start reporting its version number in the HTTP response header.

As a reminder, run the Security Update from an elevated command prompt to prevent issues during installation. In other words: Do not just double-click on the .MSP file. And on a final note, as with any patch or update, I’d recommend to apply this in a acceptance environment first, prior to implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it concerns security updates, and follow a more agile approach. The rating implies a form of urgency.

OWA/ECP and HMAC errors
There are reports of the Security Update breaking OWA/ECP. Symptoms are browsers displaying an HMAC error:

Server Error in '/owa' Application.

ASSERT: HMACProvider.GetCertificates:protectionCertificates.Length<1
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
    
Exception Details: Microsoft.Exchange.Diagnostics.ExAssertException: ASSERT: HMACProvider.GetCertificates:protectionCertificates.Length<1

It is likely related to “Microsoft Exchange Server Auth Certificate”, which can be expired, invalid or for other reasons not being picked up. The reported solution is renewing the “Microsoft Exchange Server Auth Certificate”. This procedure can be found here. Do note that it may take an hour for the certificate to become effective. Meanwhile, you can check the comments in the original Exchange Team post, which is lively with feedback and responses.

Exchange 2013 CU23 SU & Schema Updating
Because with Exchange 2013 CU23 schema preparation needs to occur immediately after deploying the SU on (the first) Exchange 2013 CU23 server, a tip might be that you could deploy Exchange 2013 CU23 Management Tools on a workstation, install the SU on that workstation, then run the PrepareSchema from there before deploying the SU on any Exchange 2013 CU23 server.

This might also be helpful in multi-domain organizations, or organizations where AD and Exchange are managed by different teams or require separate changes. Note that performing the schema update this way requires Visual C++ 2012 Runtime, otherwise you will run into a “Exchange Server setup didn’t complete the operation” and the ExchangeSetup.log will contain “Could not load file or assembly ‘Microsoft.Exchange.CabUtility.dll”.

Security Updates Exchange 2013-2019 (Nov2020)

Posted on November 10, 2020 by Michel de Rooij

A quick blog on security updates for Exchange Server 2013, 2016 and 2019 released November 10th. These fixes address the following vulnerability:

CVE-2020-17085: Microsoft Exchange Server Denial of Service Vulnerability
CVE-2020-17084: Microsoft Exchange Server Remote Code Execution Vulnerability
CVE-2020-17083: Microsoft Exchange Server Remote Code Execution Vulnerability

The exploits can be fixed by single security update, which you can find in the table below per current Exchange version.

Exchange	Download	Build	KB	Supersedes
Exchange 2019 CU7	Download	15.2.721.4	KB4588741	KB4581424
Exchange 2019 CU6	Download	15.2.659.8	KB4588741	KB4581424
Exchange 2016 CU18	Download	15.1.2106.4	KB4588741	KB4581424
Exchange 2016 CU17	Download	15.1.2044.8	KB4588741	KB4581424
Exchange 2013 CU23	Download	15.0.1497.8	KB4588741	KB4581424

Be advised that these security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2016 CU17 to Exchange 2016 CU16. Also, the security update download has the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level, e.g. Exchange2019-CU6-KB4588741-x64-en.msp.

Also, run the Security Update from an elevated command prompt, to prevent issues during installation. And on a final note, as with any patch or update, I’d recommend to apply this in a acceptance environment first, prior to implementing it in production.

Security Updates Exchange 2013-2019 (Oct2020)

Posted on October 14, 2020 by Michel de Rooij

A quick blog on security updates for Exchange Server 2013, 2016 and 2019 released October 13th. These fixes address the following vulnerability:

CVE-2020-16969: Microsoft Exchange Information Disclosure Vulnerability
An information disclosure vulnerability exists in how Microsoft Exchange validates tokens when handling certain messages. An attacker who successfully exploited the vulnerability could use this to gain further information from a user.

To exploit the vulnerability, an attacker could include specially crafted OWA messages that could be loaded, without warning or filtering, from the attacker-controlled URL. This callback vector provides an information disclosure tactic used in web beacons and other types of tracking systems.

The security update corrects the way that Exchange handles these token validations.

The exploits can be fixed by single security update, which you can find in the table below per current Exchange version.

Exchange	Download	Build	KB	Supersedes
Exchange 2019 CU7	Download	15.2.721.3	KB4581424	KB4577352
Exchange 2019 CU6	Download	15.2.659.7	KB4581424	KB4577352
Exchange 2016 CU18	Download	15.1.2106.3	KB4581424	KB4577352
Exchange 2016 CU17	Download	15.1.2044.7	KB4581424	KB4577352
Exchange 2013 CU23	Download	15.0.1497.7	KB4581424	KB4536988