Tag Archives: CU6

Security Updates Exchange 2013-2019 (Nov2020)

Posted on by
Reply

A quick blog on security updates for Exchange Server 2013, 2016 and 2019 released November 10th. These fixes address the following vulnerability:

  • CVE-2020-17085: Microsoft Exchange Server Denial of Service Vulnerability
  • CVE-2020-17084: Microsoft Exchange Server Remote Code Execution Vulnerability
  • CVE-2020-17083: Microsoft Exchange Server Remote Code Execution Vulnerability

The exploits can be fixed by single security update, which you can find in the table below per current Exchange version.

ExchangeDownloadBuildKBSupersedes
Exchange 2019 CU7Download15.2.721.4KB4588741KB4581424
Exchange 2019 CU6Download15.2.659.8KB4588741KB4581424
Exchange 2016 CU18Download15.1.2106.4KB4588741KB4581424
Exchange 2016 CU17Download15.1.2044.8KB4588741KB4581424
Exchange 2013 CU23Download15.0.1497.8KB4588741KB4581424

Be advised that these security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2016 CU17 to Exchange 2016 CU16. Also, the security update download has the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level, e.g. Exchange2019-CU6-KB4588741-x64-en.msp.

Also, run the Security Update from an elevated command prompt, to prevent issues during installation. And on a final note, as with any patch or update, I’d recommend to apply this in a acceptance environment first, prior to implementing it in production.

Security Updates Exchange 2013-2019 (Oct2020)

Posted on by
Reply

A quick blog on security updates for Exchange Server 2013, 2016 and 2019 released October 13th. These fixes address the following vulnerability:

  • CVE-2020-16969: Microsoft Exchange Information Disclosure Vulnerability
    An information disclosure vulnerability exists in how Microsoft Exchange validates tokens when handling certain messages. An attacker who successfully exploited the vulnerability could use this to gain further information from a user.

    To exploit the vulnerability, an attacker could include specially crafted OWA messages that could be loaded, without warning or filtering, from the attacker-controlled URL. This callback vector provides an information disclosure tactic used in web beacons and other types of tracking systems.

    The security update corrects the way that Exchange handles these token validations.

The exploits can be fixed by single security update, which you can find in the table below per current Exchange version.

ExchangeDownloadBuildKBSupersedes
Exchange 2019 CU7Download15.2.721.3KB4581424KB4577352
Exchange 2019 CU6Download15.2.659.7KB4581424KB4577352
Exchange 2016 CU18Download15.1.2106.3KB4581424KB4577352
Exchange 2016 CU17Download15.1.2044.7KB4581424KB4577352
Exchange 2013 CU23Download15.0.1497.7KB4581424KB4536988

Be advised that these security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2016 CU17 to Exchange 2016 CU16. Also, the security update download has the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level, e.g. Exchange2016-CU17-KB4581424-x64-en.msp.

Also, run the Security Update from an elevated command prompt, to prevent issues during installation. And on a final note, as with any patch or update, I’d recommend to apply this in a acceptance environment first, prior to implementing it in production.

Exchange Updates – June 2020

Posted on by
Reply

The Exchange Team released the quarterly Cumulative Updates for Exchange Server 2019 as well as Exchange 2016. Like the previous two Cumulative Updates, these require .NET Framework 4.8.

Apart from fixes as well as security updates included from the previous CU, these update contain the following changes for both builds:

  • Added additional file types to default OWA Mailbox Policy for Blocked File Extensions. More information in KB4559446.
  • Added support to Restore-RecoverableItems for easier usage. More details in KB4547707.

Links to the updates as well as a description of changes and fixes are described below.

VersionBuildKBDownloadUMLPSchema
Exchange 2019 CU615.2.659.4KB4556415VLSC N
Exchange 2016 CU1715.1.2044.4KB4556414DownloadUMLPN

Exchange 2019 CU6 fixes:

  • 4559441 Foreign language characters set in RejectMessageReasonText of a transport rule aren’t shown correctly in Exchange Server 2019
  • 4547707 Enable piping for Restore-RecoverableItems in Exchange Server 2019
  • 4549689 HMA EvoSTS certificate rollover causes authentication prompts due to stalled key on worker process spawn (warmup phase) in Exchange Server 2019
  • 4559446 Changes to Outlook on the web blocked file extensions and MIME types in Exchange Server 2019
  • 4559440 Export to a PST for an eDiscovery search fails Exchange Server 2019
  • 4559439 EAS creates failure report if a message with unknown recipients is in Drafts in Exchange Server 2019
  • 4559442 2080 Events caused by empty values in HKLM\SYSTEM\CurrentControlSet\Services\MSExchange ADAccess\Instance0 in Exchange Server 2019
  • 4559438 Edge Transport server hangs in Exchange Server 2019
  • 4559443 Managed Folder Assistant fails with Event ID 9004 NotInBagPropertyErrorException in Exchange Server 2019
  • 4559437 PR_RECIPIENT_ENTRYID is computed if no email address or type in Exchange Server 2019
  • 4559444 Conversion from HTML to RTF removes non-breaking space in Exchange Server 2019
  • 4559436 Attachments with properties (like Azure Information Protection labels) not always matching in Exchange Server 2019
  • 4559435 Introduce an OrganizationConfig flag to enable or disable recipient read session in Exchange Server 2019

Exchange 2016 CU17 fixes:

  • 4559444 Conversion from HTML to RTF removes non-breaking space in Exchange Server 2016
  • 4559435 Introduce an OrganizationConfig flag to enable or disable recipient read session in Exchange Server 2016
  • 4547707 Enable piping for Restore-RecoverableItems in Exchange Server 2019 and 2016
  • 4559436 Attachments with properties (like Azure Information Protection labels) don’t always match in Exchange Server 2016
  • 4559437 PR_RECIPIENT_ENTRYID is computed if no email address or type in Exchange Server 2016
  • 4559438 Edge Transport server hangs in Exchange Server 2016
  • 4559439 EAS creates failure report if a message with unknown recipients is in Drafts in Exchange Server 2016
  • 4559440 Export to a PST for an eDiscovery search fails in Exchange Server 2016
  • 4559441 Foreign language characters set in RejectMessageReasonText of a transport rule aren’t shown correctly in Exchange Server 2016
  • 4559442 2080 Events caused by empty values in HKLM\SYSTEM\CurrentControlSet\Services\MSExchange ADAccess\Instance0 in Exchange Server 2016
  • 4549689 HMA EvoSTS certificate rollover causes authentication prompts due to stalled key on worker process spawn (warmup phase) in Exchange Server 2016
  • 4559443 Managed Folder Assistant fails with Event ID 9004 NotInBagPropertyErrorException in Exchange Server 2016
  • 4559446 Changes to Outlook on the web blocked file extensions and MIME types in Exchange Server 2016

Notes:

  • These Cumulative Updates do not contain schema changes compared to their previous Cumulative Update.
  • When upgrading from an n-2 or earlier version of Exchange, or an early version of the .NET Framework, consult Upgrade Paths for CU’s & .NET.
  • Don’t forget to put the Exchange server in maintenance mode prior to updating. Regardless, setup will put the server in server-wide offline mode post-analysis, before making actual changes.
  • When using Exchange hybrid deployments or Exchange Online Archiving (EOA), you are required to delay installing at most one version (n-1).
  • If you want to speed up the update process for systems without internet access, you can follow the procedure described here to disable publisher’s certificate revocation checking.
  • Cumulative Updates can be installed directly; no need to install RTM prior to installing Cumulative Updates.
  • Once installed, you can’t uninstall a Cumulative Update nor any of the installed Exchange server roles.
  • The order of installation shouldn’t matter with the “every server is an island” concept, yet recommended is to upgrade internet-facing, non-internet-facing servers first, followed by Edge Transports.

Caution:

As for any update, I recommend to thoroughly test updates in a test environment prior to implementing them in production. When you lack such facilities, hold out a few days and monitor the comments on the original publication or forums for any issues.

Security Updates for Exchange 2013 & 2016

Posted on by
9

Despite the quarterly wave of Cumulative Updates being imminent, CVE-2017-11932 and ADV170023 warranted a quick release of Security Update KB4045655 for current versions of Exchange 2013 and Exchange 2016.

This security update fixes a vulnerability in OWA, which could allow elevation of privilege or spoofing if an attacker sends an email that has a specially crafted attachment to a vulnerable Exchange server.

You can download the security updates here:

Be advised the update may leave your Exchange services in a disabled state, despite installing correctly. In those cases, reconfigure those services to Automatic and start them manually.

Also note that this security update overrides an earlier update, KB4036108, which might cause Calendar Sharing issues when split DNS is used.

Security updates are Cumulative Update level specific. Be advised that updates may carry the same name, e.g. the update for CU7 and the one for CU6 are both Exchange2016-KB4045655-x64-en.msp. I suggest adding some form of Cumulative Update identification to the file name when archiving it, e.g. Exchange2016-KB4045655-x64-en-CU7.msp.

As with any patch or update, I’d recommend to thoroughly test this in a test and acceptance environment first, prior to implementing it in production.

 

Ex2013 CU6 & Ex2007 coexistence issue for EAS

Posted on by
2

Ex2013 LogoA short notice on an issue when you have deployed Exchange 2013 Cumulative Update 6 in coexistence in an Exchange 2007 environment. Exchange fellow Tony Redmond did a write-up on the issue here.

The issue prevents ActiveSync users whose mailbox reside on Exchange 2007 to authenticate properly when their requests are being proxied from Exchange 2013 CU6 to Exchange 2007. It has been identified in KB2997847. Alternatively, you direct Exchange 2007 EAS traffic directly to Exchange 2007 CAS servers when they are internet-facing and published.

Be advised that a previous known issue in this deployment scenario with delegates and dismounting stores has been identified in KB2997209.

Both articles provide links to request these hotfixes.

Another Exchange fellow, Jason Sherry, is keeping track of resolved and open Exchange 2013 CU6 issues here.

Exchange2013-KB2997355-FixIt-v2

Posted on by
3

Ex2013 LogoAs mentioned earlier, when you have deployed Exchange Server 2013 Cumulative Update 6 in a Hybrid deployment, several Office 365-related mailbox functions will not show up in the Exchange Admin Center (EAC). The issue was identified by Microsoft in KB2997355 and a fix was published.

However, the script to fix the issue looks for the XAML file in the default Program Files folder, using the default Exchange installation folder. Better is to check the actual Exchange installation folder, which can easily be accomplished in Exchange Management Shell using the $exinstall environment variable, or by reading the folder from the registry.

To help those installing Exchange in a non-default installation folder, and I know there are quite a few of you out there, who are hesitant to correcting the installation path in the provided FixIt script, I have create an alternative version of the Exchange2013-KB2997355-FixIt script. This version will read the installation path from the registry. Not disturbing but changed as well is correcting the XAML file in one go, unlike the official script which performs 3 consecutive read/modify/write actions on the same file.

You can download the Exchange2013-KB2997355-FixIt-v2.ps1 script here.

 

Hybrid EAC, Ex2007 & In-Place Hold issues in Ex2013 CU6

Posted on by
8

Ex2013 LogoLast update September 2nd, 2014: Microsoft has released a ‘fix’ to correct the EAC issue. It is available through KB2997355. Be advised that the fix uses the default Program Files folder. If you have installed Exchange in a different location, I suggest using Exchange2013-KB2997355-FixIt-v2. Also added information on a serious In-Place Hold issue to this post.

Just a few days after the release of Exchange 2013 Cumulative Update 6, some issues have been identified which could pose issues for organizations utilizing Exchange 2013 Hybrid deployments, or organizations using Exchange 2013 in co-existence with Exchange 2007.

First, Exchange MVP fellow Jeff Guillet discovered that, when you have deployed Exchange 2013 CU6 on-premises in a Hybrid scenario, several Office 365-related mailbox functions will not show up in the Exchange Admin Center (EAC), e.g.

  • Create mailboxes in Exchange Online.
  • Move mailboxes to Exchange Online.
  • Create In-Place Archive mailboxes.

Of course, this functionality remains available when using Exchange Management Shell (EMS), or alternatively use the Office 365 Portal where possible. The severity of this issue therefor depends on how your operations procedures make use of these functions in EAC. This issue has been confirmed in KB2997355, which contains a fix but I suggest using my adjusted version available here, which will use the actual Exchange installation folder instead of assuming Exchange is installed using the default installation path.

The second issue was reported by another Exchange MVP, Ratish Nair. When using Exchange 2013 in co-existence with Exchange 2007, access to delegated mailboxes may cause Exchange 2013 databases to fail-over (or dismounts when you have single copies of databases) due to Microsoft.Exchange.Worker.Store crashing. This only happens when the user’s mailbox is on hosted on Exchange 2007 and the delegate mailbox is on Exchange 2013 CU6. This issue has been confirmed in KB2997209 which contains a link to request the related hotfix.

On a more serious note, Exchange MVP Tony Redmond reported that a serious flaw has been discovered in OWA, which allows delegates to bypass In-Place Hold and remove entire folders from a mailbox without a trace. This applies to Exchange Server 2013 as well as Office 365. Meanwhile, Microsoft has acknowledged the issue in KB2996477. Suggested workarounds are to put delegate mailboxes on In-Place Hold as well or to disable OWA access for those delegates.

Exchange 2013 Cumulative Update 6

Posted on by
1

Note: There are some known issues with CU6 RTM concerning Hybrid environments and when used in co-existence with Exhange 2007. Please check this post for updates.

Today, Cumulative Update 6 for Exchange Server 2013 was released by the Exchange Team (KB2936880). This update raises Exchange 2013 version number to 15.0.995.29.

This Cumulative Update increases the Public Folder for Exchange On-Premises to 100,000. It also fixes the ‘Hybrid Configuration Wizard ‘Subtask Checkprereqs Execution Failed’ issue I blogged about here (2988229).

This Cumulative Update contains the following fixes:

  • 2991934 Duplicate mailbox folders after migration to Exchange Server 2013
  • 2983512 RPC Client Access service crashes on an on-premises Mailbox server in an Exchange Server 2013 hybrid environment
  • 2983426 AutodiscoverSelfTestProbe fails when external URL is not set for EWS virtual directory in Exchange Server 2013
  • 2983423 AutodiscoverSelfTestProbe fails when external URL is not set for ECP virtual directory in Exchange Server 2013
  • 2983422 The ServerWideOffline component is set to Inactive after Exchange Server 2013 prerequisite check fails
  • 2983207 “532 5.3.2” NDR when you send an email message to a hidden mailbox in an Exchange Server 2013 environment
  • 2983066 Removed Default or Anonymous permission for Outlook folders cannot be restored in an Exchange Server 2013 environment
  • 2982769 “Topology service cannot find the OWA service” when you perform an eDiscovery search in Exchange Server 2013
  • 2982763 Mail-enabled public folder accepts email messages from unauthorized users in an Exchange Server 2013 environment
  • 2982762 OAB generation arbitration mailbox can be removed or disabled in an Exchange Server 2013 environment
  • 2982760 The Enter key submits duplicate sign-in forms to Outlook Web App in an Exchange Server 2013 environment
  • 2982759 You cannot access the archive mailbox of a delegated user after enabling MAPI over HTTP
  • 2982017 Incorrect voice mail message duration in an Exchange Server 2013 environment
  • 2981835 You cannot add attachments, delete or move many email messages in bulk in Outlook Web App
  • 2981466 MAPI/CDO client cannot connect to Exchange Server 2013
  • 2977279 You cannot disable journaling for protected voice mail in an Exchange Server 2013 environment
  • 2975599 Exchange Server 2010 public folder replication fails in an Exchange Server 2013 environment
  • 2975003 Calendar item body disappears in Outlook online mode in an Exchange Server 2013 environment
  • 2974339 OAB generation fails if FIPS is used in an Exchange Server 2013 environment
  • 2971270 Blank page after you sign in to Exchange Server 2013 EAC (formerly ECP)
  • 2970040 Folder Assistant rule does not work correctly in an Exchange Server 2013 environment
  • 2965689 EAS device cannot sync free/busy status if an item is created by EWS in an Exchange Server 2013 environment
  • 2963590 Message routing latency if IPv6 is enabled in Exchange Server 2013
  • 2961715 “Something went wrong” error in Outlook Web App may show an incorrect date
  • 2958434 Users cannot access mailboxes in OWA or EAS when mailbox database is removed

Notes:

  • There are some additional changes in the way Public Folders operate. Consult this article from the Exchange team for details on these changes.
  • When using Exchange hybrid deployments or Exchange Online Archiving (EOA), you are required to keep up to date.
  • Be advised of OAB architectural changes introduced with CU5 which are documented here. If you are affected, it is recommended to update CAS servers prior to Mailbox servers.
  • If you have installed the Interim Update to fix Hybrid Configuration Wizard, you can install the Cumulative Update over it – there is no need to uninstall the IU prior to installing CU6.

This Cumulative Update includes schema and AD changes, so make sure you run PrepareSchema / PrepareAD. After updating, the schema version will be 15303.

Note that Cumulative Updates can be installed directly, i.e. no need to install RTM or Service Packs prior to installing Cumulative Updates. Note that once installed, you can’t uninstall a Cumulative Update nor any of the installed Exchange server roles. The order of upgrading servers is irrelevant, unlike with previous generations of Exchange.

Finally, and I can’t emphasize this enough: For any Hotfix, Rollup, Service Pack or Cumulative Update, I’d recommend to thoroughly test this in a test and acceptance environment first, prior to implementing it in production. When you lack such facilities, hold out a week or two and monitor the comments on the release article or TechNet forum for any issues.

You can download Exchange 2013 Cumulative Update 6 here; UM Language Packs can be found here. More details about these changes, preparing Active Directory or installing this Cumulative Update can be found in the original announcement.