Security Updates for Exchange 2013 & 2016

Despite the quarterly wave of Cumulative Updates being imminent, CVE-2017-11932 and ADV170023 warranted a quick release of Security Update KB4045655 for current versions of Exchange 2013 and Exchange 2016.

This security update fixes a vulnerability in OWA, which could allow elevation of privilege or spoofing if an attacker sends an email that has a specially crafted attachment to a vulnerable Exchange server.

You can download the security updates here:

Be advised the update may leave your Exchange services in a disabled state, despite installing correctly. In those cases, reconfigure those services to Automatic and start them manually.

Also note that this security update overrides an earlier update, KB4036108, which might cause Calendar Sharing issues when split DNS is used.

Security updates are Cumulative Update level specific. Be advised that updates may carry the same name, e.g. the update for CU7 and the one for CU6 are both Exchange2016-KB4045655-x64-en.msp. I suggest adding some form of Cumulative Update identification to the file name when archiving it, e.g. Exchange2016-KB4045655-x64-en-CU7.msp.

As with any patch or update, I’d recommend to thoroughly test this in a test and acceptance environment first, prior to implementing it in production.

 

Exchange Updates – September 2017

Ex2013 LogoHoneymoon caused some backlog, and one of the things to post was that the Exchange Team released the September updates for Exchange Server 2013 and 2016. Like the previous Cumulative Updates for these Exchange versions, Exchange 2013 CU18 and Exchange 2016 CU7 require .NET Framework 4.6.2; NET Framework 4.7.1 is currently being tested (4.7 will be skipped), and support for 4.7.1 is expected for the December updates.

Version Build KB Article Download UMLP Schema Changes
Exchange 2016 CU7 15.1.1261.35 KB4018115 Download UMLP Yes
Exchange 2013 CU18 15.0.1347.2 KB4022631 Download UMLP No
  • KB 4040754 “Update UseDatabaseQuotaDefaults to false” error occurs when you change settings of user mailbox in Exchange Server 2016
  • KB 4040121 You receive a corrupted attachment if email is sent from Outlook that connects to Exchange Server in cache mode
  • KB4036108 Security update for Microsoft Exchange: September 12, 2017

Exchange 2013 CU18 fixes:

  • KB4040755 New health monitoring mailbox for databases is created when Health Manager Service is restarted in Exchange Server 2013
  • KB4040121 You receive a corrupted attachment if email is sent from Outlook that connects to Exchange Server in cache mode
  • KB4040120 Synchronization may fail when you use the OAuth protocol for authorization through EAS in Exchange Server 2013
  • KB4036108 Security update for Microsoft Exchange: September 12, 2017

Notes:

  • Exchange 2016 CU7 requires Forest Functionality Level 2008R2 or later.
  • Exchange 2016 CU7 includes schema changes, but Exchange 2013 CU18 does not. However, Exchange 2013 CU17 may introduce RBAC changes in your environment. Where applicable, use setup /PrepareSchema to update the schema or /PrepareAD to apply RBAC changes, before deploying or updating Exchange servers. To verify this step has been performed, consult the Exchange schema overview.
  • When upgrading your Exchange 2013 or 2016 installation, don’t forget to put the server in maintenance mode when required. Regardless, setup will put the server in server-wide offline mode post-analysis, before making actual changes.
  • Using Windows Management Framework (WMF)/PowerShell version 5 or later on anything earlier than Windows Server 2016 is not supported. Don’t install WMF5 on your Exchange servers running on Windows Server 2012 R2 or earlier.
  • NET Framework 4.7.1 is being tested by the Exchange Team, but .NET Framework 4.7.1 nor .NET Framework 4.7 are supported.
  • When using Exchange hybrid deployments or Exchange Online Archiving (EOA), you are required to stay at most one version behind (n-1).
  • If you want to speed up the update process for systems without internet access, you can follow the procedure described here to disable publisher’s certificate revocation checking.
  • Cumulative Updates can be installed directly, i.e. no need to install RTM prior to installing Cumulative Updates.
  • Once installed, you can’t uninstall a Cumulative Update nor any of the installed Exchange server roles.
  • The order in which you upgrade servers with Cumulative Updates is irrelevant.

Caution: As for any update, I recommend to thoroughly test updates in a test environment prior to implementing them in production. When you lack such facilities, hold out a few days and monitor the comments on the original publication or forums for any issues.

Exchange 2013 Cumulative Update 7

Ex2013 LogoToday, Cumulative Update 7 for Exchange Server 2013 was released by the Exchange Team (KB2986485). This update raises Exchange 2013 version number to 15.0.1044.25.

Note: Customers that run backups of their Exchange databases are advised to upgrade to CU7 and perform a post-upgrade full backup. This is due to a race condition which could prevent proper restoration of pre-CU7 Exchange databases.

This Cumulative Update contains a security update to fix a potential elevation of privilege issue (bulletin MS14-075), as well as the following fixes:

  • 3004235 Exchange Server meetings in Russian time zones as well as names of time zones are incorrect after October 26, 2014
  • 3012655 New-MailboxImportRequest causes unreadable characters when you import an ANSI format .pst file of Russian language
  • 3012652 CalendarProcessing cmdlet does not generate delegate permissions to universal security groups in Exchange Server 2013
  • 3009631 Advanced Find against the Sent Items folder in Outlook returns no result in Exchange Server 2013
  • 3009612 Outlook Web App shows organization details on the contact card beyond the scope of user ABP in Exchange Server 2013
  • 3009291 Shared mailbox cannot be opened in Outlook in an Exchange Server 2013 environment that has multiple domains
  • 3008453 Cannot edit or delete forms from the organizational forms library in Exchange Server 2013
  • 3008438 User who is trying to Log on to Exchange Admin Console is logged in to OWA instead
  • 3006672 Move request fails if the IsExcludedFromProvisioning option is true in Exchange Server 2013
  • 3005391 Exchange Server 2013 Cumulative Update 5 breaks free|busy lookup from Exchange Online to Exchange Server 2007
  • 3003986 RejectMessageReasonText in transport rule appears in the user section of a DSN in Exchange Server 2013
  • 3001217 TLS 1.0 is hardcoded for SMTP traffic encryption in Exchange Server 2013
  • 3001037 Distribution group cannot send email messages to a mail enabled public folder in an Exchange Server 2013 environment
  • 2999031 A cross-forest mailbox move from Exchange Server 2007 to Exchange Server 2013 finishes with CompletedWithWarnings status
  • 2998144 New-MoveRequest cmdlet with RemoteLegacy parameter cannot perform a cross-forest mailbox move
  • 2988553 Add-ADPermission and Remove-ADPermission can be run outside the management scope in Exchange Server 2013
  • 2981538 Exchange Control Panel crashes when you proxy from Exchange 2013 to Exchange 2010
  • 3014051 Cannot migrate mailboxes in a multiple domains environment in Exchange Server 2013
  • 3012986 ContentIndexRetryQueueSize value for a passive node never drops to zero in Exchange Server 2013 Cumulative Update 6
  • 3004011 Sound alerts do not work in Outlook Web App when new email or calendar notification is received in Exchange Server 2013
  • 3003580 Event ID 4999 and 4401 when the Microsoft Exchange Replication service crashes in Exchange Server 2013
  • 3003518 “550 5.7.1” NDR when you send messages to external recipients in an Exchange Server 2013 hybrid environment
  • 3003068 Cannot see online archive mailbox after you upgrade to Exchange Server 2013 Cumulative Update 6
  • 3000944 Subfolders under the Deleted Items folder are not visible in Outlook in an Exchange Server 2013 environment
  • 2997847 You cannot route ActiveSync traffic to Exchange 2007 mailboxes after you upgrade to Exchange 2013 CU6
  • 2997355 Exchange Online mailboxes cannot be managed by using EAC after you deploy Exchange Server 2013 CU6
  • 2997209 Exchange Server 2013 databases unexpectedly fail over in a co-existence environment with Exchange Server 2007
  • 2995263 OAB cannot be rebuilt if the .flt file is larger than two GB in Exchange Server 2013
  • 2994216 PublicFolderMoveRequest deletes all read or unread state in target mailbox for each user in Exchange Server 2013
  • 2993871 Resource Booking Assistant crashes after you upgrade to Exchange Server 2013 Cumulative Update 5
  • 2983216 Category setting on an item in Outlook jumps the selection to the top of the list in an Exchange Server 2013 environment
  • 2931223 MAPI virtual directory is missing from Default Web Site node

Notes:

  • When using Exchange hybrid deployments or Exchange Online Archiving (EOA), you are required to stay current.
  • CU7 adds support for hierarchies containing 250,000 modern public folders. Consult this article for co-existence scenarios.
  • Be advised of OAB architectural changes introduced with CU5 which are documented here. If you are affected, it is recommended to update CAS servers prior to Mailbox servers.
  • If you have installed the Interim Update to fix Hybrid Configuration Wizard, you can install the Cumulative Update over it – there is no need to uninstall the IU prior to installing CU6.

This Cumulative Update includes schema and AD changes, so make sure you run PrepareSchema / PrepareAD. After updating, the schema version will be 15312. If you want to speed up the process, you can temporarily disable certificate revocation checking as described here.

Note that Cumulative Updates can be installed directly, i.e. no need to install RTM or Service Packs prior to installing Cumulative Updates. Note that once installed, you can’t uninstall a Cumulative Update nor any of the installed Exchange server roles. The order of upgrading servers is irrelevant, unlike with previous generations of Exchange.

Finally, and I can’t emphasize this enough: For any Hotfix, Rollup, Service Pack or Cumulative Update, I’d recommend to thoroughly test this in a test and acceptance environment first, prior to implementing it in production. When you lack such facilities, hold out a week or two and monitor the comments on the release article or TechNet forum for any issues.

You can download Exchange 2013 Cumulative Update 7 here; UM Language Packs can be found here.