Despite the quarterly wave of Cumulative Updates being imminent, CVE-2017-11932 and ADV170023 warranted a quick release of Security Update KB4045655 for current versions of Exchange 2013 and Exchange 2016.
This security update fixes a vulnerability in OWA, which could allow elevation of privilege or spoofing if an attacker sends an email that has a specially crafted attachment to a vulnerable Exchange server.
You can download the security updates here:
Be advised the update may leave your Exchange services in a disabled state, despite installing correctly. In those cases, reconfigure those services to Automatic and start them manually.
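As an added example, not part of the original post, the following PowerShell (run in an elevated Windows PowerShell on the Exchange server) finds Exchange services the security update left Disabled, sets them back to Automatic and starts them; it supports -WhatIf so you can review the list first. The service name patterns are an assumption: MSExchange* covers the Exchange services, and W3SVC and WinMgmt are included because OWA/ECP and Health Manager depend on them.

```powershell
# Added example: repair Exchange services that a security update left Disabled.
# Assumed service name patterns (not from the post): MSExchange*, W3SVC, WinMgmt.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

$servicePatterns = @('MSExchange*', 'W3SVC', 'WinMgmt')

# Win32_Service exposes StartMode (Auto/Manual/Disabled), which Get-Service on
# older PowerShell versions (e.g. Server 2012 R2) does not.
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object {
        $name = $_.Name
        ($servicePatterns | Where-Object { $name -like $_ }).Count -gt 0
    }

# Only Disabled services are touched; MSExchangePOP3/IMAP4 are Manual by default
# and are left alone. Review the output before applying without -WhatIf.
$disabled = $services | Where-Object { $_.StartMode -eq 'Disabled' }
if (-not $disabled) {
    Write-Host "No matching services are disabled on $env:COMPUTERNAME."
    return
}

foreach ($svc in $disabled) {
    if ($PSCmdlet.ShouldProcess($svc.Name, 'Set startup type to Automatic and start')) {
        Set-Service -Name $svc.Name -StartupType Automatic
        Start-Service -Name $svc.Name
        $state = (Get-Service -Name $svc.Name).Status
        Write-Host ("{0}: startup type Automatic, current state {1}" -f $svc.Name, $state)
    }
}
```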
Also note that this security update overrides an earlier update, KB4036108, which might cause Calendar Sharing issues when split DNS is used.
Security updates are Cumulative Update level specific. Be advised that updates may carry the same name, e.g. the update for CU7 and the one for CU6 are both Exchange2016-KB4045655-x64-en.msp. I suggest adding some form of Cumulative Update identification to the file name when archiving it, e.g. Exchange2016-KB4045655-x64-en-CU7.msp.
As with any patch or update, I’d recommend thoroughly testing this in a test and acceptance environment first, prior to implementing it in production.
Honeymoon caused some backlog, and one of the things to post was that the Exchange Team released the September updates for Exchange Server 2013 and 2016. Like the previous Cumulative Updates for these Exchange versions, Exchange 2013 CU18 and Exchange 2016 CU7 require .NET Framework 4.6.2; .NET Framework 4.7.1 is currently being tested (4.7 will be skipped), and support for 4.7.1 is expected for the December updates.
Exchange 2016 CU7 fixes:
Exchange 2013 CU18 fixes:
- KB4040755 New health monitoring mailbox for databases is created when Health Manager Service is restarted in Exchange Server 2013
- KB4040121 You receive a corrupted attachment if email is sent from Outlook that connects to Exchange Server in cache mode
- KB4040120 Synchronization may fail when you use the OAuth protocol for authorization through EAS in Exchange Server 2013
- KB4036108 Security update for Microsoft Exchange: September 12, 2017
- Exchange 2016 CU7 requires Forest Functionality Level 2008R2 or later.
- Exchange 2016 CU7 includes schema changes, but Exchange 2013 CU18 does not. However, Exchange 2013 CU17 may introduce RBAC changes in your environment. Where applicable, use setup /PrepareSchema to update the schema or /PrepareAD to apply RBAC changes, before deploying or updating Exchange servers. To verify this step has been performed, consult the Exchange schema overview.
- When upgrading your Exchange 2013 or 2016 installation, don’t forget to put the server in maintenance mode when required. Regardless, setup will put the server in server-wide offline mode post-analysis, before making actual changes.
- Using Windows Management Framework (WMF)/PowerShell version 5 or later on anything earlier than Windows Server 2016 is not supported. Don’t install WMF5 on your Exchange servers running on Windows Server 2012 R2 or earlier.
- .NET Framework 4.7.1 is being tested by the Exchange Team, but neither .NET Framework 4.7.1 nor .NET Framework 4.7 is supported at this time.
- When using Exchange hybrid deployments or Exchange Online Archiving (EOA), you are required to stay at most one version behind (n-1).
- If you want to speed up the update process for systems without internet access, you can follow the procedure described here to disable publisher’s certificate revocation checking.
- Cumulative Updates can be installed directly, i.e. no need to install RTM prior to installing Cumulative Updates.
- Once installed, you can’t uninstall a Cumulative Update nor any of the installed Exchange server roles.
- The order in which you upgrade servers with Cumulative Updates is irrelevant.
Caution: As for any update, I recommend thoroughly testing updates in a test environment prior to implementing them in production. When you lack such facilities, hold out a few days and monitor the comments on the original publication or forums for any issues.
Today, Cumulative Update 7 for Exchange Server 2013 was released by the Exchange Team (KB2986485). This update raises the Exchange 2013 version number to 15.0.1044.25.
Note: Customers that run backups of their Exchange databases are advised to upgrade to CU7 and perform a post-upgrade full backup. This is due to a race condition which could prevent proper restoration of pre-CU7 Exchange databases.
This Cumulative Update contains a security update to fix a potential elevation of privilege issue (bulletin MS14-075), as well as the following fixes:
- Exchange Server meetings in Russian time zones as well as names of time zones are incorrect after October 26, 2014
- New-MailboxImportRequest causes unreadable characters when you import an ANSI format .pst file of Russian language
- CalendarProcessing cmdlet does not generate delegate permissions to universal security groups in Exchange Server 2013
- Advanced Find against the Sent Items folder in Outlook returns no result in Exchange Server 2013
- Outlook Web App shows organization details on the contact card beyond the scope of user ABP in Exchange Server 2013
- Shared mailbox cannot be opened in Outlook in an Exchange Server 2013 environment that has multiple domains
- Cannot edit or delete forms from the organizational forms library in Exchange Server 2013
- User who is trying to log on to Exchange Admin Console is logged in to OWA instead
- Move request fails if the IsExcludedFromProvisioning option is true in Exchange Server 2013
- Exchange Server 2013 Cumulative Update 5 breaks free|busy lookup from Exchange Online to Exchange Server 2007
- RejectMessageReasonText in transport rule appears in the user section of a DSN in Exchange Server 2013
- TLS 1.0 is hardcoded for SMTP traffic encryption in Exchange Server 2013
- Distribution group cannot send email messages to a mail enabled public folder in an Exchange Server 2013 environment
- A cross-forest mailbox move from Exchange Server 2007 to Exchange Server 2013 finishes with CompletedWithWarnings status
- New-MoveRequest cmdlet with RemoteLegacy parameter cannot perform a cross-forest mailbox move
- Add-ADPermission and Remove-ADPermission can be run outside the management scope in Exchange Server 2013
- Exchange Control Panel crashes when you proxy from Exchange 2013 to Exchange 2010
- Cannot migrate mailboxes in a multiple domains environment in Exchange Server 2013
- ContentIndexRetryQueueSize value for a passive node never drops to zero in Exchange Server 2013 Cumulative Update 6
- Sound alerts do not work in Outlook Web App when new email or calendar notification is received in Exchange Server 2013
- Event ID 4999 and 4401 when the Microsoft Exchange Replication service crashes in Exchange Server 2013
- “550 5.7.1” NDR when you send messages to external recipients in an Exchange Server 2013 hybrid environment
- Cannot see online archive mailbox after you upgrade to Exchange Server 2013 Cumulative Update 6
- Subfolders under the Deleted Items folder are not visible in Outlook in an Exchange Server 2013 environment
- You cannot route ActiveSync traffic to Exchange 2007 mailboxes after you upgrade to Exchange 2013 CU6
- Exchange Online mailboxes cannot be managed by using EAC after you deploy Exchange Server 2013 CU6
- Exchange Server 2013 databases unexpectedly fail over in a co-existence environment with Exchange Server 2007
- OAB cannot be rebuilt if the .flt file is larger than two GB in Exchange Server 2013
- PublicFolderMoveRequest deletes all read or unread state in target mailbox for each user in Exchange Server 2013
- Resource Booking Assistant crashes after you upgrade to Exchange Server 2013 Cumulative Update 5
- Category setting on an item in Outlook jumps the selection to the top of the list in an Exchange Server 2013 environment
- MAPI virtual directory is missing from Default Web Site node
- When using Exchange hybrid deployments or Exchange Online Archiving (EOA), you are required to stay current.
- CU7 adds support for hierarchies containing 250,000 modern public folders. Consult this article for co-existence scenarios.
- Be advised of OAB architectural changes introduced with CU5 which are documented here. If you are affected, it is recommended to update CAS servers prior to Mailbox servers.
- If you have installed the Interim Update to fix Hybrid Configuration Wizard, you can install the Cumulative Update over it – there is no need to uninstall the IU prior to installing CU6.
This Cumulative Update includes schema and AD changes, so make sure you run PrepareSchema / PrepareAD. After updating, the schema version will be 15312. If you want to speed up the process, you can temporarily disable certificate revocation checking as described here.
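The schema check mentioned above (and the same verification step for the 2016 CU7 schema changes earlier in this post) can be scripted; the following is an added example, not code from the post or from the Exchange Team. It assumes the ActiveDirectory PowerShell module (RSAT-AD-PowerShell) is available and reads rangeUpper from ms-Exch-Schema-Version-Pt, which /PrepareSchema updates, plus objectVersion on the Exchange organization object, which /PrepareAD updates. 15312 is the value the post gives for Exchange 2013 CU7; substitute the value from the Exchange schema overview for the CU you are deploying.

```powershell
# Added example: verify /PrepareSchema has been run before updating Exchange servers.
# Assumes the ActiveDirectory module; the function name is my own.
Import-Module ActiveDirectory

function Test-ExchangeSchemaVersion {
    param(
        [Parameter(Mandatory = $true)][int]$ExpectedRangeUpper
    )
    $rootDse  = Get-ADRootDSE
    $schemaDn = "CN=ms-Exch-Schema-Version-Pt,$($rootDse.schemaNamingContext)"

    # rangeUpper on this attribute is the Exchange schema version set by /PrepareSchema.
    $rangeUpper = (Get-ADObject -Identity $schemaDn -Properties rangeUpper).rangeUpper

    # objectVersion on the organization container is raised by /PrepareAD.
    $exchServices = "CN=Microsoft Exchange,CN=Services,$($rootDse.configurationNamingContext)"
    $org = Get-ADObject -SearchBase $exchServices -SearchScope OneLevel `
        -LDAPFilter '(objectClass=msExchOrganizationContainer)' -Properties objectVersion

    [pscustomobject]@{
        SchemaRangeUpper   = $rangeUpper
        ExpectedRangeUpper = $ExpectedRangeUpper
        SchemaReady        = ($rangeUpper -ge $ExpectedRangeUpper)
        OrgObjectVersion   = $org.objectVersion
    }
}

# 15312 is the post's value for Exchange 2013 CU7; change it for other CUs.
$result = Test-ExchangeSchemaVersion -ExpectedRangeUpper 15312
$result | Format-List
if (-not $result.SchemaReady) {
    Write-Warning ("Schema is at {0}, expected {1}: run setup /PrepareSchema before updating servers." -f
        $result.SchemaRangeUpper, $result.ExpectedRangeUpper)
}
```

Schema changes replicate between domain controllers, so run this against the DC the Exchange servers use, or wait for replication before trusting a pass.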
Note that Cumulative Updates can be installed directly, i.e. no need to install RTM or Service Packs prior to installing Cumulative Updates. Note that once installed, you can’t uninstall a Cumulative Update nor any of the installed Exchange server roles. The order of upgrading servers is irrelevant, unlike with previous generations of Exchange.
Finally, and I can’t emphasize this enough: for any Hotfix, Rollup, Service Pack or Cumulative Update, I’d recommend thoroughly testing it in a test and acceptance environment first, prior to implementing it in production. When you lack such facilities, hold out a week or two and monitor the comments on the release article or TechNet forum for any issues.
You can download Exchange 2013 Cumulative Update 7 here; UM Language Packs can be found here.