Security Updates Exchange 2013-2019 (Mar2023)

Posted on March 14, 2023 by Michel de Rooij

The Exchange product group released March updates for Exchange Server 2013, 2016 and 2019. Be advised that the Exchange team also put out a notice for fixed vulnerability in Outlook (CVE-2023-23397), together with a supporting script to analyze mailboxes for this possible exploit (link), which is rather uncommon.

The vulnerability addressed in these Security Updates for Exchange Server is:

Vulnerability	Category	Severity	Rating
CVE-2022-21978	Remote Code Execution	Important	CVSS:3.1 8.8 / 7.7

The Security Updates for each supported Exchange Server build are linked below:

Exchange	Download	Build	KB	Supersedes
Exchange 2019 CU12	Download	15.2.1118.26	KB5024296	KB5023038
Exchange 2019 CU11	Download	15.2.986.42	KB5024296	KB5023038
Exchange 2016 CU23	Download	15.1.2507.23	KB5024296	KB5023038
Exchange 2013 CU23	Download	15.0.1497.48	KB5024296	KB5023038

Note: As mentioned last month, be advised that Exchange Server 2013 support will end in April, 2023. This means: Exchange 2013 will stop to receive security updates. Recommendation is to upgrade to a more recent version, or move to Exchange Online.

Other Issues
Apart from security fixes, these SUs also fix the following:

Issue	Exchange 2013	Exchange 2016	Exchange 2019
You can’t access Toolbox on Exchange after enabling EnableSerializationDataSigning	Yes	Yes	Yes
EEMS stops responding after TLS endpoint certificate update	Yes	Yes	Yes
Get-App and GetAppManifests fail and return an exception	Yes	Yes	Yes
EWS does not respond and returns an exception	Yes	Yes	Yes
An exception is returned while opening a template in the Exchange Toolbox	Yes	Yes	Yes

Notes:

Security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU12 to Exchange 2019 CU11. When downloading, the security update will carry the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level when archiving it, e.g. Exchange2019-CU12-KBXXXXXX-x64-en.msp.
Similar to Cumulative Updates, Security Updates are cumulative and you only need to install the latest SU for your CU.
Exchange servers running as part of hybrid deployment are managed through PowerShell, and thus need to be receive this patch and eventually be enabled for payload signing.
If you have installed the Exchange Management Tools separately for managing your on-premises Exchange Servers, or installed it after removal of the Last Exchange Server for recipient management, it is recommended to apply the Security Update.

On a final note, as with any patch or update, I’d recommend to apply this in a test environment first, prior to implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it concerns security updates, and follow a more agile approach; the ratings are an indication of the urgency.

Security Updates Exchange 2013-2019 (Feb2023)

Posted on February 15, 2023 by Michel de Rooij

[20Feb] Added information regarding issues reported.

The Exchange product group released February updates for Exchange Server 2013, 2016 and 2019.

The vulnerabilities addressed in these Security Updates are:

Vulnerability	Category	Severity	Rating
CVE-2023-21529	Remote Code Execution	Important	CVSS:3.1 8.8 / 7.7
CVE-2023-21706	Remote Code Execution	Important	CVSS:3.1 8.8 / 7.7
CVE-2023-21707	Remote Code Execution	Important	CVSS:3.1 8.8 / 7.7
CVE-2023-21710	Remote Code Execution	Important	CVSS:3.1 7.2 / 6.3

The Security Updates for each supported Exchange Server build are linked below:

Exchange	Download	Build	KB	Supersedes
Exchange 2019 CU12	Download	15.2.1118.25	KB5023038	KB5022193
Exchange 2019 CU11	Download	15.2.986.41	KB5023038	KB5022193
Exchange 2016 CU23	Download	15.1.2507.21	KB5023038	KB5022143
Exchange 2013 CU23	Download	15.0.1497.47	KB5023038	KB5022188

Other Issues
Apart from security fixes, these SUs also fix the following:

Issue	Exchange 2013	Exchange 2016	Exchange 2019
Export-UMPrompt fails with InvalidResponseException	Yes	Yes	N/A
Edge Transport service returns an “EseNtOutOfSessions” Exception	Yes	Yes	Yes
Exchange services in automatic startup mode do not start automatically	Yes	Yes	Yes
Data source returns incorrect checkpoint depth	Yes	Yes	Yes
Serialization fails while tried accessing Mailbox Searches in ECP	Yes	Yes	Yes
Transport delivery service mishandles iCAL events	Yes	Yes	Yes

Notes:

Security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU12 to Exchange 2019 CU11. When downloading, the security update will carry the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level when archiving it, e.g. Exchange2019-CU12-KBXXXXXX-x64-en.msp.
Similar to Cumulative Updates, Security Updates are cumulative and you only need to install the latest SU for your CU.
Exchange servers running as part of hybrid deployment are managed through PowerShell, and thus need to be receive this patch and eventually be enabled for payload signing.
If you have installed the Exchange Management Tools separately for managing your on-premises Exchange Servers, or installed it after removal of the Last Exchange Server for recipient management, it is recommended to apply the Security Update.

[20Feb] Shortly after release, people reported through the comments that EWS started having issues after deploying the security update. Symptoms reported were problems with (server side) searches, add-ins not loading, and calendar operations such as scheduling or sharing taking a long time to load. Since it’s EWS having problems, applications depending on this protocol also may stop to work, such as Teams.

Meanwhile, Microsoft acknowledged an issue with the initial publication, and published workaround. If experience issues and see the event 4999 in your Eventlog:

E12IIS, c-RTL-AMD64, 15.01.2507.021, w3wp#MSExchangeServicesAppPool, M.Exchange.Diagnostics, M.E.D.ChainedSerializationBinder.EnforceBlockReason, M.E.Diagnostics.BlockedDeserializeTypeException, 437c-dumptidset, 15.01.2507.021.

follow the instructions in the following KB article link:

On each Exchange server, create a registry key
New-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15\Diagnostics -Name 'DisableBaseTypeCheckForDeserialization' -Value 1 -Type String
Create a global override setting
New-SettingOverride -Name 'Adding learning location ClientExtensionCollectionFormatter' -Component Data -Section DeserializationBinderSettings -Parameters @('LearningLocations=ClientExtensionCollectionFormatter') -Reason 'Deserialization failed'
If you cannot wait until the override configuration kicks in (may take an one hour), refresh it manually:
- Get-ExchangeDiagnosticInfo -Process Microsoft.Exchange.Directory.TopologyService -Component VariantConfiguration -Argument Refresh
- Restart IIS and the Windows Activation Proces on each server
  Restart-Service -Name W3SVC, WAS -Force

Be advised that event 4999 might still show up in your Eventlog, and it has been reported that this might not completely does away with the issues reported. Keep an eye on the original post and EHLO blog for any future updates.

Security Updates Exchange 2013-2019 (Jan2023)

Posted on January 10, 2023 by Michel de Rooij

The Exchange product group released January updates for Exchange Server 2013, 2016 and 2019.

The vulnerabilities addressed in these Security Updates are:

Vulnerability	Category	Severity	Rating
CVE-2023-21764	Elevation of Privilege	Important	CVSS:3.1 7.8 / 6.8
CVE-2023-21763	Elevation of Privilege	Important	CVSS:3.1 7.8 / 6.8
CVE-2023-21745	Spoofing	Important	CVSS:3.1 8.8 / 7.9
CVE-2023-21762	Spoofing	Important	CVSS:3.1 8.0 / 7.0
CVE-2023-21761	Information Disclosure	Important	CVSS:3.1 7.5 / 6.5

The Security Updates for each Exchange Server version are linked below. Note that only CVE-2023-21762 applies to Exchange Server 2013:

Exchange	Download	Build	KB	Supersedes
Exchange 2019 CU12	Download	15.2.1118.21	KB5022193	KB5019758
Exchange 2019 CU11	Download	15.2.986.37	KB5022193	KB5019758
Exchange 2016 CU23	Download	15.1.2507.17	KB5022143	KB5019758
Exchange 2013 CU23	Download	15.0.1497.45	KB5022188	KB5019758

In case you are wondering why Exchange Server 2016 CU22 is not mentioned: CU22 went out of support, and only CU23 will continue to receive security updates. On another note, Exchange 2013 support will end in April, 2023, meaning it it will stop receiving security updates. Recommendation is to upgrade to a more recent version.

Payload Serialization Signing
Apart from fixing security issues, these SUs also introduce support for certificate-based signing of PowerShell serialization payloads. TLDR; it allows for signing data to identify possible tampering. More info on the topic here. The process is explained at https://aka.ms/HC-SerializedDataSigning. In order to verify or configure signing, a script has been published here, or check here if you prefer manual steps. Note that all your Exchange servers need to run this SU before you enable signing, as each Exchange server needs to understand the signing.

Other Issues
Apart from security fixes, these SUs also fix the following:

Issue	Ex2013	Ex2016	Ex2019
Store Worker Process stops and returns “System.NullReferenceExceptions” multiple times per day		Yes	Yes
Can’t record or play in Exchange Unified Messaging	Yes	Yes
Exchange Application log is flooded with Event ID 6010		Yes

Security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU12 to Exchange 2019 CU11. When downloading, the security update will carry the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level when archiving it, e.g. Exchange2019-CU12-KBXXXXXX-x64-en.msp.

Exchange servers running as part of hybrid deployment are managed through PowerShell, and thus need to be receive this patch and eventually be enabled for payload signing. If you are running Exchange 2019 Management Tools-only (for recipient management), you do not need to deploy this SU.

Security Updates Exchange 2013-2019 (Nov2022)

Posted on November 8, 2022 by Michel de Rooij

The Exchange product group released November updates for Exchange Server 2013, 2016 and 2019. Note that these Security Updates address the vulnerabilities CVE-2022-41040 and CVE-2022-41082 that were reported end of September. More on those in an earlier post.

Note: You can keep the current URLScan mitigations in-place, and remove them after installing these security updates at your convenience. The recommendation to disable Remote PowerShell for non-admins is upheld, but this is best practice regardless.

The vulnerabilities addressed in these Security Updates are:

Vulnerability	Category	Severity	Rating
CVE-2022-41040	Elevation of Privilege	Critical	CVSS:3.1 8.8 / 7.9
CVE-2022-41082	Elevation of Privilege	Important	CVSS:3.1 8.8 / 8.3
CVE-2022-41078	Elevation of Privilege	Important	CVSS:3.1 8.0 / 7.0
CVE-2022-41123	Elevation of Privilege	Important	CVSS:3.1 7.8 / 6.8
CVE-2022-41079	Elevation of Privilege	Important	CVSS:3.1 8.0 / 7.0
CVE-2022-41080	Elevation of Privilege	Critical	CVSS:3.1 8.8 / 7.7

The following Security Updates address these vulnerability for the Exchange builds mentioned, with the exception of CVE-2022-41123 which does not apply to Exchange Server 2013:

Exchange	Download	Build	KB	Supersedes
Exchange 2019 CU12	Download	15.2.1118.20	KB5019758	KB5019077
Exchange 2019 CU11	Download	15.2.986.36	KB5019758	KB5019077
Exchange 2016 CU23	Download	15.1.2507.16	KB5019758	KB5019077
Exchange 2016 CU22	Download	15.1.2375.37	KB5019758	KB5019077
Exchange 2013 CU23	Download	15.0.1497.44	KB5019758	KB5019076

In case you missed it, per the Security Updates of August, you can enable Windows Extended Protection for increased protection against certain vulnerabilities. More information this process and its requirements can be found in the post on the August updates here.

Security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU12 to Exchange 2019 CU11. Also, the security update download has the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level, e.g. Exchange2019-CU12-KBXXXXXX-x64-en.msp.

Exchange servers running as part of hybrid deployment are running services, and thus need to be included in the patch cycle. If you are running Exchange 2019 CU12 Management Tools-only (for recipient management), you do not need to deploy this SU.

Security Updates Exchange 2013-2019 (Oct2022)

Posted on October 11, 2022 by Michel de Rooij

The Exchange product group released October updates for Exchange Server 2013, 2016 and 2019. Note that these Security Updates do NOT address the vulnerabilities CVE-2022-41040 and CVE-2022-41082 that have been reported on since end of September. For now, mitigate those by follow the instructions mentioned an earlier post here.

The vulnerabilities addressed in these Security Updates are mostly the same as the ones addressed by the Security Updates of August, with the exception of CVE-2022-34692. Also, the CVSS rating of CVE-2022-30134 has been adjusted:

Vulnerability	Category	Severity	Rating
CVE-2022-21979	Information Disclosure	Important	CVSS:3.1 4.8 / 4.2
CVE-2022-21980	Elevation of Privilege	Critical	CVSS:3.1 8.0 / 7.0
CVE-2022-24477	Elevation of Privilege	Critical	CVSS:3.1 8.0 / 7.0
CVE-2022-24516	Elevation of Privilege	Critical	CVSS:3.1 8.0 / 7.0
CVE-2022-30134	Elevation of Privilege	Important	CVSS:3.1 6.5 / 5.7 (was CVSS:3.1 7.6 / 6.6)

The following Security Updates address these vulnerability for the Exchange builds mentioned:

Exchange	Download	Build	KB	Supersedes
Exchange 2019 CU12	Download	15.2.1118.15	KB5019077	KB5015322
Exchange 2019 CU11	Download	15.2.986.30	KB5019077	KB5015322
Exchange 2016 CU23	Download	15.1.2507.13	KB5019077	KB5015322
Exchange 2016 CU22	Download	15.1.2375.32	KB5019077	KB5015322
Exchange 2013 CU23	Download	15.0.1497.42	KB5019076	KB5015321

Be advised that these security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU12 to Exchange 2019 CU11. Also, the security update download has the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level, e.g. Exchange2019-CU12-KBXXXXXX-x64-en.msp.

Security Updates Exchange 2013-2019 (Aug2022)

Posted on August 9, 2022 by Michel de Rooij

The Exchange product group released Augustus updates for Exchange Server 2013, 2016 and 2019.

Note that per the previous May cycle, Security Updates will be packaged in an executable wrapper. This should trigger the running elevated prompt, thus preventing any potential issues when admins simply double-click the .MSP file. More about the new package format, options for logging and command-line switches are mentioned in an article dedicated to the change of distribution method here.

Windows Extended Protection
Special attention in this cycle for Windows Extended Protection, which needs to be enabled to address certain vulnerabilities. WEP is ONLY supported for specific versions of Exchange server – see the documentation for details regarding requirements and known issues. TLDR; – list might change over time, consult the pages linked earlier:

Requirements
- Supported on Exchange 2013 CU23, Exchange 2016 CU22 and Exchange Server 2019 CU11 or later, with the August 2022 Security Updates installed.
- Cannot be enabled on Exchange Server 2013 servers hosting Public Folders in co-existence with Exchange 2016/2019.
- Cannot be enabled on Exchange 2016 CU22 or Exchange 2019 CU11 or older hosting a Public Folder Hierarchy.
- Does not work with hybrid servers using Modern Hybrid configuration.
- SSL Offloading scenarios are currently not supported.
- Consistent TLS configuration is required across all Exchange servers.
Known Issues
- Retention Policies using action Move to Archive stops working.
- In Exchange 2013, the MAPI over HTTP probe OutlookMapiHttpCtpProbe might show FAILED.

To perform prerequisite checks and implement WEP, a supporting script ExchangeExtendedProtectionManagement.ps1 has been published. Since enabling WEP impacts how clients and Exchange server communicates, it is highly recommended to test this first on your specific configuration, especially with 3rd party products, before enabling it in production.

Security Updates
So, on with the security updates. The vulnerabilities addressed in the Security Updates for August are:

Vulnerability	Category	Severity	Rating
CVE-2022-21979	Information Disclosure	Important	CVSS:3.1 4.8 / 4.2
CVE-2022-21980	Elevation of Privilege	Critical	CVSS:3.1 8.0 / 7.0
CVE-2022-24477	Elevation of Privilege	Critical	CVSS:3.1 8.0 / 7.0
CVE-2022-24516	Elevation of Privilege	Critical	CVSS:3.1 8.0 / 7.0
CVE-2022-30134	Elevation of Privilege	Important	CVSS:3.1 7.6 / 6.6
CVE-2022-34692	Information Disclosure	Important	CVSS:3.1 5.3 / 4.6

The following Security Updates address this vulnerability:

Exchange	Download	Build	KB	Supersedes
Exchange 2019 CU12	Download	15.2.1118.12	KB5015322	KB5014261
Exchange 2019 CU11	Download	15.2.986.29	KB5015322	KB5014261
Exchange 2016 CU23	Download	15.1.2507.12	KB5015322	KB5014261
Exchange 2016 CU22	Download	15.1.2375.31	KB5015322	KB5014261
Exchange 2013 CU23	Download	15.0.1497.40	KB5015321	KB5014260

These Security Updates also fix the following issues:

KB5017261 Start-DatabaseAvailabilityGroup fails with BlockedDeserializeTypeException
KB5017430 E-Discovery search fails in Exchange Online

Security Updates Exchange 2013-2019 (Mar2022)

Posted on March 8, 2022 by Michel de Rooij

The Exchange PG released March updates for Exchange Server 2013, 2016 and 2019. More detailed information on patching and how to get current when running an earlier CU of Exchange, can be found at the original blog post here.

The vulnerabilities addressed in these security updates are:

Vulnerability	Category	Severity	Rating
CVE-2022-23277	Remote Code Execution	Critical	CVSS:3.1 8.8 / 7.7
CVE-2022-24463	Spoofing	Important	CVSS:3.1 6.5 / 5.7

These vulnerabilities are addressed in the following security updates below. The exception is KB5010324 which does not fix CVE-2022-24463 for Exchange 2013. If this is because of the severity classification or the problem being non-existent for Exchange 2013, has not been not disclosed.

Exchange	Download	Build	KB	Supersedes
Exchange 2019 CU11	Download	15.2.986.22	KB5012698	KB5008631
Exchange 2019 CU10	Download	15.2.922.27	KB5012698	KB5008631
Exchange 2016 CU22	Download	15.1.2375.24	KB5012698	KB5008631
Exchange 2016 CU21	Download	15.1.2308.27	KB5012698	KB5008631
Exchange 2013 CU23	Download	15.0.1497.33	KB5010324	KB5008631

Finally, KB5010324 also contains the following additional fix for Exchange 2013:

5012925 RFC certificate timestamp validation in Exchange Server 2013

Be advised that these security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU11 to Exchange 2019 CU10. Also, the security update download has the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level, e.g. Exchange2019-CU10-KBXXXXXX-x64-en.msp.

As a reminder, run the Security Update from an elevated command prompt to prevent issues during installation. In other words: Do not just double-click on the .MSP file. And on a final note, as with any patch or update, I’d recommend to apply this in a test environment first, prior to implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it concerns security updates, and follow a more agile approach; the ratings are an indication of the urgency.

Security Updates Exchange 2013-2019 (Jan2022)

Posted on January 11, 2022 by Michel de Rooij

Another year, another Patch Tuesday! A quick blog on January 2022’s security updates for Exchange Server 2013 up to 2019.

The vulnerabilities addressed in these security updates are:

Vulnerability	Category	Severity	Rating
CVE-2022-21969	Remote Code Execution	Important	CVSS:3.1 9.0 / 7.8
CVE-2022-21855	Remote Code Execution	Important	CVSS:3.1 9.0 / 7.8
CVE-2022-21846	Remote Code Execution	Critical	CVSS:3.0 9.0 / 7.8

Vulnerabilities mentioned in the table above are addressed in the following security updates.

Exchange	Download	Build	KB	Supersedes
Exchange 2019 CU11	Download	15.2.986.15	KB5008631	KB5007409
Exchange 2019 CU10	Download	15.2.922.20	KB5008631	KB5007409
Exchange 2016 CU22	Download	15.1.2375.18	KB5008631	KB5007409
Exchange 2016 CU21	Download	15.1.2308.21	KB5008631	KB5007409
Exchange 2013 CU23	Download	15.0.1497.28	KB5008631	KB5007409

More detailed information can be found at the original blog post here. The security update also fixes the OWA redirection problem for Exchange hybrid deployments introduced with the November security updates.

Security Updates Exchange 2013-2019 (Nov2021)

Posted on November 9, 2021 by Michel de Rooij

Another month, another Patch Tuesday! A quick blog on November’s security updates for Exchange Server 2013 up to 2019. The vulnerabilities addressed in these security updates are:

Vulnerability	Category	Severity	Rating
CVE-2021-42321	Remote Code Execution	Important	CVSS:3.1 8.8 / 7.7
CVE-2021-42305	Spoofing	Important	CVSS:3.1 6.5 / 5.7
CVE-2021-41349	Spoofing	Important	CVSS:3.1 6.5 / 5.7

Vulnerabilities mentioned in the table above are addressed in the following security updates. Exception is Exchange 2013 CU23 which seemingly only gets fixed for CVE-2021-26427; it is unclear if that is because of Exchange 2013’s lifecycle phase or because the problem does not exist in those builds.

Exchange	Download	Build	KB	Supersedes
Exchange 2019 CU11	Download	15.2.986.14	KB5007409	KB5007012, KB5007011
Exchange 2019 CU10	Download	15.2.922.19	KB5007409	KB5007012, KB5007011
Exchange 2016 CU22	Download	15.1.2375.17	KB5007409	KB5007012, KB5007011
Exchange 2016 CU21	Download	15.1.2308.20	KB5007409	KB5007012, KB5007011
Exchange 2013 CU23	Download	15.0.1497.26	KB5007409	KB5007012, KB5007011

More detailed information can be found at the original blog post here. Check the KB articles for any known release notes, such as the possible cross-forest Free/Busy issue and HTTP headers containing version information.

Security Updates Exchange 2013-2019 (Oct2021)

Posted on October 12, 2021 by Michel de Rooij

Welcome to another Patch Tuesday! A quick blog on October’s security updates for Exchange Server 2013 up to 2019.

The vulnerabilities addressed in these security updates are:

Vulnerability	Category	Severity	Rating
CVE-2021-26427	Remote Code Execution	Important	CVSS:3.0 9.0 / 7.8
CVE-2021-41350	Spoofing	Important	CVSS:3.0 6.5 / 5.7
CVE-2021-41348	Elevation of Privilege	Important	CVSS:3.0 8.0 / 7.0
CVE-2021-34453	Denial of Service	Important	CVSS:3.0 7.5 / 6.5

Exchange	Download	Build	KB
Exchange 2019 CU11	Download	15.2.986.9	KB5007012
Exchange 2019 CU10	Download	15.2.922.14	KB5007012
Exchange 2016 CU22	Download	15.1.2375.12	KB5007012
Exchange 2016 CU21	Download	15.1.2308.15	KB5007012
Exchange 2013 CU23	Download	15.0.1497.24	KB5007011