Security Updates Exchange 2013-2019 (Aug2022)

Posted on August 9, 2022 by Michel de Rooij

The Exchange product group released Augustus updates for Exchange Server 2013, 2016 and 2019.

Note that per the previous May cycle, Security Updates will be packaged in an executable wrapper. This should trigger the running elevated prompt, thus preventing any potential issues when admins simply double-click the .MSP file. More about the new package format, options for logging and command-line switches are mentioned in an article dedicated to the change of distribution method here.

Windows Extended Protection
Special attention in this cycle for Windows Extended Protection, which needs to be enabled to address certain vulnerabilities. WEP is ONLY supported for specific versions of Exchange server – see the documentation for details regarding requirements and known issues. TLDR; – list might change over time, consult the pages linked earlier:

Requirements
- Supported on Exchange 2013 CU23, Exchange 2016 CU22 and Exchange Server 2019 CU11 or later, with the August 2022 Security Updates installed.
- Cannot be enabled on Exchange Server 2013 servers hosting Public Folders in co-existence with Exchange 2016/2019.
- Cannot be enabled on Exchange 2016 CU22 or Exchange 2019 CU11 or older hosting a Public Folder Hierarchy.
- Does not work with hybrid servers using Modern Hybrid configuration.
- SSL Offloading scenarios are currently not supported.
- Consistent TLS configuration is required across all Exchange servers.
Known Issues
- Retention Policies using action Move to Archive stops working.
- In Exchange 2013, the MAPI over HTTP probe OutlookMapiHttpCtpProbe might show FAILED.

To perform prerequisite checks and implement WEP, a supporting script ExchangeExtendedProtectionManagement.ps1 has been published. Since enabling WEP impacts how clients and Exchange server communicates, it is highly recommended to test this first on your specific configuration, especially with 3rd party products, before enabling it in production.

Security Updates
So, on with the security updates. The vulnerabilities addressed in the Security Updates for August are:

Vulnerability	Category	Severity	Rating
CVE-2022-21979	Information Disclosure	Important	CVSS:3.1 4.8 / 4.2
CVE-2022-21980	Elevation of Privilege	Critical	CVSS:3.1 8.0 / 7.0
CVE-2022-24477	Elevation of Privilege	Critical	CVSS:3.1 8.0 / 7.0
CVE-2022-24516	Elevation of Privilege	Critical	CVSS:3.1 8.0 / 7.0
CVE-2022-30134	Elevation of Privilege	Important	CVSS:3.1 7.6 / 6.6
CVE-2022-34692	Information Disclosure	Important	CVSS:3.1 5.3 / 4.6

The following Security Updates address this vulnerability:

Exchange	Download	Build	KB	Supersedes
Exchange 2019 CU12	Download	15.2.1118.12	KB5015322	KB5014261
Exchange 2019 CU11	Download	15.2.986.29	KB5015322	KB5014261
Exchange 2016 CU23	Download	15.1.2507.12	KB5015322	KB5014261
Exchange 2016 CU22	Download	15.1.2375.31	KB5015322	KB5014261
Exchange 2013 CU23	Download	15.0.1497.40	KB5015321	KB5014260

These Security Updates also fix the following issues:

KB5017261 Start-DatabaseAvailabilityGroup fails with BlockedDeserializeTypeException
KB5017430 E-Discovery search fails in Exchange Online

Be advised that these security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU12 to Exchange 2019 CU11. Also, the security update download has the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level, e.g. Exchange2019-CU12-KBXXXXXX-x64-en.msp.

Exchange servers running as part of hybrid deployment are running services, and thus need to be included in the patch cycle. If you are running Exchange 2019 CU12 Management Tools-only (for recipient management), you do not need to deploy this SU.

On a final note, as with any patch or update, I’d recommend to apply this in a test environment first, prior to implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it concerns security updates, and follow a more agile approach; the ratings are an indication of the urgency.

Security Updates Exchange 2013-2019 (Mar2022)

Posted on March 8, 2022 by Michel de Rooij

The Exchange PG released March updates for Exchange Server 2013, 2016 and 2019. More detailed information on patching and how to get current when running an earlier CU of Exchange, can be found at the original blog post here.

The vulnerabilities addressed in these security updates are:

Vulnerability	Category	Severity	Rating
CVE-2022-23277	Remote Code Execution	Critical	CVSS:3.1 8.8 / 7.7
CVE-2022-24463	Spoofing	Important	CVSS:3.1 6.5 / 5.7

These vulnerabilities are addressed in the following security updates below. The exception is KB5010324 which does not fix CVE-2022-24463 for Exchange 2013. If this is because of the severity classification or the problem being non-existent for Exchange 2013, has not been not disclosed.

Exchange	Download	Build	KB	Supersedes
Exchange 2019 CU11	Download	15.2.986.22	KB5012698	KB5008631
Exchange 2019 CU10	Download	15.2.922.27	KB5012698	KB5008631
Exchange 2016 CU22	Download	15.1.2375.24	KB5012698	KB5008631
Exchange 2016 CU21	Download	15.1.2308.27	KB5012698	KB5008631
Exchange 2013 CU23	Download	15.0.1497.33	KB5010324	KB5008631

Finally, KB5010324 also contains the following additional fix for Exchange 2013:

5012925 RFC certificate timestamp validation in Exchange Server 2013

Be advised that these security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU11 to Exchange 2019 CU10. Also, the security update download has the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level, e.g. Exchange2019-CU10-KBXXXXXX-x64-en.msp.

As a reminder, run the Security Update from an elevated command prompt to prevent issues during installation. In other words: Do not just double-click on the .MSP file. And on a final note, as with any patch or update, I’d recommend to apply this in a test environment first, prior to implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it concerns security updates, and follow a more agile approach; the ratings are an indication of the urgency.

Security Updates Exchange 2013-2019 (Jan2022)

Posted on January 11, 2022 by Michel de Rooij

Another year, another Patch Tuesday! A quick blog on January 2022’s security updates for Exchange Server 2013 up to 2019.

The vulnerabilities addressed in these security updates are:

Vulnerability	Category	Severity	Rating
CVE-2022-21969	Remote Code Execution	Important	CVSS:3.1 9.0 / 7.8
CVE-2022-21855	Remote Code Execution	Important	CVSS:3.1 9.0 / 7.8
CVE-2022-21846	Remote Code Execution	Critical	CVSS:3.0 9.0 / 7.8

Vulnerabilities mentioned in the table above are addressed in the following security updates.

Exchange	Download	Build	KB	Supersedes
Exchange 2019 CU11	Download	15.2.986.15	KB5008631	KB5007409
Exchange 2019 CU10	Download	15.2.922.20	KB5008631	KB5007409
Exchange 2016 CU22	Download	15.1.2375.18	KB5008631	KB5007409
Exchange 2016 CU21	Download	15.1.2308.21	KB5008631	KB5007409
Exchange 2013 CU23	Download	15.0.1497.28	KB5008631	KB5007409

More detailed information can be found at the original blog post here. The security update also fixes the OWA redirection problem for Exchange hybrid deployments introduced with the November security updates.

Security Updates Exchange 2013-2019 (Nov2021)

Posted on November 9, 2021 by Michel de Rooij

Another month, another Patch Tuesday! A quick blog on November’s security updates for Exchange Server 2013 up to 2019. The vulnerabilities addressed in these security updates are:

Vulnerability	Category	Severity	Rating
CVE-2021-42321	Remote Code Execution	Important	CVSS:3.1 8.8 / 7.7
CVE-2021-42305	Spoofing	Important	CVSS:3.1 6.5 / 5.7
CVE-2021-41349	Spoofing	Important	CVSS:3.1 6.5 / 5.7

Vulnerabilities mentioned in the table above are addressed in the following security updates. Exception is Exchange 2013 CU23 which seemingly only gets fixed for CVE-2021-26427; it is unclear if that is because of Exchange 2013’s lifecycle phase or because the problem does not exist in those builds.

Exchange	Download	Build	KB	Supersedes
Exchange 2019 CU11	Download	15.2.986.14	KB5007409	KB5007012, KB5007011
Exchange 2019 CU10	Download	15.2.922.19	KB5007409	KB5007012, KB5007011
Exchange 2016 CU22	Download	15.1.2375.17	KB5007409	KB5007012, KB5007011
Exchange 2016 CU21	Download	15.1.2308.20	KB5007409	KB5007012, KB5007011
Exchange 2013 CU23	Download	15.0.1497.26	KB5007409	KB5007012, KB5007011

More detailed information can be found at the original blog post here. Check the KB articles for any known release notes, such as the possible cross-forest Free/Busy issue and HTTP headers containing version information.

Security Updates Exchange 2013-2019 (Oct2021)

Posted on October 12, 2021 by Michel de Rooij

Welcome to another Patch Tuesday! A quick blog on October’s security updates for Exchange Server 2013 up to 2019.

The vulnerabilities addressed in these security updates are:

Vulnerability	Category	Severity	Rating
CVE-2021-26427	Remote Code Execution	Important	CVSS:3.0 9.0 / 7.8
CVE-2021-41350	Spoofing	Important	CVSS:3.0 6.5 / 5.7
CVE-2021-41348	Elevation of Privilege	Important	CVSS:3.0 8.0 / 7.0
CVE-2021-34453	Denial of Service	Important	CVSS:3.0 7.5 / 6.5

Exchange	Download	Build	KB
Exchange 2019 CU11	Download	15.2.986.9	KB5007012
Exchange 2019 CU10	Download	15.2.922.14	KB5007012
Exchange 2016 CU22	Download	15.1.2375.12	KB5007012
Exchange 2016 CU21	Download	15.1.2308.15	KB5007012
Exchange 2013 CU23	Download	15.0.1497.24	KB5007011