The Exchange Team released the quarterly Cumulative Updates for Exchange Server 2019 as well as Exchange 2016. Be advised that Exchange 2016 will receive its final CU in March, 2021.

Links to the updates as well as a description of changes and fixes are described below.

Exchange 2019 CU8 fixes:

• 4588297 Attachments can’t be downloaded or previewed from Outlook Web App
• 4583531 Design change about inline images will be forced to download but not open in a new tab of OWA in Exchange Server 2019
• 4583532 ELC MRM archiving fails due to DomainName in AuthServer in Exchange Server 2019
• 4583533 Exchange Server 2019 installation fails with error “The user has insufficient access rights” 
• 4583534 Event ID 65535 System.Runtime.Serialization errors in Application log in Exchange Server 2019
• 4583535 New-Moverequest, Resume-Moverequest, and Remove-Moverequest not logged in Audit logs in Exchange Server 2019
• 4583536 Set-MailboxFolderPermission is included in Mail Recipient Creation in Exchange Server 2019
• 4583537 Update Korean word breaker in Exchange Server 2019
• 4583538 Microsoft Teams REST calls exceed the default value of maxQueryStringLength in Exchange Server 2019
• 4583539 Non-breaking space is visible in message body in Outlook in Exchange Server 2019
• 4583542 Server assisted search in Outlook doesn’t return more than 175 items in Exchange Server 2019
• 4583544 Lots of LDAP requests for FE MAPI w3wp lead to DDoS on DCs in Exchange Server 2019
• 4583545 Make DomainName in Authserver a multivalued parameter in Exchange Server 2019
• 4593465 Description of the security update for Microsoft Exchange Server 2019 and 2016: December 8, 2020

Exchange 2016 CU19 fixes:

• 4588297 Attachments can’t be downloaded or previewed from Outlook Web App
• 4583531 Design change about inline images will be forced to download but not open in a new tab of OWA in Exchange Server 2016
• 4583532 ELC MRM archiving fails due to DomainName in AuthServer in Exchange Server 2016
• 4583533 Exchange Server 2016 installation fails with error “The user has insufficient access rights” 
• 4583534 Event ID 65535 System.Runtime.Serialization errors in Application log in Exchange Server 2016
• 4583535 New-Moverequest, Resume-Moverequest, and Remove-Moverequest not logged in Audit logs in Exchange Server 2016
• 4583536 Set-MailboxFolderPermission is included in Mail Recipient Creation in Exchange Server 2016
• 4583537 Update Korean word breaker in Exchange Server 2016
• 4583538 Microsoft Teams REST calls exceed the default value of maxQueryStringLength in Exchange Server 2016
• 4583539 Non-breaking space is visible in message body in Outlook in Exchange Server 2016
• 4583545 Make DomainName in Authserver a multivalued parameter in Exchange Server 2016
• 4593465 Description of the security update for Microsoft Exchange Server 2019 and 2016: December 8, 2020

Notes:

• These Cumulative Updates contain schema changes compared to the previous Cumulative Update. This requires you to run /PrepareSchema. Also, Active Directory changes require you to run PrepareAD (which also can perform the schema update, depending permissions). Consult the Exchange schema versions page for object version numbers.
• When upgrading from an n-2 or earlier version of Exchange, or an early version of the .NET Framework, consult Upgrade Paths for CU’s & .NET.
• Don’t forget to put the Exchange server in maintenance mode prior to updating. Regardless, setup will put the server in server-wide offline mode post-analysis, before making actual changes.
• When using Exchange hybrid deployments or Exchange Online Archiving (EOA), you are allowed to trail at most one version (n-1).
• If you want to speed up the update process for systems without internet access, you can follow the procedure described here to disable publisher’s certificate revocation checking.
• Cumulative Updates can be installed directly; no need to install RTM prior to installing Cumulative Updates.
• Once installed, you can’t uninstall a Cumulative Update nor any of the installed Exchange server roles.
• The order of installation shouldn’t matter with the “every server is an island” concept, yet recommended is to upgrade internet-facing, non-internet-facing servers first, followed by Edge Transports.

Caution:

As for any update, I recommend to thoroughly test updates in a test environment prior to implementing them in production. When you lack such facilities, hold out a few days and monitor the comments on the original publication or forums for any issues.

A quick blog on security updates for Exchange Server 2013, 2016 and 2019 released October 13th. These fixes address the following vulnerability:

• CVE-2020-16969: Microsoft Exchange Information Disclosure Vulnerability
  An information disclosure vulnerability exists in how Microsoft Exchange validates tokens when handling certain messages. An attacker who successfully exploited the vulnerability could use this to gain further information from a user.
  
  To exploit the vulnerability, an attacker could include specially crafted OWA messages that could be loaded, without warning or filtering, from the attacker-controlled URL. This callback vector provides an information disclosure tactic used in web beacons and other types of tracking systems.
  
  The security update corrects the way that Exchange handles these token validations.

The exploits can be fixed by single security update, which you can find in the table below per current Exchange version.

Be advised that these security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2016 CU17 to Exchange 2016 CU16. Also, the security update download has the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level, e.g. Exchange2016-CU17-KB4581424-x64-en.msp.

Also, run the Security Update from an elevated command prompt, to prevent issues during installation. And on a final note, as with any patch or update, I’d recommend to apply this in a acceptance environment first, prior to implementing it in production.