Security Updates Exchange 2013-2019 (May2021)

Another month, another Patch Tuesday! A quick blog on May’s security updates for Exchange Server 2013 up to 2019.

These fixes address the following vulnerabilities:

VulnerabilityCategorySeverityRating
CVE-2021-31209SpoofingImportantCVSS:3.0 6.5 / 5.7
CVE-2021-31207Security Feature BypassModerateCVSS:3.0 6.6 / 5.8
CVE-2021-31198Remote Code ExecutionImportantCVSS:3.0 7.8 / 6.8
CVE-2021-31195Remote Code Execution ImportantCVSS:3.0 6.5 / 5.7

These vulnerabilities can be fixed by single security update for Exchange, which you can find below:

ExchangeDownloadBuildKBSupersedes
Exchange 2019 CU9Download15.2.858.12KB5003435KB5001779
Exchange 2019 CU8Download15.2.792.15KB5003435KB5001779
Exchange 2016 CU20Download15.1.2242.10KB5003435KB5001779
Exchange 2016 CU19Download15.1.2176.14KB5003435KB5001779
Exchange 2013 CU23Download15.0.1497.18KB5003435KB5001779

More detailed information can be found at the original blog post here, which also mentions some known issues and workarounds which you might encounter after deploying these updates.

Be advised that these security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU9 to Exchange 2019 CU8. Also, the security update download has the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level, e.g. Exchange2019-CU9-KB5003435-x64-en.msp.

Also, run the Security Update from an elevated command prompt, to prevent issues during installation (other words: Do not just double-click on the .MSP file). And on a final note, as with any patch or update, I’d recommend to apply this in a acceptance environment first, prior to implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it concerns security updates, and follow a more agile approach. The rating implies a form of urgency.

Security Update Exchange 2013-2019 (Apr2021)

15Apr2021: Added note about Pwn2Own vulnerabilities not being addressed by these updates.

A quick blog on April’s security updates for Exchange Server 2013 up to 2019. Details regarding these vulnerabilities are confidential, but organizations are recommended to install these updates based on their rating. With patching procedures still fresh in everyone’s memory, and every Exchange on-premises server being current after the Hafnium issues, that should not be a problem, right?

The fixes address the following Remote Code Execution vulnerabilities:

VulnerabilitySeverityRating
CVE-2021-28483CriticalCVSS:3.0 9.0 / 7.8
CVE-2021-28482HighCVSS:3.0 8.8 / 7.7
CVE-2021-28481CriticalCVSS:3.0 9.8 / 8.5
CVE-2021-28480CriticalCVSS:3.0 9.8 / 8.5

More detailed information can be found at the original blog post here. Note that the recently discovered at the Pwn2Own 2021 contest are not (yet) addressed by these updates, according to this blog by the contest organizers.

The exploit can be fixed by single security update, which you can find below.

ExchangeDownloadBuildKBSupersedes
Exchange 2019 CU9Download15.2.858.10KB5001779
Exchange 2019 CU8Download15.2.792.13KB5001779
Exchange 2016 CU20Download15.1.2242.8KB5001779
Exchange 2016 CU19Download15.1.2176.12KB5001779
Exchange 2013 CU23Download15.0.1497.15KB5001779

Be advised that these security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2016 CU20 to Exchange 2016 CU19. Also, the security update download has the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level, e.g. Exchange2019-CU9-KB5001779-x64-en.msp.

Also, run the Security Update from an elevated command prompt, to prevent issues during installation (other words: Do not just double-click on the .MSP file). And on a final note, as with any patch or update, I’d recommend to apply this in a acceptance environment first, prior to implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it concerns security updates, and follow a more agile approach. The rating implies a form of urgency.