On July 13, 2021 Microsoft has released a number of Security Updates for Exchange. Security Updates are released for:
- Exchange 2013 CU23
- Exchange 2016 CU20 and CU21
- Exchange 2019 CU9 and CU10
Some of the issues are marked ‘critical’ (Remote Code Execution) but no evidence have been found for any exploits in the wild, but it is strongly recommended to install these Security Updates as soon as possible.
The following CVE’s are addressed in these Security Updates:
- CVE-2021-34523 – Security Update Guide – Microsoft – Microsoft Exchange Server Elevation of Privilege Vulnerability
- CVE-2021-34470 – Security Update Guide – Microsoft – Microsoft Exchange Server Elevation of Privilege VulnerabilityCVE-2021-31196 – Security Update Guide – Microsoft – Microsoft Exchange Server Remote Code Execution Vulnerability
- CVE-2021-33768 – Security Update Guide – Microsoft – Microsoft Exchange Server Elevation of Privilege Vulnerability
- CVE-2021-33766 – Security Update Guide – Microsoft – Microsoft Exchange Information Disclosure Vulnerability
- CVE-2021-31196 – Security Update Guide – Microsoft – Microsoft Exchange Server Remote Code Execution Vulnerability
Detailed information regarding the vulnerabilities can be found in the Security Update Guide.
As always, when installing the Security Update manually from a command prompt, use elevated privileges. If you do not, installation will succeed but under the hood things break! This is not an issue when installing using Windows Update.
Note. This Security Update has a dependency on the Schema update that came with Exchange 2016 CU21 and Exchange 2019 CU10. If you are running an older version of these CUs, please update the Schema first to the latest level. If you are still running Exchange 2013, and only Exchange 2013 at the latest level, you can install the Security Update, but you must run setup.exe /PrepareSchema from the V15\bin directory. The SU installation will install the latest schema files in the V15\bin directory which will be used by the setup application to make the schema changes. Failure to do so will result in an unprotected Exchange 2013 environment.
- SU for Exchange 2013 CU23 – https://www.microsoft.com/en-us/download/details.aspx?id=103312
- SU for Exchange 2016 CU20 – https://www.microsoft.com/en-us/download/details.aspx?id=103310
- SU for Exchange 2016 CU21 – https://www.microsoft.com/en-us/download/details.aspx?id=103311
- SU for Exchange 2019 CU9 – https://www.microsoft.com/en-us/download/details.aspx?id=103308
- SU for Exchange 2019 CU10 – https://www.microsoft.com/en-us/download/details.aspx?id=103309