I have been away for a couple of days, but you might already have seen that Microsoft released a number of Security Updates for Exchange 2019, Exchange 2016 and Exchange 2013. As always, they are only available for the last two Cumulative Updates.
Security Updates are available for the following products:
| Exchange version | Download | Knowledge Base |
| --- | --- | --- |
| Exchange 2019 CU11 | https://www.microsoft.com/en-us/download/details.aspx?id=103643 | KB5007409 |
| Exchange 2019 CU10 | https://www.microsoft.com/en-us/download/details.aspx?id=103642 | KB5007409 |
| Exchange 2016 CU22 | https://www.microsoft.com/en-us/download/details.aspx?id=103644 | KB5007409 |
| Exchange 2016 CU21 | https://www.microsoft.com/en-us/download/details.aspx?id=103645 | KB5007409 |
| Exchange 2013 CU23 | https://www.microsoft.com/en-us/download/details.aspx?id=103646 | KB5007409 |
The following vulnerabilities are addressed in these updates:
- CVE-2021-42321 (Remote Code Execution, Important)
- CVE-2021-42305 (Spoofing, Important)
- CVE-2021-41349 (Spoofing, Important)
Security Updates are CU-specific: each one can only be applied to the Cumulative Update it was released for. Trying to install a Security Update built for a different CU returns an error message.
Security Updates are also cumulative, so this Security Update contains all previous security updates for this specific CU. There’s no need to install previous Security Updates before this Security Update.
As always, after downloading a Security Update, start the Security Update from a command prompt with elevated privileges (‘Run as Administrator’) to prevent an erratic installation. This does not apply when installing a Security Update via Windows Update or WSUS.
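The manual installation step above can be wrapped in a small preflight script. This is an added example, not Microsoft's or this blog's own code: it refuses to run unless the session is elevated, checks the package's Authenticode signature, and then applies it with a verbose log. It assumes the downloaded Security Update is an `.msp` package, and the package path is a placeholder you supply.

```powershell
# Added example: preflight wrapper for a manually downloaded Exchange Security Update.
# Assumption: the package is an .msp file; the path is a placeholder supplied by you.
param(
    [Parameter(Mandatory)]
    [string]$PackagePath   # e.g. C:\Temp\<downloaded-security-update>.msp (placeholder)
)

$ErrorActionPreference = 'Stop'

# 1. Refuse to continue from a non-elevated session (the cause of erratic installs).
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Session is not elevated. Start PowerShell with "Run as Administrator" and retry.'
}

# 2. Confirm the package exists and carries a valid Microsoft signature.
$package = Get-Item -LiteralPath $PackagePath
$sig = Get-AuthenticodeSignature -FilePath $package.FullName
if ($sig.Status -ne 'Valid') {
    throw "Signature check failed for $($package.Name): $($sig.Status)"
}
if ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
    throw "Unexpected signer: $($sig.SignerCertificate.Subject)"
}

# 3. Record the hash so the change record shows exactly which file was applied.
$hash = (Get-FileHash -LiteralPath $package.FullName -Algorithm SHA256).Hash
Write-Host "Applying $($package.Name) (SHA256 $hash)"

# 4. Apply the update with a verbose Windows Installer log for troubleshooting.
$log  = Join-Path $env:TEMP ('ExchangeSU-{0:yyyyMMdd-HHmmss}.log' -f (Get-Date))
$msiArgs = @('/update', "`"$($package.FullName)`"", '/l*v', "`"$log`"")
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

# 0 = success, 3010 = success but a reboot is required.
if ($proc.ExitCode -notin 0, 3010) {
    throw "msiexec exited with code $($proc.ExitCode). See log: $log"
}
Write-Host "Installation finished with exit code $($proc.ExitCode). Log: $log"
```

A Security Update that does not match the installed CU still fails at step 4, and the reason is recorded in the verbose log.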