On January 11, 2022, Microsoft released new Security Updates for the following Exchange versions:
- Exchange 2013 CU23
- Exchange 2016 CU21, Exchange 2016 CU22
- Exchange 2019 CU10, Exchange 2019 CU11
The following vulnerabilities have been addressed in these Security Updates:
- CVE-2022-21846 | Microsoft Exchange Server Remote Code Execution Vulnerability
- CVE-2022-21855 | Microsoft Exchange Server Remote Code Execution Vulnerability
- CVE-2022-21969 | Microsoft Exchange Server Remote Code Execution Vulnerability
No exploits have been found in the wild, but it is recommended to install these Security Updates as soon as possible.
These updates are targeted toward Exchange server on-premises, including Exchange servers used in a hybrid configuration.
Please note the following:
- Run the Exchange Server Healthcheck script on your Exchange server to get an overview of all issues in your environment, including installed Security Updates and Cumulative Updates versions.
- If you are running an old (and unsupported!) version of Exchange server, please update to the latest CU to get into a supported state and install these Security Updates.
- When installing manually, start the update from a command prompt with elevated privileges. If you fail to do so, it will look like the installation finishes successfully, but various issues will occur. This is not needed when installing using Windows Update or WSUS.
- Security Updates are also cumulative, so this Security Update contains all previous Security Updates for this specific Cumulative Update. There’s no need to install previous Security Updates before installing this Security Update.
- The December 2021 Cumulative Update is postponed; check the link on the Microsoft site. Microsoft does not release Cumulative Updates and Security Updates in the same month, so do not expect a new Cumulative Update anytime soon.
- This Security Update does not contain a fix for the Y2K22 problem that popped up on January 1; see the Email stuck in Exchange on-premises Transport Queues article, which also contains the solution.
- As always, download and deploy in your test environment to see if it all works well in your environment.
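
For the manual installation case above, the following is an added example (not from Microsoft or the original article) of a pre-flight wrapper that refuses to start the update unless the session is elevated and the package carries a valid Microsoft signature. The script parameters, the log location and the signer check are assumptions; pass the path of the .msp you downloaded for your CU.

```powershell
# Added example: pre-flight checks before installing an Exchange SU manually.
param(
    # Assumption: path to the .msp downloaded for your Cumulative Update.
    [Parameter(Mandatory = $true)] [string] $MspPath,
    # Assumption: any writable location for the verbose installer log.
    [string] $LogPath = "$env:TEMP\ExchangeSU-install.log"
)

function Test-Elevated {
    # True only when the current token is an elevated Administrators token.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# A non-elevated run appears to succeed but leaves the server broken, so stop here.
if (-not (Test-Elevated)) {
    throw "Session is not elevated. Start PowerShell with 'Run as administrator'."
}

if (-not (Test-Path -LiteralPath $MspPath -PathType Leaf)) {
    throw "Update package not found: $MspPath"
}
$fullPath = (Resolve-Path -LiteralPath $MspPath).ProviderPath

# Verify the Authenticode signature before handing the file to the installer.
$sig = Get-AuthenticodeSignature -FilePath $fullPath
if ($sig.Status -ne 'Valid') {
    throw "Signature status is '$($sig.Status)'; refusing to install."
}
if ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
    throw "Unexpected signer: $($sig.SignerCertificate.Subject)"
}

# Apply the patch and keep a verbose log for troubleshooting.
$msiArgs = @('/update', "`"$fullPath`"", '/l*v', "`"$LogPath`"")
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

switch ($proc.ExitCode) {
    0       { Write-Output "Security Update installed. Log: $LogPath" }
    3010    { Write-Output "Security Update installed; reboot required. Log: $LogPath" }
    default { throw "msiexec exited with code $($proc.ExitCode). See $LogPath" }
}
```
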
| Exchange version | Download | Knowledge base |
| --- | --- | --- |
| Exchange 2013 CU23 | https://www.microsoft.com/en-us/download/details.aspx?id=103857 | KB5008631 |
| Exchange 2016 CU21 | https://www.microsoft.com/en-us/download/details.aspx?id=103856 | KB5008631 |
| Exchange 2016 CU22 | https://www.microsoft.com/en-us/download/details.aspx?id=103855 | KB5008631 |
| Exchange 2019 CU10 | https://www.microsoft.com/en-us/download/details.aspx?id=103853 | KB5008631 |
| Exchange 2019 CU11 | https://www.microsoft.com/en-us/download/details.aspx?id=103854 | KB5008631 |