Tag Archives: Security Update

Hotfix Update for Exchange 2016 and Exchange 2019

Wait, what? On April 23, 2024 Microsoft released a hotfix update for Exchange 2016 and Exchange 2019, and as MVPs we only learned about this last week.

A hotfix update (HU) contains fixes for issues that might arise with a security update in Exchange Server. For example, the March 2024 SU for Exchange Server introduced a number of issues, and these are fixed with this HU. Besides hotfixes, a HU can also contain new features that did not make it into the last Security Update (SU) or Cumulative Update (CU). In this HU, for example, Hybrid Modern Authentication for OWA and ECP is introduced as a new feature. Another new feature introduced in this HU is support for ECC (Elliptic Curve Cryptography) certificates. ECC certificates, however, are not supported for the federation trust certificate or the Exchange server OAuth certificate, and they cannot be used when ADFS claims-based authentication is used.

The following issues are fixed in this HU:

  • “We can’t open this document” error in OWA after installing March 2024 SU
  • Search error in Outlook cached mode after installing March 2024 SU
  • OwaDeepTestProbe and EacBackEndLogonProbe fail after installing March 2024 SU
  • Edit permissions option in the ECP can’t be edited
  • Outlook doesn’t display unread message icon after installing Exchange Server March 2024 SU
  • My Templates add-in doesn’t work after installing Exchange Server March 2024 SU
  • Download domains not working after installing the March 2024 SU

You can download this hotfix update for Exchange server here:

Exchange 2019 CU14 HU2 – https://www.microsoft.com/en-us/download/details.aspx?id=106021
Exchange 2019 CU13 HU6 – https://www.microsoft.com/en-us/download/details.aspx?id=106022
Exchange 2016 CU23 HU13 – https://www.microsoft.com/en-us/download/details.aspx?id=106023

Be aware that the filename for all versions of this HU is the same (Exchange2019-KB5037224-x64-en.exe), so when downloading multiple versions make sure you store them in different locations.

A hotfix update is cumulative and includes all security features and fixes from the previous security updates. If you are running Exchange 2019 CU14 and have not installed the March 2024 security update, there is no need to install that first; you can install this HU directly.

Exchange Security Updates June 2023

On June 13, 2023 Microsoft released Security Updates for:

  • Exchange 2019 CU13
  • Exchange 2019 CU12
  • Exchange 2016 CU23

There are no Security Updates released for older versions of Exchange 2016 and Exchange 2019; these are the only supported versions. There are also no Security Updates for Exchange 2013, since this is completely out of support. If you are still running Exchange 2013 you must seriously consider upgrading to Exchange 2019 or Exchange Online.

The following vulnerabilities are addressed with these Security Updates:

| Vulnerability | Impact | Severity |
| --- | --- | --- |
| CVE-2023-28310 | Remote Code Execution | Important |
| CVE-2023-32031 | Remote Code Execution | Important |

More information regarding CVEs can be found in the Security Update Guide.

The Security Update downloads and knowledge base articles can be found here:

| Exchange version | Download | KB article |
| --- | --- | --- |
| Exchange 2019 CU13 | https://www.microsoft.com/en-us/download/details.aspx?id=105280 | KB5026261 |
| Exchange 2019 CU12 | https://www.microsoft.com/en-us/download/details.aspx?id=105281 | KB5026261 |
| Exchange 2016 CU23 | https://www.microsoft.com/en-us/download/details.aspx?id=105282 | KB5025903 |

Some remarks about these Security Updates:

  • When possible, try to run the latest Cumulative Update for Exchange 2016 or Exchange 2019.
  • Exchange Security Updates are cumulative, so a Security Update contains all fixes that were released in earlier Security Updates (for a specific Exchange Cumulative Update).
  • Exchange Security Updates are specific for an Exchange Cumulative Update, so you cannot install an Exchange Security Update for Exchange 2019 CU13 on an Exchange 2019 CU12 server.
  • Security Updates must be installed on hybrid servers as well, even if there are no mailboxes anymore on these hybrid servers.
  • If you have a management server with only the Exchange server management tools installed, you must install Security Updates as well.
  • Of course, test Security Updates in a test environment first.
  • Use the Microsoft Exchange HealthChecker script (https://microsoft.github.io/CSS-Exchange/Diagnostics/HealthChecker/) to check the status of your Exchange server and whether additional actions are needed.
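
Because Security Updates are cumulative and tied to one Cumulative Update, servers on the same CU should all report the same build. The following added example (not code from the original post or from Microsoft) lists the ExSetup.exe build of every server and flags those behind their peers. It assumes the Exchange Management Shell, PowerShell remoting to every server, and that servers on the same CU share the first three parts of the build number while a Security Update raises the fourth; it only compares servers with each other, so it cannot tell whether the newest build found is itself current.

```powershell
# Added example: inventory the installed Exchange build per server and flag
# servers that are behind other servers on the same Cumulative Update.
# Assumptions: Exchange Management Shell, PowerShell remoting to each server.
$servers = Get-ExchangeServer | Where-Object { -not $_.IsEdgeServer }

$inventory = foreach ($server in $servers) {
    try {
        # ExSetup.exe carries the build of the installed CU plus SU/HU level.
        $raw = Invoke-Command -ComputerName $server.Fqdn -ErrorAction Stop -ScriptBlock {
            $exe = Join-Path $env:ExchangeInstallPath 'bin\ExSetup.exe'
            (Get-Item $exe).VersionInfo.ProductVersion
        }
        $build = [version]$raw
        [pscustomobject]@{
            Server = $server.Name
            CU     = '{0}.{1}.{2}' -f $build.Major, $build.Minor, $build.Build
            Build  = $build
        }
    } catch {
        Write-Warning "Could not read the ExSetup.exe version on $($server.Name): $_"
    }
}

# Within each CU, compare every server against the highest build found.
foreach ($group in $inventory | Group-Object CU) {
    $newest = ($group.Group | Sort-Object Build -Descending | Select-Object -First 1).Build
    foreach ($item in $group.Group) {
        [pscustomobject]@{
            Server         = $item.Server
            Build          = $item.Build
            NewestOnSameCU = $newest
            Behind         = $item.Build -lt $newest
        }
    }
}
```

Machines with only the management tools installed are not returned by Get-ExchangeServer and need a separate check.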

Exchange Security Updates August 2022

On August 9, 2022 Microsoft released important Security Updates for Exchange 2013, Exchange 2016 and Exchange 2019 that are rated ‘critical’ (Elevation of Privileges) and ‘important’ (Information Disclosure).

This security update rollup resolves vulnerabilities found in Microsoft Exchange Server. To learn more about these vulnerabilities, see the following Common Vulnerabilities and Exposures (CVE):

  • CVE-2022-21979 – Microsoft Exchange Information Disclosure Vulnerability
  • CVE-2022-21980 – Microsoft Exchange Server Elevation of Privilege Vulnerability
  • CVE-2022-24477 – Microsoft Exchange Server Elevation of Privilege Vulnerability
  • CVE-2022-24516 – Microsoft Exchange Server Elevation of Privilege Vulnerability
  • CVE-2022-30134 – Microsoft Exchange Server Elevation of Privilege Vulnerability

This Security Update introduces support for Extended Protection. Extended Protection enhances authentication to mitigate ‘man in the middle’ attacks. Extended Protection is supported on the latest version of Exchange 2016 and Exchange 2019 (2022H1) and the August 2022 Security Update (this one), so it is vital to bring your Exchange servers up to date.

Be aware of the following limitations:

  • Extended protection is only supported on the current and previous versions of Exchange (i.e. Exchange 2016 CU21/CU21 and Exchange 2019 CU12/CU11) and Exchange 2013 CU23 with the August 2022 SU installed
  • Extended protection is not supported on hybrid servers with the hybrid agent.
  • Extended protection is not supported with SSL Offloading. SSL Re-encrypt (also known as SSL Bridging) is supported, as long as the SSL certificate on the load balancer is identical to the SSL certificate on the Exchange servers.
  • If you still have Exchange 2013 in your environment and you are using Public Folders, make sure your Public Folders are hosted on Exchange 2016 or Exchange 2019.

Note. Make sure you have your Exchange server properly configured with all related security settings. Use the latest HealthChecker.ps1 script to find any anomalies in your Exchange configuration. If you fail to do so, the script to enable Extended Protection will fail with numerous error messages.

Enable Extended Protection

First off, make sure you have the latest Cumulative Update installed on all your Exchange servers and install the August 2022 Security Updates on all your servers, including the Exchange 2013 servers.

Another important thing is that you must make sure that TLS settings across all Exchange servers are identical. You can use the HealthChecker.ps1 script to figure out if this is the case. Personally, it took me quite some time to get this right.

The easiest way to configure Extended Protection is by using the ExchangeExtendedProtectionManagement.ps1 script (which can be found on GitHub). This script can enable Extended Protection on all Exchange servers in your organization, but by using the -SkipExchangeServerNames option you can exclude certain Exchange servers (for example, Exchange 2013 servers or servers running the hybrid agent). There’s also the -ExchangeServerNames option, which lets you specify which servers to enable Extended Protection on.
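
The preparation described above (identical TLS settings first, then the script with an exclusion list), as an added example that is not part of the original post or of the CSS-Exchange project. It assumes the Exchange Management Shell, PowerShell remoting to every server and the script in the current directory; the server name EXCH-HYB01 is hypothetical, and the registry values compared are only a subset of what HealthChecker.ps1 reports.

```powershell
# Added example (not from the original post or the CSS-Exchange project).
# Assumptions: Exchange Management Shell, PowerShell remoting to every server,
# script in the current directory. 'EXCH-HYB01' is a hypothetical server name.
$hybridAgent = @('EXCH-HYB01')   # servers that run the hybrid agent
$all = Get-ExchangeServer | Where-Object { -not $_.IsEdgeServer }

# Exchange 2013 reports version 15.0; skip it together with hybrid agent servers.
$ex2013 = $all | Where-Object { "$($_.AdminDisplayVersion)" -like 'Version 15.0*' }
$skip = (@($ex2013.Name) + $hybridAgent) | Where-Object { $_ } | Select-Object -Unique

# Runs on each server: read the SCHANNEL protocol and .NET TLS registry values.
$readTls = {
    $schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    $checks = foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($side in 'Server', 'Client') {
            @{ Path = "$schannel\$proto\$side"; Names = 'Enabled', 'DisabledByDefault' }
        }
    }
    $checks += foreach ($hive in 'SOFTWARE', 'SOFTWARE\WOW6432Node') {
        @{ Path  = "HKLM:\$hive\Microsoft\.NETFramework\v4.0.30319"
           Names = 'SchUseStrongCrypto', 'SystemDefaultTlsVersions' }
    }
    foreach ($check in $checks) {
        $key = Get-ItemProperty -Path $check.Path -ErrorAction SilentlyContinue
        foreach ($name in $check.Names) {
            # A missing key or value is reported as an empty string.
            [pscustomobject]@{ Setting = "$($check.Path)\$name"; Value = "$($key.$name)" }
        }
    }
}

$settings = Invoke-Command -ComputerName $all.Fqdn -ScriptBlock $readTls
if (@($settings.PSComputerName | Sort-Object -Unique).Count -ne @($all).Count) {
    throw 'Not every server returned its TLS settings; fix remoting before comparing.'
}
$mismatch = $settings | Group-Object Setting |
    Where-Object { @($_.Group.Value | Sort-Object -Unique).Count -gt 1 }

if ($mismatch) {
    $mismatch.Group | Sort-Object Setting, PSComputerName |
        Format-Table PSComputerName, Setting, Value -AutoSize
    Write-Warning 'TLS settings differ between servers; align them first.'
} else {
    $params = @{}
    if ($skip) { $params.SkipExchangeServerNames = @($skip) }
    .\ExchangeExtendedProtectionManagement.ps1 @params
}
```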

More information and downloads can be found here:

| Exchange version | Download | KB article |
| --- | --- | --- |
| Exchange 2013 CU23 | https://www.microsoft.com/en-us/download/details.aspx?id=104482 | KB5015321 |
| Exchange 2016 CU22 | https://www.microsoft.com/en-us/download/details.aspx?id=104481 | KB5015322 |
| Exchange 2016 2022H1 | https://www.microsoft.com/en-us/download/details.aspx?id=104480 | KB5015322 |
| Exchange 2019 CU11 | https://www.microsoft.com/en-us/download/details.aspx?id=104479 | KB5015322 |
| Exchange 2019 2022H1 | https://www.microsoft.com/en-us/download/details.aspx?id=104478 | KB5015322 |
| Exchange Protection Script | https://aka.ms/ExchangeEPScript | |
| Healthchecker scripts | https://aka.ms/ExchangeHealthChecker | |

Some important notes:

  • As always, make sure you thoroughly test this in your lab environment, especially enabling Extended protection.
  • You can start the SU from a command prompt or from Windows Explorer; there is no longer any need to start it from a command prompt with elevated privileges.
  • This SU contains all security updates from previous SUs for this particular Exchange version.

January 2022 Exchange Security Updates

On January 11, 2022 Microsoft released new Security Updates for Exchange versions:

  • Exchange 2013 CU23
  • Exchange 2016 CU21, Exchange 2016 CU22
  • Exchange 2019 CU10, Exchange 2019 CU11

The following vulnerabilities have been addressed in these Security Updates:

No exploits have been found in the wild, but it is recommended to install these Security Updates as soon as possible.

These updates are targeted toward Exchange server on-premises, including Exchange servers used in a hybrid configuration.

Please note the following:

  • Run the Exchange Server Healthcheck script on your Exchange server to get an overview of all issues in your environment, including installed Security Updates and Cumulative Updates versions.
  • If running an old (and unsupported!) version of Exchange server, please update to the latest CU to get in a supported state and install these Security Updates.
  • When installing manually, start the update from a command prompt with elevated privileges. If you fail to do so, it will look like installation successfully finishes, but various issues will occur. This is not needed when installing using Windows Update or WSUS.
  • Security Updates are also cumulative, so this Security Update contains all previous Security Updates for this specific Cumulative Update. There’s no need to install previous Security Updates before installing this Security Update.
  • The December 2021 Cumulative Update is postponed, check the link on the Microsoft site. Microsoft does not release Cumulative Updates and Security Updates in the same month, so do not expect a new Cumulative Update anytime soon.
  • This Security Update does not contain a fix for the Y2K22 problem that popped up on January 1, see the Email stuck in Exchange on-premises Transport Queues article which also contains the solution.
  • As always, download and deploy in your test environment to see if it all works well in your environment.

| Exchange version | Download | Knowledge base |
| --- | --- | --- |
| Exchange 2013 CU23 | https://www.microsoft.com/en-us/download/details.aspx?id=103857 | KB5008631 |
| Exchange 2016 CU21 | https://www.microsoft.com/en-us/download/details.aspx?id=103856 | KB5008631 |
| Exchange 2016 CU22 | https://www.microsoft.com/en-us/download/details.aspx?id=103855 | KB5008631 |
| Exchange 2019 CU10 | https://www.microsoft.com/en-us/download/details.aspx?id=103853 | KB5008631 |
| Exchange 2019 CU11 | https://www.microsoft.com/en-us/download/details.aspx?id=103854 | KB5008631 |

Exchange security updates November 2021

I have been away for a couple of days, but you already might have seen that Microsoft released a number of Security Updates for Exchange 2019, Exchange 2016 and Exchange 2013, but only for the last two Cumulative Updates (as always).

Security Updates are available for the following products:

| Exchange version | Download | Knowledge Base |
| --- | --- | --- |
| Exchange 2019 CU11 | https://www.microsoft.com/en-us/download/details.aspx?id=103643 | KB5007409 |
| Exchange 2019 CU10 | https://www.microsoft.com/en-us/download/details.aspx?id=103642 | KB5007409 |
| Exchange 2016 CU22 | https://www.microsoft.com/en-us/download/details.aspx?id=103644 | KB5007409 |
| Exchange 2016 CU21 | https://www.microsoft.com/en-us/download/details.aspx?id=103645 | KB5007409 |
| Exchange 2013 CU23 | https://www.microsoft.com/en-us/download/details.aspx?id=103646 | KB5007409 |

The following vulnerabilities are addressed in these updates:

Security Updates are CU specific and can only be applied to the specific Cumulative Update. When trying to install a Security Update for another CU, an error message will be returned.

Security Updates are also cumulative, so this Security Update contains all previous security updates for this specific CU. There’s no need to install previous Security Updates before this Security Update.

As always, after downloading a Security Update, start the Security Update from a command prompt with elevated privileges (‘Run as Administrator’) to prevent an erratic installation. This does not apply when installing a Security Update via Windows Update or WSUS.