[German]As expected, Microsoft has released security updates for Exchange Server 2013, Exchange Server 2016 and Exchange Server 2019 on April 13, 2021 (Patchday). These are intended to close vulnerabilities found that were reported by security companies. Prompt installation is recommended – though feedback on bugs has yet to be received. Here is some information about these updates.
Advertising
I had issued a warning a couple of days ago within my blog post PSA: Watch your Exchange Patch status – 0 day vulnerabilities found, is the next Exchange disaster in sight?. I had already given the hint that Exchange administrators should make sure that their managed systems are running on the new CUs, as I expect security updates on April 13, 2021. Exactly these security updates have now been released – the following image is from a reader.
The Microsoft Exchange team has provided an overview in the Techcommunity articleReleased: April 2021 Exchange Server Security Updates provided an overview of the situation. Vulnerabilities have been found in Exchange that have been reported by a security partner. Although Microsoft is not aware of any active exploits in the wild, the Exchange team recommends installing these updates immediately to protect the Exchange environment.
These vulnerabilities affect Microsoft Exchange Server on on-premises installations. Exchange Online customers are already protected because Microsoft has already installed these updates. Therefore, these customers do not need to take any action.
Security update KB5001779
For on-premises installations, Microsoft has deployed security update KB5001779 for the Exchange versions listed below.
Exchange Server 2010 is out of support and will not receive a security update. More recent Exchange Servers that do not have any of the builds listed above will also not receive a security update – I had pointed this out in my article linked above. The security updates address the following vulnerabilities:
Advertising
- CVE-2021-28480 | Microsoft Exchange Server Remote Code Execution Vulnerability
- CVE-2021-28481 | Microsoft Exchange Server Remote Code Execution Vulnerability
- CVE-2021-28482 | Microsoft Exchange Server Remote Code Execution Vulnerability
- CVE-2021-28483 | Microsoft Exchange Server Remote Code Execution Vulnerability
These are remote code execution vulnerabilities that have received a high threat rating from Microsoft.
Errors and things to note when updating
The update is offered under Windows Update. However, it should not be installed via this route. Instead, it is recommended to download the security updates via the following links:
- Download Security Update For Exchange Server 2019 Cumulative Update 9 (KB5001779)
- Download Security Update For Exchange Server 2019 Cumulative Update 8 (KB5001779)
- Download Security Update For Exchange Server 2016 Cumulative Update 20 (KB5001779)
- Download Security Update For Exchange Server 2016 Cumulative Update 19 (KB5001779)
- Download Security Update For Exchange Server 2013 Cumulative Update 23 (KB5001779)
The update installation must then be started in an administrative prompt by specifying the full path and name of the .msp file. If this is forgotten by starting the installation by double-clicking as the default user, some files are not updated correctly. Then no error messages occur, but the security update is not installed correctly. However, Outlook on the Web (OWA) and Exchange Control Panel (ECP) may stop working. I had pointed out these problems in the blog posts Important notes from Microsoft regarding the Exchange server security update (March 2021) and Important notes from Microsoft regarding the Exchange server security update (March 2021).
First feedback from administrators is that this update has gone through on test servers and on production systems. However, I have received initial feedback in a Facebook administrator group with a note about errors:
Cumulative update 04/21 for Win Server 2019 aborts with error 0x80070541. Günter Born had already written something about this error on 18.3. Although for Windows 10, but continues with the server 2019 apparently. Have tested it on 2 systems.
The blog post mentioned is Windows 10: Update KB5001649 fails with install error 0x80070541 (March 18, 2021) – there a missing SSU KB5001649 was the cause for the installation error. So check if the current SSU for the Windows Server machine is installed.
Similar articles
PSA: Watch your Exchange Patch status – 0 day vulnerabilities found, is the next Exchange disaster in sight?
Important notes from Microsoft regarding the Exchange server security update (March 2021)
Important notes from Microsoft regarding the Exchange server security update (March 2021)
Advertising
Wouldnt it be nice if Microsoft would STOP releasing the updates that cant be installed without Admin rights on Windows update and just provide a link to get the update? Does anyone think over there?