Exchange Server Security Update KB5001779 (April 13, 2021)

As expected, Microsoft released security updates for Exchange Server 2013, Exchange Server 2016 and Exchange Server 2019 on April 13, 2021 (Patchday). They are intended to close vulnerabilities that were reported by security companies. Prompt installation is recommended – though feedback on bugs has yet to be received. Here is some information about these updates.



I issued a warning a couple of days ago in my blog post PSA: Watch your Exchange Patch status – 0 day vulnerabilities found, is the next Exchange disaster in sight?. There I already hinted that Exchange administrators should make sure their managed systems are running the new CUs, as I expected security updates on April 13, 2021. Exactly these security updates have now been released – the following image is from a reader.

Security Update KB5001779 for Exchange Server 2019 CU9

The Microsoft Exchange team has provided an overview of the situation in the Techcommunity article Released: April 2021 Exchange Server Security Updates. Vulnerabilities have been found in Exchange that were reported by a security partner. Although Microsoft is not aware of any active exploits in the wild, the Exchange team recommends installing these updates immediately to protect the Exchange environment.

These vulnerabilities affect Microsoft Exchange Server on on-premises installations. Exchange Online customers are already protected because Microsoft has already installed these updates. Therefore, these customers do not need to take any action.

Security update KB5001779

For on-premises installations, Microsoft has deployed security update KB5001779 for the Exchange versions listed below.

  • Exchange Server 2013 CU23
  • Exchange Server 2016 CU19 and CU20
  • Exchange Server 2019 CU8 and CU9

Exchange Server 2010 is out of support and will not receive a security update. More recent Exchange Servers that do not have any of the builds listed above will also not receive a security update – I had pointed this out in my article linked above. The security updates address the following vulnerabilities:



These are remote code execution vulnerabilities that have received a high threat rating from Microsoft.

Errors and things to note when updating

The update is offered under Windows Update. However, it should not be installed via this route. Instead, it is recommended to download the security updates via the following links:

The installation must then be started from an administrative prompt, specifying the full path and name of the .msp file. If this is forgotten and the installation is started by double-clicking as a normal user, some files are not updated correctly. No error message appears in that case, but the security update is not installed correctly, and Outlook on the Web (OWA) and Exchange Control Panel (ECP) may stop working. I had pointed out these problems in the blog posts Important notes from Microsoft regarding the Exchange server security update (March 2021) and Important notes from Microsoft regarding the Exchange server security update (March 2021).
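One way to enforce the elevated, full-path installation described above is a small wrapper script. This is an added example, not code from Microsoft or from this blog; the `$MspPath` parameter is an assumption and stands for whatever .msp file you downloaded.

```powershell
# Added example: guards against the silent, non-elevated install described above.
param(
    # Assumption: path to the downloaded security update (.msp); supply your own file.
    [Parameter(Mandatory = $true)]
    [string]$MspPath
)

# Refuse to continue unless this session is elevated. A non-elevated install
# can finish without any error message while leaving files un-updated.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Not elevated: start PowerShell with "Run as administrator" and retry.'
}

# Resolve to a full path and make sure it really is an .msp patch file.
$msp = (Resolve-Path -LiteralPath $MspPath -ErrorAction Stop).ProviderPath
if ([IO.Path]::GetExtension($msp) -ne '.msp') {
    throw "Expected an .msp patch file, got: $msp"
}

# Write a verbose installer log next to the patch so the run can be reviewed later.
$logName = '{0}-{1:yyyyMMdd-HHmmss}.log' -f [IO.Path]::GetFileNameWithoutExtension($msp), (Get-Date)
$log     = Join-Path (Split-Path -Parent $msp) $logName

# msiexec /update applies the patch; /lv* writes a verbose log.
$arguments = '/update "{0}" /lv* "{1}"' -f $msp, $log
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $arguments -Wait -PassThru

# 0 = success, 3010 = success but a reboot is required; anything else needs a look at the log.
switch ($proc.ExitCode) {
    0       { Write-Host "msiexec reported success. Log: $log" }
    3010    { Write-Host "msiexec reported success, reboot required. Log: $log" }
    default { Write-Error "msiexec exited with code $($proc.ExitCode). Review $log" }
}
```

After the run, confirm that OWA and ECP still load, since those are the components the text names as breaking after an incorrect installation.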

First feedback from administrators is that this update has gone through on test servers and on production systems. However, I have received initial feedback in a Facebook administrator group with a note about errors:

Cumulative update 04/21 for Win Server 2019 aborts with error 0x80070541. Günter Born had already written something about this error on 18.3. Although for Windows 10, but continues with the server 2019 apparently. Have tested it on 2 systems.

The blog post mentioned is Windows 10: Update KB5001649 fails with install error 0x80070541 (March 18, 2021) – in that case, a missing SSU KB5001649 was the cause of the installation error. So check whether the current SSU for the Windows Server machine is installed.

Similar articles
PSA: Watch your Exchange Patch status – 0 day vulnerabilities found, is the next Exchange disaster in sight?
Important notes from Microsoft regarding the Exchange server security update (March 2021)
Important notes from Microsoft regarding the Exchange server security update (March 2021)



1 Response to Exchange Server Security Update KB5001779 (April 13, 2021)

  1. Evan says:

    Wouldn't it be nice if Microsoft would STOP releasing the updates that can't be installed without Admin rights on Windows update and just provide a link to get the update? Does anyone think over there?
