[German]Microsoft has released security updates for Exchange Server 2013, Exchange Server 2016 and Exchange Server 2019 as of July 13, 2021. These July updates are required to address vulnerabilities reported by external security partners and found through Microsoft's internal processes. The updates apply to the Exchange Server on-premises installations listed below.
Microsoft has published the Techcommunity post Released: July 2021 Exchange Server Security Update with a description of the security updates. Updates are available for the following Exchange Server versions.
These vulnerabilities affect on-premises Microsoft Exchange servers as well as servers used by customers in Exchange Hybrid mode. Exchange Online customers are already protected and do not need to take any action. Although Microsoft is not aware of any active exploits in the wild, it recommends installing these updates immediately to protect your Exchange installation. On this page, someone has compiled the six vulnerabilities addressed below, some of which are rated as high risk.
- CVE-2021-31196: Code injection, risk low, vulnerable: Microsoft Exchange Server 2013 Cumulative Update 23
- CVE-2021-34470: Permissions, Privileges, and Access Controls, risk low, vulnerable: Exchange Server: 2013 Cumulative Update 23, 2016 Cumulative Update 21, 2019 Cumulative Update 10
- CVE-2021-33768: Permissions, Privileges, and Access Controls, risk low, vulnerable: Microsoft Exchange Server: 2016 Cumulative Update 20, 2016 Cumulative Update 21, 2019 Cumulative Update 9, 2019 Cumulative Update 10
- CVE-2021-34473: Code injection, risk high, vulnerable: Microsoft Exchange Server: 2013 Cumulative Update 23
- CVE-2021-34523: Permissions, Privileges, and Access Controls, risk low, vulnerable: Microsoft Exchange Server: 2013 Cumulative Update 23
- CVE-2021-31206: Code injection, risk high, vulnerable: Microsoft Exchange Server: 2013 Cumulative Update 23
The CVEs are also listed in this blog post from the Zero Day Initiative. However, more detailed explanations of each vulnerability can be found on this page. If the security updates are installed manually, this process must be started from an administrative command prompt. Otherwise, problems will occur during the installation.
The tech community post lists actions that should be taken to improve security because of CVE-2021-34470 in addition to applying the July 2021 security updates. In addition, Microsoft has published a list of known issues related to these security updates.
The issues with third-party virus scanners mentioned in the blog post Exchange 2016/2019: Outlook problems due to AMSI integration are not addressed in the update, as Microsoft was not aware of these bugs according to the comments below the post. Whether the installation issues addressed within this German comment have been fixed for the latest CUs is beyond my knowledge.
Cumulative Exchange CUs June 2021 released
Epsilon Red ransomware targets unpatched Exchange servers
Microsoft 365 bug: Mails from Exchange Online and Outlook send to the spam folder
Security Updates (KB5003435) for Microsoft Exchange Server (May 11, 2021)
Exchange 2016/2019: Outlook problems due to AMSI integration
Cookies helps to fund this blog: Cookie settings