Exchange security updates from July 2021 breaks ECP and OWA

Update[German]As of July 13, 2021, Microsoft has released security updates for Exchange Server 2013, Exchange Server 2016 and Exchange Server 2019. These July updates are intended to address vulnerabilities reported by external security partners and found by Microsoft's internal processes on Exchange Server on-premises installations. However, on some systems, installing the security updates causes the Exchange Control Panel (OWA) and Outlook Web App (OWA) to stop working. Microsoft has since confirmed the issue (seems an OAuth certificate thing).


Advertising

Security updates for Exchange Server (July 2021)

I had reported on the released security updates for on-premises Server 2013, Exchange Server 2016 and Exchange Server 2019 in the blog post Security updates for Exchange Server (July 2021). The CVEs are also listed in this Zero Day Initiative blog post. However, more detailed explanations of each vulnerability can be found on this page.

Prompt installation of the security updates is recommended. If the security updates are installed manually, this process must be started from an administrative command prompt. Otherwise, problems will occur during the installation. I had also pointed out this issue in the article.

In the Microsoft Techcommunity post Released: July 2021 Exchange Server Security Update it is also pointed out that a schema is needed for all measures to take effect. Stefan A.There are some discussions about it onreddit.com. There are also some Known Issues listed in the post.

Issues with ECP and OWA after install

Shortly after the blog post was published, blog readers reported problems with the installation. German blog reader McClane wrote:

On my first Exchange (2019CU10), in the ECP folder the web.config was empty after the patch. I then dragged it over from the second server.

And blog reader Marcel noticed login issues after the update. Here is his comment on the German blog post:


Advertising

Have login problems after the update. After installing the Security Update For Exchange Server 2016 CU21 (KB5004779) on an Exchange Server in the DAG, I get the following error:
After successful login, I am immediately thrown back to the OWA login page.
If I deactivate the server on the LB, OWA works as usual!

Also in the Techcommunity post login problems are confirmed – GErman blog reader Marcel has laft his comment there in English. On reddit.com someone also points out problems and in this reddit.com thread there is also a discussion on the topic.

Exchange Juli 2021-Update-Probleme (ECP/OWA)
FB message about Exchange July 2021 update problems (ECP/OWA)

After a German blog reader on Facebook posted the above message about Exchange July 2021 update problems (ECP/OWA), I compiled some details into a separate blog post. Meanwhile, in the Techcommunity post Released: July 2021 Exchange Server Security Update is also a notice that there may be problems.

Expired certificates as cause

Microsoft published its own post Can't sign in to Outlook on the web or EAC if Exchange Server OAuth certificate is expired in May 2021, which addresses the sign-in issues. The error pattern:

When you try to log in to Outlook on the web or the EAC in Exchange Server, the web browser freezes or reports that the redirection limit has been reached. Additionally, event 1003 is logged in the Event Viewer.

There is a hint there to generate a new OAuth certificate. On reddit there is also this hint how to proceed. And at Microsoft's Q&A, the entries EX2019-CU10 OWA/ECP not working after July Security Update and EX2019-CU10 OWA/ECP not working after July Security Update from July 2021 can be found.

Important: It can take up to 2.5 hours after creating the new OAuth certificate until this takes effect. Just keep this in mind in case something does not happen immediately after the new creation.

Similar articles:
Cumulative Exchange CUs June 2021 released
Epsilon Red ransomware targets unpatched Exchange servers
Microsoft 365 bug: Mails from Exchange Online and Outlook send to the spam folder
Security Updates (KB5003435) for Microsoft Exchange Server (May 11, 2021)
Exchange 2016/2019: Outlook problems due to AMSI integration
Security updates for Exchange Server (July 2021)


Cookies helps to fund this blog: Cookie settings
Advertising


This entry was posted in issue, Security, Software, Update and tagged , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published.