Exchange Server Security Updates (May 10, 2022)

Microsoft has released security updates for Exchange Server 2013, Exchange Server 2016 and Exchange Server 2019 as of May 10, 2022. These updates are required to address vulnerabilities reported by external security partners and found through Microsoft's internal processes. The updates apply to the Exchange Server on-premises installations listed below.



The May 2022 Exchange Server security updates address vulnerabilities reported by security partners and found through Microsoft's internal processes. Microsoft has published the Techcommunity post "Released: May 2022 Exchange Server Security Updates" with a description of the security updates.

Exchange Server (May 2022) Security Updates

And on Twitter I came across the above notice. There are security updates available for the following Exchange Server CU versions.

The updates for May 2022 close the following vulnerability, rated as Important and with a CVSSv3 score of 8.2.

CVE-2022-21978 | Microsoft Exchange Server Elevation of Privilege Vulnerability: The vulnerability allows privilege elevation, with exploitation rated as Exploitation Less Likely. An attacker must already be authenticated to a vulnerable Exchange Server "as a member of a highly privileged group" to exploit this vulnerability, but could use it to elevate themselves to domain administrator.

While the requirements outlined above make it less likely that attackers will exploit this vulnerability, vulnerabilities in Exchange Servers are a favorite target for attackers. Vulnerabilities that can give attackers domain administrator privileges are particularly valuable, Tenable writes in this post.



If the security updates are installed manually, this process must be started from an administrative command prompt. Otherwise, problems will occur during the installation.

Note that manual execution of /PrepareAllDomains (after installation) is required. In the Techcommunity post "Released: May 2022 Exchange Server Security Updates", Microsoft describes actions that should be taken in addition to applying the May 2022 security updates due to additional security measures for CVE-2022-21978.

The fixes rolled out with these updates (e.g., that the Exchange Service Host Service dies after installing the March 2022 update KB5013118) can be found in the Techcommunity post "Released: May 2022 Exchange Server Security Updates".

Now also .exe packages

Starting with this version of the security updates, the updates are released in a self-extracting, auto-uploading .exe package (in addition to the existing Windows Installer patch format). More information can be found in this article. The original update packages can be downloaded from the Microsoft Update Catalog.

Similar articles:
Security updates for Exchange Server (March 8, 2022)
Important notes from Microsoft regarding the Exchange server security update (March 2021)
Exchange issues with ECP/OWA search after installing security update (March 2021)
Exchange Hack News – Test tools from Microsoft and others
ProxyLogon hack: Administrator's Repository for affected Exchange systems
Exchange security updates from July 2021 breaks ECP and OWA
Exchange 2016/2019: Outlook problems due to AMSI integration
Security updates for Exchange Server (January 2022)
Exchange Server September 2021 CU comes Sept. 28 with Microsoft Exchange Emergency Mitigation Service
Exchange Server 2016-2019: Custom attributes in ECP no longer updatable after CU installation (July 2021)
Issues with Exchange March 2022 Updates
Exchange Server CUs (April 20, 2022)

