[German]Microsoft has released security updates for Exchange Server 2013, Exchange Server 2016 and Exchange Server 2019, effective August 9. These updates are required to address vulnerabilities reported by external security partners and found through Microsoft's internal processes. The updates apply to the Exchange Server on-premises installations listed below.
Advertising
The August 2022 Exchange Server security updates address vulnerabilities reported by security partners and found through Microsoft's internal processes. Microsoft has published the Techcommunity post Released: August 2022 Exchange Server Security Updates with a description of the security updates.
Security updates are available for the following Exchange Server CU versions.
The updates addresses the Microsoft Exchange Server Elevation of Privilege vulnerabilities CVE-2022-21980, CVE-2022-24477, and CVE-2022-24516. Here is the complete list of vulnerabilities:
- Microsoft Exchange Information Disclosure Vulnerability (CVE-2022-21979)
- Microsoft Exchange Server Elevation of Privilege Vulnerability (CVE-2022-21980)
- Microsoft Exchange Server Elevation of Privilege Vulnerability (CVE-2022-24516)
- Microsoft Exchange Server Elevation of Privilege Vulnerability (CVE-2022-24477)
- Microsoft Exchange Information Disclosure Vulnerability (CVE-2022-30134)
- Microsoft Exchange Information Disclosure Vulnerability (CVE-2022-34692)
Microsoft recommends installing these updates immediately, although there are no known active exploits in the wild yet. It should be noted that Exchange servers are updated to the current CU before the August 2022 updates are installed (see the graphic above and the note from Microsoft). Microsoft's HealthChecker-PowerShell-Script script can be used for testing.
Advertising
These vulnerabilities affect Exchange Server. Exchange Online customers are already protected from the vulnerabilities covered in these SUs and do not need to take any action other than updating all Exchange servers in their environment.
Enable Windows Extended Protection
In an addendum, Microsoft notes that to fix some vulnerabilities closed in August 2022, administrators must enable Windows Extended protection on their Exchange servers (in IIS). Microsoft provides a script to enable this feature (the latest version can be found here). Before activating Extended Protection (EP) on production systems, you should check if the requirements are met. The activation of Extended Protection (EP) is only supported by certain Exchange versions. And there are many, many known issues.
Similar articles:
Security updates for Exchange Server (March 8, 2022)
Important notes from Microsoft regarding the Exchange server security update (March 2021)
Exchange Server Security Updates (May 10, 2022)
Exchange isues with ECP/OWA search after installing security update (March 2021)
Exchange Hack News – Test tools from Microsoft and others
ProxyLogon hack: Administrator's Repository for affected Exchange systems
Exchange isues with ECP/OWA search after installing security update (March 2021)
Exchange security updates from July 2021 breaks ECP and OWA
Exchange 2016/2019: Outlook problems due to AMSI integration
Security updates for Exchange Server (January 2022)
Exchange Server September 2021 CU comes Sept. 28 with Microsoft Exchange Emergency Mitigation Service
Exchange Server 2016-2019: Custom attributes in ECP no longer updatable after CU installation (July 2021)
Is Windows Update KB5015811 causing Exchange performance issues?
