As of January 10, 2023 (Patchday), Microsoft has released security updates for Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. These security updates close two vulnerabilities (Elevation of Privilege and Spoofing) in this software, but have known bugs and cause new issues during installation.
Exchange January 2023 security updates
Microsoft has released the following security updates for Exchange Server 2013, 2016 and 2019 for January 2023 (see also Exchange Server Security Updates (January 10, 2023)):
- Exchange Server 2013 CU23, KB5022188
- Exchange Server 2016 CU23, KB5022143
- Exchange Server 2019 CU11, CU12, KB5022193
Microsoft Exchange 2013 is only affected by the CVE-2023-21762 (Microsoft Exchange Server Spoofing) vulnerability. Nino Bilic from Microsoft states here that the code base is different than for Server 2016/2019, which is affected by additional vulnerabilities.
For Exchange Server 2013 and 2016, only the current CU23 is offered (and no longer the penultimate one). Microsoft justifies this with the fact that the penultimate CUs are one year old and therefore no longer apply. In addition, the updates are cumulative, and the latest CU23 can be installed on Exchange servers that are on an older CU patch level (see FAQ for Patchday).
The January 2023 security updates seem to cause some issues during or after installation, which I briefly summarize below.
Website previews in OWA incorrect
Web page previews for URLs shared in OWA are no longer rendering correctly after installing the security updates on Microsoft Exchange Server 2016 or Microsoft Exchange Server 2019. This is a known issue that was documented when the CUs were released. Microsoft plans to fix this with a future update.
ECP HTTP error 500; services down
On my German blog, a user reports in this comment that he gets HTTP error 500 when trying to log in to the Exchange Control Panel (ECP, Microsoft Exchange Control Panel). The reason is that Exchange services do not start automatically, which probably also occurs when restarting. The remedy is to restart all services manually; the ECP login should then work again.
With Exchange 2016 CU23 on Windows Server 2012 R2, there is the problem that the Microsoft Exchange Active Directory Topology service (MSExchangeADTopology) no longer starts automatically. This causes other services to hang, which is probably also the cause of the ECP HTTP error 500 above. Microsoft has meanwhile confirmed this problem and writes:
If Exchange Server 2016 is installed on Windows Server 2012 R2, after installation of the January 2023 SU, the AD Topology service might not start automatically, causing services that depend on it to not start automatically either. To work around this problem, start Exchange services manually. We are investigating this further.
Again, the workaround is to manually restart the Exchange services. Then everything should work again. Microsoft is investigating the problem.
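The workaround above, as an added example (not from Microsoft or the original post): a PowerShell script for an elevated session on the Exchange server that finds services set to start automatically but not running, starts MSExchangeADTopology first, then the rest, and reports anything still down. The `MSExchange` name-prefix filter is an assumption; other Exchange-related services with different names are not covered by it.

```powershell
# Added example: start Exchange services that are configured for automatic
# start but are not running (workaround described for the January 2023 SU).
# Assumption: only services whose name begins with 'MSExchange' are checked;
# extend $filter if other Exchange-related services are affected.
$filter = "Name LIKE 'MSExchange%' AND StartMode = 'Auto' AND State <> 'Running'"

function Get-StoppedAutoService {
    # Win32_Service reports StartMode 'Auto' for delayed-start services too.
    # Sort so MSExchangeADTopology comes first, since other services depend on it.
    Get-CimInstance -ClassName Win32_Service -Filter $filter |
        Sort-Object -Property { $_.Name -ne 'MSExchangeADTopology' }, Name
}

$stopped = @(Get-StoppedAutoService)
if ($stopped.Count -eq 0) {
    Write-Output 'All automatic MSExchange* services are running.'
    return
}

foreach ($svc in $stopped) {
    try {
        Start-Service -Name $svc.Name -ErrorAction Stop
        Write-Output "Started $($svc.Name)"
    }
    catch {
        Write-Warning "Could not start $($svc.Name): $($_.Exception.Message)"
    }
}

# Re-check so that a service which failed or stopped again is not missed.
$remaining = @(Get-StoppedAutoService)
if ($remaining.Count -gt 0) {
    Write-Warning ("Still not running: " + ($remaining.Name -join ', '))
}
else {
    Write-Output 'All automatic MSExchange* services are now running.'
}
```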
Health Checker script shows wrong results
After installing the security update, Microsoft recommends running the Exchange Server Health Checker script. Directly after the release of the updates, the script reported that the Exchange Server was still vulnerable to various vulnerabilities despite the installed update (see the comment by nak_87). In the meantime, Microsoft has provided an updated Health Checker script, which should show correct results.
Queue Viewer does not start
In addition, the comments here suggest that the Exchange Toolbox Queue Viewer does not start when Certificate Signing is enabled for the PowerShell Serialization Payload.
after enabling Certificate Signing of PowerShell Serialization Payload the Exchange Toolbox with Queue Viewer won't start.
The Health Checker Script shows "SerializedDataSigning Enabled" only on Exchange 2016 but not on Exchange 2019.
I am aware of two cases from comments at Microsoft, but the discussion is still ongoing. Actually, the bug that occurs in Microsoft Exchange Server 2016 on Windows Server 2012 R2 should be fixed with the January 2023 update. The bug is known from the November 2022 Security Update (SU).