Microsoft released security updates for Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019 on February 14, 2023. These security updates close four vulnerabilities (rated as important) in this software. The updates should be installed promptly to close these vulnerabilities.
Microsoft has published the Techcommunity post Released: February 2023 Exchange Server Security Updates with a description of the security updates.
Security updates are available for the following Exchange Server CU versions.
- Exchange Server 2013 CU23 SU20 (KB5023038, support ends in April 2023)
- Exchange Server 2016 CU23 SU6 (KB5023038)
- Exchange Server 2019 CU11 SU10 (KB5023038) and CU12 SU6 (KB5023038)
Microsoft writes in the Techcommunity post that the February 2023 security updates address vulnerabilities reported to Microsoft by security partners and found through Microsoft's internal processes. The following vulnerabilities have been closed.
- CVE-2023-21707: Microsoft Exchange Server Remote Code Execution Vulnerability
- CVE-2023-21706: Microsoft Exchange Server Remote Code Execution Vulnerability
- CVE-2023-21710: Microsoft Exchange Server Remote Code Execution Vulnerability
- CVE-2023-21529: Microsoft Exchange Server Remote Code Execution Vulnerability
Microsoft writes that while there are no known active exploits in the wild, they recommend installing these updates immediately to protect Exchange installations.
Note Microsoft's guidance on installing the update, the fixed bugs, and other points to watch. The Health Checker should be run after installation to see whether any further action is required.
The patches cause a bug: Exchange Toolbox and Queue Viewer fail after certificate signing of the PowerShell serialization payload.
Addendum: Initially, the January 2023 update was delivered for Exchange Server 2016 CU23, but this bug has been fixed (see Microsoft's February 2023 Patchday: Incorrect updates in WSUS, Exchange and Windows). In addition, some installations experience EWS problems (see February 2023 Patchday: EWS problems after Exchange Server security update); a workaround is known.
These vulnerabilities affect Exchange Server. Exchange Online customers are already protected from the vulnerabilities addressed in these SUs and do not need to take any action other than updating all Exchange servers in their environment.
Exchange issues with ECP/OWA search after installing security update (March 2021)
Exchange 2016/2019: Outlook problems due to AMSI integration
Exchange Server September 2021 CU comes Sept. 28 with Microsoft Exchange Emergency Mitigation Service
Exchange Server 2016-2019: Custom attributes in ECP no longer updatable after CU installation (July 2021)
Microsoft Exchange January 2023 patchday issues
Exchange Server Security Updates (February 14, 2023)
Microsoft's February 2023 Patchday: Incorrect updates in WSUS, Exchange and Windows
February 2023 Patchday: EWS problems after Exchange Server security update