Microsoft has released the March 14, 2023 security updates for Exchange Server 2013, Exchange Server 2016 and Exchange Server 2019 (some as a re-release from Feb. 2023). These security updates close vulnerabilities in this software. The updates should be installed on systems in a timely manner to close the vulnerabilities.
Microsoft has published the Techcommunity post Released: March 2023 Exchange Server Security Updates with a description of the security updates.
Security updates are available for the following Exchange Server CU versions.
- Exchange Server 2013 CU23 SU21 (KB5024296, support ends April 2023)
- Exchange Server 2016 CU23, SU 7 (KB5024296)
- Exchange Server 2019 CU11 SU11 (KB5024296) and CU12, SU7 (KB5024296)
Microsoft writes in the Techcommunity post that the security updates fix vulnerabilities reported to Microsoft by security partners and found through Microsoft's internal processes. No details about the vulnerabilities were given – on the patch management list I read that CVE-2023-21707 was a re-release of the Feb. 2023 update. There is also a reference to the critical security update for Outlook (CVE-2023-23397):
There is a security update for Microsoft Outlook that is required to address CVE-2023-23397. To address this CVE, you must install the Outlook security update.
After installing the Outlook update, you can use a script we created to see if any of your users have been targeted using the Outlook vulnerability. The script will tell you if any users have been targeted by potentially malicious messages and allow you to modify or delete those messages if any are found. The script will take some time to run, so we recommend prioritizing user mailboxes that are of higher value to attackers (e.g., executives, senior leadership, admins, etc.).
Note Microsoft's guidance on installing the update, the bugs fixed (e.g. those from the Feb. 2023 update) and the other points to watch for. Here is the list of fixed issues:
- EWS web application pool stops after the February 2023 Security Update is installed – if you have implemented the workaround in the KB article, you should remove the workaround once the March SU is installed (see the KB article for instructions). Running Health Checker will remind you of the need to remove the workaround.
- Exchange Toolbox and Queue Viewer fails after Certificate Signing of PowerShell Serialization Payloa… – this issue has been resolved for servers running the Mailbox role, but this still occurs on servers and workstations that have only the Management Tools role installed.
- This release unblocks customers who can't enable Extended Protection (EP) because they are using a Retention Policy with Retention Tags that perform Move-to-Archive actions. Note: if you worked around this problem using the updated Exchange Server Extended Protection script, you should roll back the applied IP restrictions after installing this SU by following the script documentation.
The Health Checker should be run after installation to see if further action is required.
These vulnerabilities affect Exchange Server. Exchange Online customers are already protected from the vulnerabilities covered in these SUs and do not need to take any action other than updating all Exchange servers in their environment.