Microsoft has released security updates for Exchange Server 2016 and Exchange Server 2019 as of June 13, 2023. These security updates close vulnerabilities in this software and should be installed promptly on affected systems.
I came across the following tweet on Twitter from Scott Schnoll, senior product marketing manager for Exchange Online, Exchange Server, and Microsoft 365 Networking.
Microsoft has published the Techcommunity article Released: June 2023 Exchange Server Security Updates with a description of the security updates. Security updates are available for the following Exchange Server CU versions.
- Exchange Server 2016 CU23 SU8 (KB5025903)
- Exchange Server 2019 CU12 SU8 (KB5026261) and CU13 SU1 (KB5026261)
SUs are available as self-extracting .exe packages as well as original update packages (.msp files), and can be downloaded from the Microsoft Update Catalog.
Microsoft writes in the Techcommunity post that the security updates address vulnerabilities reported to Microsoft by security partners and found through Microsoft's internal processes. No details about the vulnerabilities were provided. In the blog post Microsoft Security Update Summary (June 13, 2023) I had stated the following:
CVE-2023-28310 and CVE-2023-32031: Microsoft Exchange Server Remote Code Execution Vulnerability; CVSSv3 scores 8.0 and 8.1, important; CVE-2023-28310 can be exploited by an authenticated attacker on the local network to execute commands on the target via a remote PowerShell session. CVE-2023-32031 allows a remote, authenticated attacker to target server accounts via network calls in order to trigger the execution of arbitrary code. Both CVE-2023-32031 and CVE-2023-28310 were rated "Exploitation More Likely" and affect Microsoft Exchange Server 2016 Cumulative Update 23 and 2019 Cumulative Updates 12 and 13.
Although Microsoft is not aware of any active exploits in the wild, it is recommended to install these updates immediately for protection.
Observe Microsoft's guidance on installing the updates and on what else to check. Here is the list of fixed issues:
- "Object '<ServerName>' couldn't be found on '<DomainControllerName>'" error when trying to uninstall…
- Changing the permissions for Public Folders by using an Outlook client will fail with the following …
There are no known issues associated with the security updates. According to Microsoft, the Health Checker should be run after installation to see if any further action is required. Also note the support post Exchange won't uninstall after the January Security Update (KB5022143) is applied, which was freshly published because the June 2023 update fixes this issue.
These security vulnerabilities affect Exchange Server. Exchange Online customers are already protected from the vulnerabilities addressed in these SUs and do not need to take any action other than updating all Exchange servers in their environment.