Exchange Server security updates (March 12, 2024)

Microsoft has released security updates for Exchange Server 2016 and 2019 on March 12, 2024. These updates fix security vulnerabilities reported to Microsoft by security partners and found by Microsoft's internal processes. According to Microsoft, the updates should be installed promptly.


I came across the following tweet from the Exchange team about the security updates for Exchange Server 2016 and Exchange Server 2019.

Exchange Server security update March 2024

Microsoft has published the Techcommunity article Released: March 2024 Exchange Server Security Updates with a description of the security updates. Security updates are available for the following Exchange Server CU versions.

SUs are available as self-extracting .exe packages and as original update packages (.msp files), and can be downloaded from the Microsoft Update Catalog.

Microsoft writes in the Techcommunity post that the security updates fix vulnerabilities reported to Microsoft by security partners and found by Microsoft's internal processes. These vulnerabilities affect on-premises Exchange Server. Exchange Online customers are already protected from the vulnerabilities.


Security Advisory ADV24199947

Microsoft points out that Exchange Server will no longer use Oracle Outside In Technology (also known as OutsideInModule or OIT) once this security update has been installed. OIT performs text extraction when processing email messages with attachments in Exchange Transport Rule (ETR) and Data Loss Prevention (DLP) scenarios. Details can be found in the Microsoft article "The OutsideInModule module is disabled after installing the March 2024 SU".

Problems with the updates

I got this comment thread on my German blog, which deals with the Oracle topic and the broken OWA attachment handling mentioned below. In the user comments on the Techcommunity post Released: March 2024 Exchange Server Security Updates, there is a user post reporting OWA issues.

–> installing the March 2024 SU will address an RCE with a CVSS score of 8.8 [CVE-2024-26198], but will break attachment functionality for OWA clients on environments with Download Domains configured... and the hope is some future fix (at date TBD) will restore the attachment functionality for OWA clients?
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-26198
–> disabling Download Domains allows OWA attachments to still work correctly even with March 2024 SU installed, but leaves the systems exposed to an older, but different RCE with a CVSS score of 5.4 [CVE-2021-1730]
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1730
To me it seems like if full OWA functionality is important to an environment, the compromise is to install the March 2024 SU (fixing the higher scored CVE), but disable Download Domains until there is a later fix to restore functionality. That obviously opens the door to the apparently lower scored [CVE-2021-1730], but I can't see that it's practical for OWA users to not have access to attachments.

Microsoft is working on a fix for this problem, and there is a support article on it here. In this German comment on my German blog, a reader lists further points that he has come across.
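Whether an environment is in the situation the comment above describes depends on two facts: is Download Domains enabled, and is the March 2024 SU installed. The following Exchange Management Shell script is an added example (not from the Techcommunity post or the commenter) that inventories both using the standard Get-OrganizationConfig, Get-OwaVirtualDirectory and Get-Command cmdlets; the March 2024 SU build number is a placeholder to be taken from Microsoft's release notes for your CU.

```powershell
# Added example: inventory the two facts the trade-off above depends on.
# Run in the Exchange Management Shell on a Mailbox server.
#   1. Is Download Domains enabled, and which OWA virtual directories carry host names?
#   2. Which SU build is installed here? (AdminDisplayVersion only reflects the CU;
#      the SU level is the file version of ExSetup.exe.)

# Placeholder: replace with the March 2024 SU build Microsoft lists for your CU.
$MarchSuBuild = [version]'0.0.0.0'

# Organization-level switch for the Download Domains feature.
$orgConfig = Get-OrganizationConfig
$downloadDomainsEnabled = [bool]$orgConfig.EnableDownloadDomains

# Per-virtual-directory download host names (set when Download Domains were configured).
$owaDirs = Get-OwaVirtualDirectory |
    Select-Object Server, Name, InternalDownloadHostName, ExternalDownloadHostName

# SU level of the local server, taken from the ExSetup.exe file version.
$exSetup    = Get-Command ExSetup.exe
$localBuild = [version]$exSetup.FileVersionInfo.FileVersion

"Download Domains enabled (Get-OrganizationConfig): $downloadDomainsEnabled"
$owaDirs | Format-Table -AutoSize
"Local ExSetup.exe build: $localBuild"

# Only compare builds once the placeholder has been replaced with a real value.
$hasMarchSu = ($MarchSuBuild -ne [version]'0.0.0.0') -and ($localBuild -ge $MarchSuBuild)

if ($downloadDomainsEnabled -and $hasMarchSu) {
    "Download Domains + March 2024 SU: this matches the OWA attachment issue reported above."
} elseif (-not $downloadDomainsEnabled) {
    "Download Domains not enabled: OWA attachments unaffected, but see CVE-2021-1730 for what the feature mitigates."
} else {
    "Download Domains enabled; March 2024 SU not detected or build placeholder not set."
}
```

Run the ExSetup.exe check on every Mailbox server, since SU levels can differ per server while the Download Domains switch is organization-wide.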

Similar articles:
Microsoft Security Update Summary (March 12, 2024)
Patchday: Windows 10-Updates (March 12, 2024)
Patchday: Windows 11/Server 2022-Updates (March 12, 2024)
Windows 10/Server 2019: Update KB5035849 fails with error 0xd0000034
