{"id":33486,"date":"2024-03-13T15:41:20","date_gmt":"2024-03-13T14:41:20","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=33486"},"modified":"2024-03-13T15:42:25","modified_gmt":"2024-03-13T14:42:25","slug":"exchange-server-security-updates-march-12-2024","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2024\/03\/13\/exchange-server-security-updates-march-12-2024\/","title":{"rendered":"Exchange Server security updates (March 12, 2024)"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" style=\"margin: 0px 10px 0px 0px;\" title=\"Exchange Logo\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2022\/06\/Exchange.jpg\" alt=\"Exchange Logo\" width=\"152\" height=\"133\" align=\"left\" border=\"0\" \/>[<a href=\"https:\/\/www.borncity.com\/blog\/2024\/03\/13\/exchange-server-sicherheits-updates-12-mrz-2024\/\" target=\"_blank\" rel=\"noopener\">German<\/a>]Microsoft has released security updates for Exchange Server 2016 and 2019 on March 12, 2024. These updates fix security vulnerabilities reported to Microsoft by security partners and found by Microsoft's internal processes. 
According to Microsoft, the updates should be installed promptly.<\/p>\n<p><!--more--><\/p>\n<p>I came across the following <a href=\"https:\/\/twitter.com\/MSFTExchange\/status\/1767712392778076624\" target=\"_blank\" rel=\"noopener\">tweet<\/a> from the Exchange team about the security updates for Exchange Server 2016 and Exchange Server 2019.<\/p>\n<p><a href=\"https:\/\/twitter.com\/MSFTExchange\/status\/1767712392778076624\" target=\"_blank\" rel=\"noopener\"><img decoding=\"async\" title=\"Exchange Server security update March 2024\" src=\"https:\/\/i.postimg.cc\/m2VY4f72\/image.png\" alt=\"Exchange Server security update March 2024\" \/><\/a><\/p>\n<p>Microsoft has published the Techcommunity article <a href=\"https:\/\/techcommunity.microsoft.com\/t5\/exchange-team-blog\/released-march-2024-exchange-server-security-updates\/ba-p\/4075348\" target=\"_blank\" rel=\"noopener\">Released: March 2024 Exchange Server Security Updates<\/a> with a description of the security updates. 
Security updates are available for the following Exchange Server CU versions.<\/p>\n<ul>\n<li>Exchange Server 2016 <a href=\"https:\/\/www.microsoft.com\/en-us\/download\/details.aspx?id=105922\" target=\"_blank\" rel=\"noopener\">CU23 SU12 (KB5036386)<\/a><\/li>\n<li>Exchange Server 2019 <a href=\"https:\/\/www.microsoft.com\/en-us\/download\/details.aspx?id=105921\" target=\"_blank\" rel=\"noopener\">CU13 SU5 (KB5036402)<\/a> and <a href=\"https:\/\/www.microsoft.com\/en-us\/download\/details.aspx?id=105920\" target=\"_blank\" rel=\"noopener\">CU14 SU1 (KB5036401)<\/a><\/li>\n<\/ul>\n<p>SUs are <a href=\"https:\/\/techcommunity.microsoft.com\/t5\/exchange-team-blog\/new-exchange-server-security-update-and-hotfix-packaging\/ba-p\/3301819\" target=\"_blank\" rel=\"noopener\">available<\/a> as self-extracting .exe packages and as original update packages (.msp files), and can be downloaded from the <a href=\"https:\/\/www.catalog.update.microsoft.com\/Home.aspx\" target=\"_blank\" rel=\"noopener\">Microsoft Update Catalog<\/a>.<\/p>\n<p>Microsoft writes in the Techcommunity post that the security updates fix vulnerabilities reported to Microsoft by security partners and found by Microsoft's internal processes. These vulnerabilities affect on-premises Exchange Server. Exchange Online customers are already protected from the vulnerabilities.<\/p>\n<h2>Security Advisory ADV24199947<\/h2>\n<p>Microsoft would like to point out that Exchange Server will no longer use Oracle Outside In Technology (also known as OutsideInModule or OIT) after this security update has been installed. OIT performs text extraction operations when processing email messages with attachments in Exchange Transport Rule (ETR) and Data Loss Prevention (DLP) scenarios. 
Details can be found at <a href=\"https:\/\/support.microsoft.com\/topic\/5037191\" target=\"_blank\" rel=\"noopener\">The OutsideInModule module is disabled after installing the March 2024 SU<\/a>.<\/p>\n<h2>Problems with the updates<\/h2>\n<p>I got <a href=\"https:\/\/www.borncity.com\/blog\/2024\/03\/12\/microsoft-security-update-summary-12-mrz-2024\/#comment-176258\" target=\"_blank\" rel=\"noopener\">this comment thread<\/a> in my German blog, which deals with the Oracle topic and the broken OWA mentioned below. In the user comments on the Techcommunity post <a href=\"https:\/\/techcommunity.microsoft.com\/t5\/exchange-team-blog\/released-march-2024-exchange-server-security-updates\/ba-p\/4075348\" target=\"_blank\" rel=\"noopener\">Released: March 2024 Exchange Server Security Updates<\/a> there is a <a href=\"https:\/\/techcommunity.microsoft.com\/t5\/exchange-team-blog\/released-march-2024-exchange-server-security-updates\/bc-p\/4083141\/highlight\/true#M38170\" target=\"_blank\" rel=\"noopener\">user post<\/a> reporting OWA issues.<\/p>\n<blockquote><p>&#8211;&gt; installing the March 2024 SU will address a RCE vis a CVSS score of 8.8 [CVE-2024-26198], but will break attachment functionality for OWA clients on environments with Download Domains configured&#8230;..and the hope is some future fix (at date TBD) will restore the attachment functionality for OWA clients?<br \/>\n<a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2024-26198\" target=\"_blank\" rel=\"noopener\">https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2024-26198<\/a><br \/>\n&#8211;&gt; disabling Download Domains allows OWA attachments to still work correctly even with March 2024 SU installed, but leaves the systems exposed to an older, but different RCE with a CVSS score of 5.4 [CVE-2021-1730]<br \/>\n<a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2021-1730\" target=\"_blank\" 
rel=\"noopener\">https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2021-1730<\/a><br \/>\nto me it seems like if full OWA functionality is important to an environment, the compromise is to install the March 2024 SU (fixing the higher scored CVE), but disable Download Domains until there is a later fix to restore functionality. that obviously opens the door to the apparently lower scored [CVE-2021-1730] but i can't see that it's practical for OWA users to not have access to attachments.<\/p><\/blockquote>\n<p>Microsoft is working on a fix for this problem and there is the <a href=\"https:\/\/support.microsoft.com\/en-us\/topic\/owadeeptestprobe-und-eacbackendlogonprobe-schlagen-nach-der-installation-von-m%C3%A4rz-2024-su-fehl-653abc81-a6ac-426e-8e6f-75d339989766\" target=\"_blank\" rel=\"noopener\">support article here<\/a>. In <a href=\"https:\/\/www.borncity.com\/blog\/2024\/03\/12\/microsoft-security-update-summary-12-mrz-2024\/#comment-176274\" target=\"_blank\" rel=\"noopener\">this German comment<\/a> in my German blog, a reader lists further points that he has come across.<\/p>\n<p><strong>Similar articles:<\/strong><br \/>\n<a href=\"https:\/\/borncity.com\/win\/2024\/03\/12\/microsoft-security-update-summary-march-12-2024\/\">Microsoft Security Update Summary (March 12, 2024)<\/a><br \/>\n<a href=\"https:\/\/borncity.com\/win\/2024\/03\/13\/patchday-windows-10-updates-march-12-2024\/\">Patchday: Windows 10-Updates (March 12, 2024)<\/a><br \/>\n<a href=\"https:\/\/borncity.com\/win\/2024\/03\/13\/patchday-windows-11-server-2022-updates-march-12-2024\/\">Patchday: Windows 11\/Server 2022-Updates (March 12, 2024)<\/a><br \/>\n<a href=\"https:\/\/borncity.com\/win\/2024\/03\/13\/windows-10-server-2019-update-kb5035849-fails-with-error-0xd0000034\/\" rel=\"bookmark\">Windows 10\/Server 2019: Update KB5035849 fails with error 0xd0000034<\/a><\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]Microsoft has released 
security updates for Exchange Server 2016 and 2019 on March 12, 2024. These updates fix security vulnerabilities reported to Microsoft by security partners and found by Microsoft's internal processes. According to Microsoft, the updates should be installed &hellip; <a href=\"https:\/\/borncity.com\/win\/2024\/03\/13\/exchange-server-security-updates-march-12-2024\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580,1547,22],"tags":[1692,2850,69,195],"class_list":["post-33486","post","type-post","status-publish","format-standard","hentry","category-security","category-software","category-update","tag-exchange-server","tag-patchday-3-2024","tag-security","tag-update"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/33486","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=33486"}],"version-history":[{"count":2,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/33486\/revisions"}],"predecessor-version":[{"id":33488,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/33486\/revisions\/33488"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=33486"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=33486"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=33486"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templ
ated":true}]}}