Microsoft released several Security Updates (SUs) for Microsoft Exchange Server to address vulnerabilities. Due to the critical nature of these vulnerabilities, we recommend that customers apply the updates to affected systems immediately to protect the environment.
Exchange Server Security Updates
Microsoft has released Security Updates for vulnerabilities found in:
- Exchange Server 2016
- Exchange Server 2019
These Security Updates are available for the following specific versions of Exchange:
If you are not at these Exchange Server CU versions, please update right now and apply the above patch.
The August 2023 SUs address vulnerabilities responsibly reported to Microsoft by security partners and found through Microsoft’s internal processes. Although we are not aware of any active exploits in the wild, our recommendation is to immediately install these updates to protect your environment.
These vulnerabilities affect Exchange Server. Exchange Online customers are already protected from the vulnerabilities addressed by these SUs and do not need to take any action other than updating any Exchange servers or Exchange Management tools workstations in their environment.
More details about specific CVEs can be found in the Security Update Guide (filter on Exchange Server under Product Family).
Steps needed to address CVE-2023-21709
To address CVE-2023-21709, administrators must perform additional actions and can run the CVE-2023-21709.ps1 script that we have released. The script and its documentation can be found here. We have validated the script and CVE resolution on supported versions of Exchange Server only. We recommend updating to August SU first and then running the script.
Support for change of default encryption algorithm in Microsoft Purview Information Protection
This section applies only to our customers who use Exchange Server and either Azure or AD Rights Management Service (RMS). If you do not know what that is, Exchange Online CBC encryption changes should not apply to you:
As announced in the Encryption algorithm changes in Microsoft Purview Information Protection blog post, Exchange Server August 2023 SUs contain updates that enable customers who use Exchange Server on-premises to continue decrypting content protected by Purview sensitivity labels or Active Directory Rights Management Services. Please review that blog post for details and timelines and read AES256-CBC support for Microsoft 365 documentation.
If your organization is impacted by this change, after installing the August SU on your Exchange servers, see this KB article. Please note – this step is not needed unless your on-premises servers require support for AES256-CBC.
The following update paths are available:
- Install the latest CU. Use the Exchange Update Wizard to choose your current CU and your target CU to get directions.
- Inventory your Exchange Servers to determine which updates are needed using the Exchange Server Health Checker script. Running this script will tell you if any of your Exchange Servers are behind on updates (CUs, SUs, or manual actions).
- Re-run the Health Checker after you install an SU to see if any further actions are needed.
- If you encounter errors during or after installation of Exchange Server, run the SetupAssist script. If something does not work properly after updates, see Repair failed installations of Exchange Cumulative and Security updates.
Known issues with this release
- Customers impacted by the upcoming Microsoft 365 AES256-CBC encryption change need to perform a manual action to enable new encryption algorithm after August 2023 SU is installed. Please see this KB article. We will remove the requirement for manual action in a future update.
Issues resolved in this release
Our organization is in Hybrid mode with Exchange Online. Do we need to do anything?
Exchange Online is already protected, but this SU needs to be installed on your Exchange servers, even if they are used only for management purposes. If you change the auth certificate after installing an SU, you should re-run the Hybrid Configuration Wizard.
The last SU we installed is a few months old. Do we need to install all SUs in order to install the latest one?
SUs are cumulative. If you are running a CU supported by the SU, you do not need to install all SUs in sequential order; simply install the latest SU. Please see this blog post for more information.
Do we need to install SUs on all Exchange Servers within our organization? What about ‘Management Tools only’ machines?
Our recommendation is to install SUs on all Exchange Servers and all servers and workstations running the Exchange Management Tools to ensure compatibility between management tools clients and servers.
We still use Exchange Server 2013 on-premises to host mailboxes. Can we have an update for Exchange Server 2013 to support the new Microsoft 365 AES256-CBC encryption standard?
Exchange Server 2013 is out of support and will not receive any further security updates. We do not perform any vulnerability testing against this version of Exchange anymore. Exchange Server 2013 is likely vulnerable to any vulnerabilities disclosed after April 2023 and you should migrate to Exchange Server 2019 or Exchange Online as soon as possible and decommission Exchange Server 2013 from your environment.
Documentation may not be fully available at the time this post is published.
This post might receive future updates; they will be listed here (if available).
The Exchange Server Team
Phương nguyễn Viết