Microsoft has released a set of out of band security updates for vulnerabilities for the following versions of Exchange Server:
- Exchange Server 2013
- Exchange Server 2016
- Exchange Server 2019
While Microsoft is not aware of any active exploits currently, these are considered critical.
The recommendation is to patch the Exchange Servers ASAP due to the severity of the vulnerabilities. Exchange Hybrid Servers should also be patched.
Background
After the attacks on Exchange Server in late February and March, Microsoft is being more reactive to reported exploits. Microsoft is aware of Remote Code Execution (RCE) vulnerabilities covered in CVE-2021-28480, CVE-2021-28481, CVE-2021-28482, CSV-2021-28483. The vulnerabilities affect Microsoft Exchange Server. Office 365 Exchange Online is not affected.
Prerequisites
Microsoft Exchange must be running one of the following versions:
- Exchange Server 2013 CU23
- Exchange Server 2016 CU19 and CU20
- Exchange Server 2019 CU8 and CU9
If you are not on one of these levels, you will need to install the appropriate Cumulative Update prior to installing the Security Update.
Common Issues Reported
- Installing the security update REQUIRES using an elevated command prompt to be successful. Failure to do so will cause some Exchange services to not be functional without troubleshooting the post-patch installation.
- Admin accounts that use a name that ends with $ (example: John.Smith$) stopped being able to access the OWA, ECP, and Exchange Toolbox consoles. This was corrected by renaming the account without the “$”. Microsoft is looking into this issue.
- There is a known issue with the monitoring tool called PRTG and this security update. This is related to how PRTG accesses Exchange Server using Remote PowerShell. The makers of PRTG are aware of this and are working on a solution.
