New updates have just been released for all supported Exchange Server versions, which also fix the critical vulnerability CVE-2018-8581. The updates should therefore be installed as soon as possible, as an exploit for this vulnerability has existed for some time.
Click here to download the updates for Exchange 2010, 2013 and 2016:
- Cumulative Update 12 for Exchange Server 2016
- Cumulative Update 22 for Exchange Server 2013
- Update Rollup 26 For Exchange 2010 SP3 (KB4487052)
The CU1 for Exchange Server 2019 is not available for public download, but only via VLSC, Action Pack or MyVisualStudio Download Center.
You can find more information about the updates here:
The article also states that the password for the Exchange Server computer account should be recreated after installing the update:
After applying either the cumulative update or update rollup to a server, customers are advised to force a reset of the Exchange servers' credentials stored in Active Directory. This can be accomplished using the Reset-ComputerMachinePassword cmdlet in PowerShell 5.1 or later. If PowerShell is not an option, netdom or Active Directory Users and Computers can also be used.
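As an added example (not taken from the Microsoft article), the reset described above can be run against every Exchange server and then checked in Active Directory. It assumes the RSAT ActiveDirectory module, PowerShell remoting to the servers, the default "Exchange Servers" security group, and a constructed sample timestamp for when the update was installed:

```powershell
# Added example: reset the machine account password on each Exchange server
# and verify the result in Active Directory.
# Assumptions: ActiveDirectory module, WinRM access, default "Exchange Servers" group.
Import-Module ActiveDirectory

# Time the update installation finished (constructed sample value, set your own).
$patchedAt = Get-Date '2019-02-15 20:00'

# The group can contain nested groups, so keep only computer accounts.
$servers = Get-ADGroupMember -Identity 'Exchange Servers' |
    Where-Object { $_.objectClass -eq 'computer' } |
    ForEach-Object { Get-ADComputer $_.DistinguishedName -Properties PasswordLastSet, DNSHostName }

foreach ($srv in $servers) {
    if ($srv.PasswordLastSet -ge $patchedAt) {
        Write-Output "$($srv.Name): already reset at $($srv.PasswordLastSet)"
        continue
    }
    try {
        # Runs on the Exchange server itself, which changes its own password.
        Invoke-Command -ComputerName $srv.DNSHostName -ErrorAction Stop -ScriptBlock {
            Reset-ComputerMachinePassword
            # Confirm the secure channel to the domain works with the new password.
            if (-not (Test-ComputerSecureChannel)) { throw 'secure channel check failed' }
        }
        Write-Output "$($srv.Name): reset requested"
    }
    catch {
        Write-Warning "$($srv.Name): reset failed - $($_.Exception.Message)"
    }
}

# Report: any server whose password is older than the update still holds
# credentials that predate the fix.
$servers | ForEach-Object { Get-ADComputer $_ -Properties PasswordLastSet } |
    Select-Object Name, PasswordLastSet,
        @{ n = 'ResetAfterUpdate'; e = { $_.PasswordLastSet -ge $patchedAt } }
```

The final report can lag behind the reset until the change has replicated to the domain controller being queried.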
Furthermore, the update changes the permissions for Exchange Server in Active Directory, so "setup /prepareAD" should be executed before the update is installed. Setup also performs this step automatically. In larger Active Directory environments, however, the command should be run manually, and you should wait for Active Directory replication to complete.
The following note is also important when updating the Edge role:
To avoid a setup failure, it is necessary to install the Visual C++ 2012 runtime before installing Cumulative Update 22 or Cumulative Update 12 on Edge role if not already present.
Since CVE-2018-8581 results in changes to the EWS API, all programs and services that access EWS should be carefully tested, as it cannot be ruled out that problems may occur with programs from other manufacturers.