Microsoft has released new security updates for Exchange Server 2013, 2016 and 2019 today. The update closes a total of 6 vulnerabilities for Exchange 2019; 3 of them are considered critical.
The following vulnerabilities are closed:
- Microsoft Exchange Information Disclosure Vulnerability (CVE-2022-21979)
- Microsoft Exchange Server Elevation of Privilege Vulnerability (CVE-2022-21980)
- Microsoft Exchange Server Elevation of Privilege Vulnerability (CVE-2022-24516)
- Microsoft Exchange Server Elevation of Privilege Vulnerability (CVE-2022-24477)
- Microsoft Exchange Information Disclosure Vulnerability (CVE-2022-30134)
- Microsoft Exchange Information Disclosure Vulnerability (CVE-2022-34692)
As some of the vulnerabilities are critical, the updates should be installed promptly. Exchange servers that have not yet been updated to a current CU must first receive the corresponding CU before the August update can be installed. The graphic from the Exchange Team Blog illustrates the procedure:
Microsoft also recommends enabling "Windows Extended Protection" after installing the August updates. Windows Extended Protection is an IIS feature that is now also supported by Exchange Server. An article on Exchange Server and Windows Extended Protection can be found here:
The page also contains a script to activate Windows Extended Protection for Exchange Server.