Microsoft has released new security updates for Exchange Server 2016 and 2019. The update fixes 6 vulnerabilities that are marked as important. In addition, further adjustments are necessary after installing the updates. There are currently no indications that the vulnerabilities are being exploited.
Click here to download the updates:
The following vulnerabilities are fixed:
- CVE-2023-35368 (Remote Code Execution)
- CVE-2023-38181 (Spoofing)
- CVE-2023-38182 (Remote Code Execution)
- CVE-2023-21709 (Elevation of Privilege)
- CVE-2023-35388 (Remote Code Execution)
- CVE-2023-38185 (Remote Code Execution)
Installing the August 2023 security update alone does not fix CVE-2023-21709: a PowerShell script provided by Microsoft must also be run afterwards. The required script can be downloaded here:
Here you can find more information about the script:
If RMS or Purview Information Protection is used, further steps are required. The details can be found in the graphic from the Exchange Team Blog:

Here is the link to the article from the Exchange Team Blog:

Update 08.08.2023: Apparently the update cannot be installed successfully on German-language operating systems and Exchange servers. The setup fails with error code 1603 and leaves a faulty Exchange installation. Users of German-language Exchange servers and operating systems should therefore not install the update for the time being.
Update 09.08.2023: In the meantime, Microsoft has confirmed that the update is causing problems on non-English servers:
Due to reports that Exchange setup fails on servers running on several languages other than English, we have temporarily removed August SU from Microsoft / Windows update until we find the root cause of the problem. We recommend our customers running non-English servers to pause installation until we provide more information. If your server has been already impacted by failed setup, please do not try uninstalling anything. Re-enable Exchange Services by running the following from the \Exchange Server\V15\Bin folder. Reboot the server after this and services should start:
.\ServiceControl.ps1 AfterPatch
Update 16.08.2023: A new version of the update has been released. See here: New security updates for Exchange Server (August 2023)