Microsoft has released new security updates for Exchange Server 2013, 2016 and 2019. The security update is intended to fix the following three vulnerabilities:
- CVE-2022-21969 (Important)
- CVE-2022-21855 (Important)
- CVE-2022-21846 (Critical)
All three vulnerabilities allow remote code execution. The updates should therefore be installed as soon as possible, even if no exploitation of the vulnerabilities is currently known.
The updates can be downloaded here:
As usual, Microsoft only provides updates for the current and previous CU. Exchange servers with an older CU are most likely also affected by the vulnerabilities. If you are still running Exchange Server with an older CU, you must first update to a current CU and then install the security updates.
Because Exchange servers are currently a frequent target of attacks, or a gateway for them, every admin should ensure that security updates for Exchange servers and the operating system are installed as soon as possible.
The update also fixes a problem that occurred with the November update:
Here is the corresponding entry from the Exchange Server Team Blog:
Microsoft also explicitly points out that a manual installation of the update must be carried out from an elevated shell ("Run as administrator"). Here is an example of the "Elevated Shell":
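
One way to script the checks around a manual installation from an elevated shell, added here as an example and not taken from the original post or from Microsoft. The patch path and log location are placeholders, and the signature check is an extra safeguard the post does not mention.

```powershell
# Added example: pre-flight checks before manually installing an Exchange security update.
# $PatchPath and $LogPath are placeholders; point $PatchPath at the .msp for your installed CU.
param(
    [string]$PatchPath = 'C:\Install\Exchange-SU-PLACEHOLDER.msp',
    [string]$LogPath   = 'C:\Install\Exchange-SU-install.log'
)

# 1. Refuse to continue unless this session is elevated ("Run as administrator").
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'This shell is not elevated. Start it with "Run as administrator" and retry.'
}

# 2. Show the installed Exchange build so it can be compared with the CUs the update supports.
$exsetup = Get-Command ExSetup.exe -ErrorAction SilentlyContinue
if (-not $exsetup) {
    throw 'ExSetup.exe was not found in PATH. Run this on the Exchange server itself.'
}
Write-Host "Installed Exchange build: $($exsetup.FileVersionInfo.ProductVersion)"

# 3. Check that the downloaded package exists and carries a valid Authenticode signature.
if (-not (Test-Path -LiteralPath $PatchPath)) {
    throw "Patch file not found: $PatchPath"
}
$sig = Get-AuthenticodeSignature -FilePath $PatchPath
if ($sig.Status -ne 'Valid') {
    throw "Signature check failed for $PatchPath (status: $($sig.Status))"
}
Write-Host "Package signed by: $($sig.SignerCertificate.Subject)"

# 4. Apply the update with verbose logging and wait for msiexec to finish.
$msiArgs = @('/update', "`"$PatchPath`"", '/l*v', "`"$LogPath`"")
$proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru

# 0 = success, 3010 = success but a reboot is required; anything else is a failure.
switch ($proc.ExitCode) {
    0       { Write-Host 'Update installed.' }
    3010    { Write-Host 'Update installed; reboot required.' }
    default { throw "msiexec failed with exit code $($proc.ExitCode). See $LogPath" }
}
```

If the build printed in step 2 belongs to a CU older than the current or previous one, update the CU first as described above.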
The update can of course also be installed via WSUS, Windows Update or other tools. If the Exchange Server update goes wrong, you can find some possible solutions to the problems here: