Microsoft has released new security updates for Exchange Server 2013, 2016 and 2019. These three vulnerabilities are fixed in Exchange Server 2016 and 2019:
CVE-2021-41348 is a vulnerability rated "High" in severity that allows elevation of privilege.
The following vulnerability is fixed in Exchange 2013:
CVE-2021-26427 is also rated "High" in severity and allows remote code execution. The available updates should therefore be installed promptly. Here are the direct links to the update downloads:
No active exploits are yet known, but this could change with the release of the updates.
Microsoft also explicitly points out that the manual installation of the update must be carried out using a shell in "Elevated" mode ("Run as administrator"). Here is an example of the "Elevated Shell":
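A guard for that requirement, as an added example that is not part of the original post or Microsoft's guidance: the PowerShell script below refuses to start the installer unless the session is elevated, checks the patch file's Authenticode signature, and reports the msiexec exit code. The script parameters, the default log location and the function name `Test-Elevated` are assumptions made for this example.

```powershell
# Added example (not from the original post). $PatchPath and $LogPath are
# assumed parameters: pass the path of the .msp file you downloaded.
param(
    [Parameter(Mandatory)] [string] $PatchPath,
    [string] $LogPath = (Join-Path $env:TEMP 'ExchangeSU-install.log')
)

# Hypothetical helper: true only if this process holds an elevated admin token.
function Test-Elevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

if (-not (Test-Elevated)) {
    Write-Error 'This shell is not elevated. Reopen it with "Run as administrator".'
    exit 1
}

if (-not (Test-Path -LiteralPath $PatchPath -PathType Leaf)) {
    Write-Error "Patch file not found: $PatchPath"
    exit 1
}

# Do not install a package whose signature does not validate.
$sig = Get-AuthenticodeSignature -FilePath $PatchPath
if ($sig.Status -ne 'Valid') {
    Write-Error "Signature check failed ($($sig.Status)) for $PatchPath"
    exit 1
}
Write-Host "Signed by: $($sig.SignerCertificate.Subject)"

# msiexec inherits the elevated token of this session; /l*v writes a verbose log.
$msiArgs = @('/p', "`"$PatchPath`"", '/l*v', "`"$LogPath`"")
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

switch ($proc.ExitCode) {
    0       { Write-Host 'Update installed.' }
    3010    { Write-Host 'Update installed, restart required.' }
    default {
        Write-Error "msiexec returned $($proc.ExitCode). See $LogPath"
        exit $proc.ExitCode
    }
}
```

Compare the printed signer with the publisher you expect before relying on the result, and keep the verbose log for troubleshooting if the installation fails.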
Before installing the updates, you should also take a look at the known problems:
- Description of the security update for Microsoft Exchange Server 2019 and 2016: October 12, 2021 (KB5007012)
- Description of the security update for Microsoft Exchange Server 2013: October 12, 2021 (KB5007011)
The update can of course also be installed via WSUS, Windows Update or other tools. If the Exchange Server update goes wrong, you can find some possible solutions to the problems here: