Franky's Web

New security updates for Exchange Server (February 2023)

Microsoft has released new security updates for Exchange 2013, 2016 and 2019. A total of 4 vulnerabilities classified as important are fixed. Details on the closed vulnerabilities can be found here:

As can be seen, all 4 vulnerabilities are remote code execution vulnerabilities, so the updates should be installed as soon as possible.

Click here to download the updates directly:

Here you can find the article from the Exchange Team Blog:

I have also already updated my page on the latest Exchange versions:

There you will also find the option to receive an e-mail directly when updates are published.

Update 15.02.: Anyone who installed the Exchange SU via Windows Update before 15.02.2023 17:00 should try again. Windows Update delivered the January SU and not the current February SU. As often mentioned, the safest and most stable way to install Exchange updates is the EXE package and not Windows Update. See the note from the Exchange Team Blog:

Note: Build availability issues have been resolved. If your server downloaded the February SU via Windows/ Microsoft update before February 15 8 AM Pacific time, you might see the February update be offered again. Installing the updated package will bring your server forward to current February builds (verify using Health Checker after installation). The Download Center .exe update packages were (and still are) correct.

https://techcommunity.microsoft.com/t5/exchange-team-blog/released-february-2023-exchange-server-security-updates/ba-p/3741058

Update 16.02: After installing the SU, Exchange 2016 / 2019 servers may experience the problem that the EWS Application Pool in IIS crashes. Event 4999 is logged in the event log with the following message:

E12IIS, c-RTL-AMD64, 15.01.2507.021, w3wp#MSExchangeServicesAppPool, M.Exchange.Diagnostics, M.E.D.ChainedSerializationBinder.EnforceBlockReason, M.E.Diagnostics.BlockedDeserializeTypeException, 437c-dumptidset, 15.01.2507.021.

The following workaround has been published on the Exchange Team Blog:

1. Create the following regkey in the exchange servers: SOFTWARE\Microsoft\ExchangeServer\v15\Diagnostics\DisableBaseTypeCheckForDeserialization
The regkey is ‘string value’ type and needs to have a value of 1.
2. Create the below setting override:

  1. New-SettingOverride -Name "Adding learning location ClientExtensionCollectionFormatter" -Server <ServerName> -Component Data -Section DeserializationBinderSettings -Parameters @("LearningLocations=ClientExtensionCollectionFormatter") -Reason "Deserialization failed"
  2. Force the application of the setting by running the following:
    Get-ExchangeDiagnosticInfo -Process Microsoft.Exchange.Directory.TopologyService -Component VariantConfiguration -Argument Refresh
    Restart IIS app pools.
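
The following read-only check is an added example, not part of the original post or the Exchange Team Blog: it reports whether a server has logged the event 4999 crash described above and whether the two workaround settings are present. Assumptions: the registry path lies under HKEY_LOCAL_MACHINE, a 7-day look-back window is enough, and the script runs in an elevated Exchange Management Shell.

```powershell
# Added example: audit for the EWS app pool crash and the workaround state.
# It changes nothing on the server.
$since   = (Get-Date).AddDays(-7)   # constructed look-back window
# Assumption: the hive is HKLM; the post gives the path without a hive.
$regPath = 'HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15\Diagnostics'
$regName = 'DisableBaseTypeCheckForDeserialization'

# 1. Event 4999 entries that name the EWS app pool and the blocked-type exception.
#    Get-WinEvent returns the newest events first.
$filter  = @{ LogName = 'Application'; Id = 4999; StartTime = $since }
$crashes = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object {
        $_.Message -match 'MSExchangeServicesAppPool' -and
        $_.Message -match 'BlockedDeserializeTypeException'
    })

# 2. Registry value from step 1 of the workaround (string value, data 1).
$reg      = Get-ItemProperty -Path $regPath -Name $regName -ErrorAction SilentlyContinue
$regValue = if ($reg) { $reg.$regName } else { $null }
$regType  = if ($null -ne $regValue) { $regValue.GetType().Name } else { $null }

# 3. Setting override from step 2 (cmdlet exists only in the Exchange Management Shell).
$override = $null
if (Get-Command Get-SettingOverride -ErrorAction SilentlyContinue) {
    $override = Get-SettingOverride | Where-Object {
        $_.SectionName -eq 'DeserializationBinderSettings' -and
        ($_.Parameters -join ';') -match 'LearningLocations=ClientExtensionCollectionFormatter'
    }
}

# One summary object per server, suitable for Export-Csv or remote collection.
[pscustomobject]@{
    Server          = $env:COMPUTERNAME
    CrashEvents     = $crashes.Count
    LastCrash       = ($crashes | Select-Object -First 1).TimeCreated
    RegistryValue   = $regValue
    RegistryType    = $regType
    OverridePresent = [bool]$override
}
```

A server with crash events but no registry value or override has the problem without the workaround; a server with both settings and no recent crash events has it applied.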
