The Windows Server updates that were released on February 19, 2019, after the regular Patch Day, are also important for Exchange Server running on Windows Server 2016. Specifically, they address a problem that has existed since September 2018:
KB4457127 causes problems on DCs in connection with Exchange
KB4457127 causes problems with the Exchange address lists after installation on domain controllers, so it was previously advisable not to install the corresponding update on DCs:
KB4487006 from February 19, 2019 now fixes this problem. Here is an excerpt from the list of fixed issues:
Addresses an issue that may cause Microsoft Outlook to display the error, "The operation failed" when viewing the Microsoft Exchange Address Book. This issue occurs after installing KB4457127 on Active Directory domain controllers that utilize Microsoft Exchange. The error appears on Microsoft Outlook clients that use locales other than EN-US.
February 19, 2019-KB4487006 (OS Build 14393.2828)
Furthermore, KB4487006 makes it possible to limit the HTTP/2 SETTINGS frames that clients can send to the IIS web server. Attackers who exploit this vulnerability could drive up the CPU load on IIS servers (and therefore also on Exchange servers) until the server is overloaded and becomes unusable (DDoS).
However, KB4487006 does not fix the vulnerability in connection with HTTP/2 Settings Frames, but only offers the possibility to restrict the scenario by means of appropriate limits:
Define thresholds on the number of HTTP/2 Settings parameters exchanged over a connection
Since no limits are set by default and it is therefore still possible to drive the CPU load on Exchange servers to 100%, the question naturally arises as to which limits make sense here.
I can't answer this question at the moment either, as I don't have any relevant information.
I have used the following values for the sake of testing:
I took these values from the following Reddit thread (but these are guesses):
Microsoft publishes security alert on IIS bug that causes 100% CPU usage spikes
As soon as I have more information, I will update this article.
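
One way to check whether the limits are configured on an IIS or Exchange server, as an added example that is not part of the original post. It assumes the registry value names Microsoft documents for this mitigation (`Http2MaxSettingsPerFrame` and `Http2MaxSettingsPerMinute` under the HTTP.sys `Parameters` key); the function names are hypothetical, and no limit values are suggested here.

```powershell
# Added example: audit (and optionally set) the HTTP/2 SETTINGS limits for HTTP.sys.
# Assumption: value names as documented by Microsoft for this mitigation.
# The limit numbers are NOT supplied here; the operator must choose them.
$Http2Key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$Http2Names = 'Http2MaxSettingsPerFrame', 'Http2MaxSettingsPerMinute'

function Get-Http2SettingsLimit {
    # Returns one object per value; Configured = $false means no limit is set,
    # which is the default state after installing KB4487006.
    $props = Get-ItemProperty -Path $Http2Key -ErrorAction SilentlyContinue
    foreach ($name in $Http2Names) {
        $value = if ($props -and $null -ne $props.$name) { $props.$name } else { $null }
        [pscustomobject]@{
            Computer   = $env:COMPUTERNAME
            Name       = $name
            Value      = $value
            Configured = $null -ne $value
        }
    }
}

function Set-Http2SettingsLimit {
    # Writes both DWORD values; run with -WhatIf first to preview the change.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][uint32]$MaxSettingsPerFrame,
        [Parameter(Mandatory)][uint32]$MaxSettingsPerMinute
    )
    $wanted = @{
        Http2MaxSettingsPerFrame  = $MaxSettingsPerFrame
        Http2MaxSettingsPerMinute = $MaxSettingsPerMinute
    }
    foreach ($name in $wanted.Keys) {
        if ($PSCmdlet.ShouldProcess("$Http2Key\$name", "Set DWORD $($wanted[$name])")) {
            New-ItemProperty -Path $Http2Key -Name $name -PropertyType DWord `
                -Value $wanted[$name] -Force | Out-Null
        }
    }
    Get-Http2SettingsLimit   # show the resulting state
}

# Report the current state on this server
Get-Http2SettingsLimit | Format-Table -AutoSize
```

A restart of the HTTP service or a reboot may be required before HTTP.sys picks up changed values.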