Cumulative Update 12 for Exchange 2016 is now available. It contains 3 new documented security updates and 23 additional documented new fixes or improvements, as well as all previously released fixes and security updates for Exchange 2016 and the latest DST updates.
Notable improvements, changes and fixes are:
- ADV190004: February 2019 Oracle Outside In Library Security Update
Microsoft Exchange Server contains some elements of the Oracle Outside In libraries. This update contains fixes for vulnerabilities which are described in: Oracle Critical Patch Update Advisory – October 2018.
- CVE-2019-0686 and CVE-2019-0724: Microsoft Exchange Server Elevation of Privilege Vulnerability
An elevation of privilege vulnerability exists in Microsoft Exchange Server. An attacker who successfully exploited this vulnerability could gain the same rights as a Domain Administrator or gain the same rights as any other user of the Exchange server. This could allow the attacker to perform activities such as accessing the mailboxes of other users. Exploitation of this vulnerability requires Exchange Web Services (EWS) and Push Notifications to be enabled and in use in an affected environment.
To mitigate this vulnerability, the AD permissions granted to Exchange servers have been modified, as discussed in KB4490059: Reducing permissions required to run Exchange Server by using Shared Permissions Model. In addition, changes have been made to EWS authentication, as discussed in KB4490060: Exchange Web Services Push Notifications can be used to gain unauthorized access.
- KB4487603: “The action cannot be completed” error when you select many recipients in the Address Book of Outlook in Exchange Server 2016.
- KB4488268: Disable the irrelevant Query logs that’re created in Exchange Server 2016.
This release includes no new updates to the Active Directory Schema.
The next planned quarterly update is in June 2019.
Download: Cumulative Update 12 for Exchange Server 2016 (KB4471392)
Download: Exchange Server 2016 CU12 UM Language Packs
View: Description of Cumulative Update 12 for Exchange Server 2016
View: Blog post of the Exchange Team about CU12 for Exchange Server 2016