Security updates have been released for Exchange 2013, Exchange 2016 and Exchange 2019.
The updates fix the following vulnerabilities:
- CVE-2021-31196: Microsoft Exchange Server Remote Code Execution Vulnerability
- CVE-2021-31206: Microsoft Exchange Server Remote Code Execution Vulnerability
- CVE-2021-34470: Microsoft Exchange Server Elevation of Privilege Vulnerability
None of the vulnerabilities is currently publicly disclosed or exploited. The Exploitability Assessment rating is: Exploitation Less Likely.
If you are running Exchange 2013, a schema update must be applied after installing the update. See the Exchange Blog article for more information.
If you get the following error when trying to log in to OWA or ECP after applying the security update, see the article "Can’t sign in to Outlook on the web or EAC if Exchange Server OAuth certificate is expired":
HMACProvider.GetCertificates:protectionCertificates.Length<1
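To catch the expired OAuth certificate condition before users hit the error above, the check below can be run in the Exchange Management Shell. It is an added example, not part of the original post or of Microsoft's article; the 60-day warning threshold and the variable names are assumptions.

```powershell
# Added example: report the state of the Exchange OAuth certificate on each server.
# Run in the Exchange Management Shell, before or after installing the update.
$WarnDays = 60   # assumed warning threshold, not a value from the article

# Thumbprint of the certificate currently configured for OAuth
$authThumbprint = (Get-AuthConfig).CurrentCertificateThumbprint

if ([string]::IsNullOrEmpty($authThumbprint)) {
    Write-Warning 'Auth Config has no current OAuth certificate thumbprint set.'
}
else {
    $now = Get-Date

    # Edge Transport servers do not host OWA/ECP, so they are skipped.
    $servers = Get-ExchangeServer | Where-Object { -not $_.IsEdgeServer }

    $report = foreach ($server in $servers) {
        # The certificate must be present in the local store of every server.
        $cert = Get-ExchangeCertificate -Server $server.Name `
                    -Thumbprint $authThumbprint -ErrorAction SilentlyContinue

        if (-not $cert) {
            $status = 'Missing'; $notAfter = $null; $daysLeft = $null
        }
        else {
            $notAfter = $cert.NotAfter
            $daysLeft = [int][math]::Floor(($notAfter - $now).TotalDays)
            if     ($notAfter -le $now)      { $status = 'Expired' }
            elseif ($daysLeft -le $WarnDays) { $status = 'ExpiringSoon' }
            else                             { $status = 'OK' }
        }

        [pscustomobject]@{
            Server     = $server.Name
            Thumbprint = $authThumbprint
            NotAfter   = $notAfter
            DaysLeft   = $daysLeft
            Status     = $status
        }
    }

    $report | Sort-Object Status, Server | Format-Table -AutoSize

    if ($report | Where-Object { $_.Status -in 'Missing', 'Expired' }) {
        Write-Warning 'OAuth certificate is missing or expired on at least one server.'
    }
}
```

A status of Missing or Expired on any server matches the condition described in the linked article, which covers how to renew the certificate.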
View: Exchange Blog: Released: July 2021 Exchange Server Security Updates
View: Description of the security update for Microsoft Exchange Server 2019: July 13, 2021 (KB5004780)
View: Description of the security update for Microsoft Exchange Server 2016: July 13, 2021 (KB5004779)
View: Description of the security update for Microsoft Exchange Server 2013: July 13, 2021 (KB5004778)
Download: Security Update for Exchange 2019 CU9 and CU10
Download: Security Update for Exchange 2016 CU20 and CU21
Download: Security Update for Exchange 2013 CU23