Security updates have been released for Exchange 2013, Exchange 2016 and Exchange 2019.
The updates fix the following vulnerabilities:
- CVE-2022-41040: Microsoft Exchange Server Elevation of Privilege Vulnerability
- CVE-2022-41082: Microsoft Exchange Server Remote Code Execution Vulnerability
- CVE-2022-41078: Microsoft Exchange Server Spoofing Vulnerability
- CVE-2022-41123: Microsoft Exchange Server Elevation of Privilege Vulnerability
- CVE-2022-41079: Microsoft Exchange Server Spoofing Vulnerability
- CVE-2022-41080: Microsoft Exchange Server Elevation of Privilege Vulnerability
Note that this Security Update also addresses the zero-day vulnerabilities disclosed on September 29 (CVE-2022-41040 and CVE-2022-41082). If you applied the mitigations for those as instructed in the earlier Exchange Team blog post, you can leave them in place or remove them after installing the updates.
Even with those mitigations applied, it is important to install these updates, which contain the actual code-level fixes, as soon as possible, because these vulnerabilities are being actively exploited. Also, 3 of the other vulnerabilities have a rating of "Exploitation More Likely".
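To make the "patch first, then decide about the mitigations" step concrete, here is an added example (my own script, not from the original post or from Microsoft) that walks all Exchange servers in the organization, checks whether the November 2022 SU (KB5019758, from the KB article linked below) is registered in the Uninstall keys, and lists any URL Rewrite rules on Default Web Site, which is where the September mitigation rule was placed. The DisplayName format of the SU entry, the site name, and the use of WinRM to reach each server are assumptions; adjust them to your environment.

```powershell
# Added example, not part of the original post or of Microsoft's tooling.
# Run from the Exchange Management Shell on a host that can reach every
# Exchange server over WinRM (Invoke-Command). Assumptions are marked inline.

$Kb = 'KB5019758'   # November 2022 SU, taken from the KB article referenced in the post

# 1. Inventory: which servers exist and which build they report
$servers = Get-ExchangeServer | Sort-Object Name
$servers | Select-Object Name, AdminDisplayVersion | Format-Table -AutoSize

# 2. Per server: is the SU installed, and are mitigation rewrite rules still present?
$report = foreach ($srv in $servers) {
    Invoke-Command -ComputerName $srv.Name -ArgumentList $Kb -ScriptBlock {
        param($Kb)

        # Assumption: Exchange SUs register under the Uninstall keys with the KB
        # number in DisplayName (e.g. "... Exchange Server ... (KB5019758)").
        $uninstallPaths = @(
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
        )
        $su = Get-ItemProperty -Path $uninstallPaths -ErrorAction SilentlyContinue |
              Where-Object { $_.DisplayName -like '*Exchange*' -and $_.DisplayName -like "*$Kb*" }

        # The September mitigation was a URL Rewrite request-blocking rule on
        # Default Web Site (assumption: site name). List whatever rewrite rules
        # exist there so the admin can decide whether to keep or remove them.
        Import-Module WebAdministration -ErrorAction SilentlyContinue
        $rules = Get-WebConfiguration -PSPath 'IIS:\Sites\Default Web Site' `
                    -Filter 'system.webServer/rewrite/rules/rule' -ErrorAction SilentlyContinue

        [pscustomobject]@{
            Server        = $env:COMPUTERNAME
            SuInstalled   = [bool]$su
            SuDisplayName = ($su | Select-Object -First 1).DisplayName
            RewriteRules  = ($rules | ForEach-Object { $_.name }) -join '; '
        }
    }
}

$report | Format-Table Server, SuInstalled, SuDisplayName, RewriteRules -AutoSize

# 3. Servers still lacking the SU are the ones to patch first; rewrite rules may
#    stay on patched servers, but they are no longer the primary protection.
$report | Where-Object { -not $_.SuInstalled } | ForEach-Object {
    Write-Warning "$($_.Server): $Kb not found; install the update as soon as possible."
}
```

Servers reporting SuInstalled = False but with a rewrite rule listed are running on the mitigation alone, which is exactly the state the post warns against; treat them as the first to patch.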
The updates also contain fixes for the following non-security issues:
- Delivery Report search from ECP might fail with IIS logs showing SEC_E_BAD_BINDINGS in a cross-site scenario after enabling Extended Protection
- Export-UMPrompt could fail with InvalidResponseException
View: Exchange Blog: Released: November 2022 Exchange Server Security Updates
View: Description of the security update for Microsoft Exchange Server 2019, 2016, and 2013: November 8, 2022 (KB5019758)
Download: Security Update for Exchange 2019 CU11 and CU12
Download: Security Update for Exchange 2016 CU22 and CU23
Download: Security Update for Exchange 2013 CU23