Security updates have been released for Exchange 2013, Exchange 2016 and Exchange 2019.
The updates fix the following vulnerabilities:
- CVE-2022-21979: Microsoft Exchange Information Disclosure Vulnerability
- CVE-2022-21980: Microsoft Exchange Server Elevation of Privilege Vulnerability
- CVE-2022-24477: Microsoft Exchange Server Elevation of Privilege Vulnerability
- CVE-2022-24516: Microsoft Exchange Server Elevation of Privilege Vulnerability
- CVE-2022-30134: Microsoft Exchange Server Elevation of Privilege Vulnerability
- CVE-2022-34692: Microsoft Exchange Information Disclosure Vulnerability
None of the vulnerabilities are currently publicly disclosed or known to be exploited. However, for 3 of the vulnerabilities the exploitability assessment is rated “More Likely”, so it is important to update as soon as possible.
In addition to installing the update, you must also enable Windows Extended Protection to be protected against these vulnerabilities. This is unfortunately not a simple thing to enable, as it is not compatible with all configurations. Therefore, make sure you read the Extended Protection documentation carefully and use the provided script to enable it.
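Because the update alone does not mitigate these issues, it is worth verifying after running Microsoft's script that Extended Protection really took effect. The following is an added example (not code from the Exchange blog post or from Microsoft's script) that reads the IIS `tokenChecking` value for the root and every application of the two Exchange web sites; it assumes it runs in an elevated PowerShell session on the Exchange server and that the sites use the default names `Default Web Site` and `Exchange Back End`.

```powershell
# Added example, not part of the original post. Reports the Extended Protection
# setting of each IIS application under the Exchange web sites. A value of "None"
# means Extended Protection is not enforced on that path; the values each path
# should have after enabling it are given in Microsoft's Extended Protection
# documentation, so this script only reports, it does not change anything.
Import-Module WebAdministration

function Get-ExchangeEpStatus {
    # Site names are the Exchange defaults (assumption).
    $sites  = @('Default Web Site', 'Exchange Back End')
    $filter = 'system.webServer/security/authentication/windowsAuthentication'

    foreach ($site in $sites) {
        # Site root plus every application (virtual directory) beneath it.
        $paths = @("IIS:\Sites\$site")
        $paths += Get-WebApplication -Site $site | ForEach-Object {
            "IIS:\Sites\$site" + $_.path.Replace('/', '\')
        }

        foreach ($p in $paths) {
            $ep = Get-WebConfigurationProperty -PSPath $p -Filter $filter `
                  -Name 'extendedProtection' -ErrorAction SilentlyContinue
            $token = 'n/a'
            if ($ep) { $token = [string]$ep.tokenChecking }

            [pscustomobject]@{
                Path          = $p
                TokenChecking = $token
                # Only Allow/Require indicate Extended Protection is active.
                Enabled       = ($token -eq 'Allow' -or $token -eq 'Require')
            }
        }
    }
}

Get-ExchangeEpStatus | Format-Table -AutoSize
```

Any row reporting `None` or `n/a` on a path the documentation lists as requiring Extended Protection should be investigated before the server is considered protected.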
The updates also fix the following non-security issues:
- KB5017261: Start-DatabaseAvailabilityGroup fails with BlockedDeserializeTypeException
- KB5017430: E-Discovery search fails in Exchange Online
View: Exchange Blog: Released: August 2022 Exchange Server Security Updates
View: Description of the security update for Microsoft Exchange Server 2019 and 2016: August 9, 2022 (KB5015322)
View: Description of the security update for Microsoft Exchange Server 2013: August 9, 2022 (KB5015321)
Download: Security Update for Exchange 2019 CU11 and CU12
Download: Security Update for Exchange 2016 CU22 and CU23
Download: Security Update for Exchange 2013 CU23