Security updates have been released for Exchange 2016 and Exchange 2019.
The updates fix the following vulnerabilities:
- CVE-2023-36778: Microsoft Exchange Server Remote Code Execution Vulnerability
None of the vulnerabilities are currently publicly disclosed or exploited. However, CVE-2023-36778 is rated as “Exploitation More Likely”, so make sure you update as soon as possible!
The updates also contain the following new feature and non-security issues:
- Extended Protection causes Outlook for Mac not to update the OAB
- Details Templates Editor fails and returns BlockedDeserializeTypeException
- Users in account forest can’t change expired password in OWA in multi-forest Exchange deployments after installing August 2023 SU
Additionally, the Windows team has released a new update that contains a better solution for CVE-2023-21709 from last August. This is better known as the IIS Token Cache issue, where you had to apply the update and disable the Token Cache module. This has now been addressed via CVE-2023-36434. For more info, see the Exchange blog post referenced below.
View: Exchange Blog: Released: October 2023 Exchange Server Security Updates
View: Description of the security update for Microsoft Exchange Server 2019 and 2016: October 10, 2023 (KB5030877)
Download: Security Update V2 for Exchange 2019 CU12 and CU13
Download: Security Update V2 for Exchange 2016 CU23