Today we are announcing the latest set of Cumulative Updates for Exchange Server 2016 and Exchange Server 2013. In addition to normal fixes to customer reported issues, these releases also include...
Updated Jul 01, 2019
Version 2.0
Blog Post
I wonder what percentage of the user base this even affects. It addresses people who installed Oracle products on their Exchange boxes.
I understand Oracle binaries are baked-in to OWA on Exchange 2007 [web-ready document viewing] - so installing UR20 should be considered to fix the security vulnerability.
- Also Oracle libraries are baked-in to Exchange 2010 - see https://technet.microsoft.com/en-us/library/security/ms12-058.aspx - so install UR14 to cover this vulnerability
- The Outside-In binaries from Oracle affect all currently supported versions of Exchange. Last week we shipped security updates for all products as part of the patch Tuesday release. We do not consider security releases to be bound by our quarterly release schedule which is why they are not called out in this blog announcement. Customer who move to Exchange Server 2016 Cumulative Update 2 or Exchange Server 2013 Cumulative Update 13 do not need to apply the updates released last week if they move to the Cumulative Updates released this week. All customers should choose a deployment path that allows them to address the security vulnerability in the Oracle products included with Exchange Server.