Nino_Bilic LukasSMSFT
If you look at the description for the March 2023 SU here:
https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-march-14-2023-kb5024296-e13b0369-2102-4c95-bee2-456514630727
It shows that it addresses one CVE, CVE-2023-21707. This CVE was originally addressed in the Feb 2023 SU.
If you dive deeper into the CVE here:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21707
It indicates that the CVE was updated on March 9th.
If you scroll to the bottom of the CVE details page to look at the revision information it indicates this:
“Updated CVE to announce re-release of security updates. Please see FAQ section for more information.”
If you look at the FAQ section on the CVE details it says this:
“Why are there new updates associated with this CVE?
We are re-releasing this CVE to inform customers that there are new updates to install for this vulnerability. A small subset of customers were experiencing problems with Exchange Web Services due to the updates that were released in February. The new updates address these problems. Customers who are experiencing issues with the February updates are encouraged to install the March Exchange Server updates listed in the Security Updates table.” (The bold emphasis is mine)
It specifically states that customers are encouraged to install the March 2023 SU for customers who are experiencing issues with the February updates.
Outlook CVE-2023-23397 found here:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397
Makes no mention that Exchange SU for March 2023 is required to resolve CVE-2023-23397.
Having stepped all the above out, I would suggest that from Microsoft documentation provided, Exchange SU for March 2023 resolves issues provided by the SU Feb 2023 fix for CVE-2023-21707. Based on their documentation, SU for March 2023 corrects the issues some experienced with the Feb SU, and to apply March SU if you experienced the described issues. The documentation also implies that to resolve CVE-2023-23397 you only need to install the latest Office updates released on March 14.
Can we please have confirmation as to what I have detailed above?