Released: October 2022 Exchange Server Security Updates

Stav_K The only time you are protected from those vulnerabilities is if you install either August or October SUs (or any SUs that come later, in the future) AND you also enable Extended Protection (EP) which needs to be done manually. EP is not turned on in code and without it, you have required code in place but the CVEs are not addressed because there is no extra validation of machine to machine communications. When in doubt - Health Checker script will always tell you what you need to do.

On your second question - yes, Description of the security update for Microsoft Exchange Server 2019 and 2016: October 11, 2022 (KB5019077) addresses CVE-2022-34692 - Security Update Guide - Microsoft - Microsoft Exchange Information Disclosure Vulnerability but you are right that while the KB points to the CVE, the CVE does not point to the KB. I'll give feedback to the relevant team to make this change.

EDIT: one more thing... we recommend all customers install October updates even if they installed August updates. We do not recommend that customers skip October. You are right, however, that there are no new CVEs in October. But note that it is usually not a good practice to assume that "update should be installed only if there are new CVEs present." There can definitely be situations where we include security improvements that were never publicly disclosed and therefore will not have a CVE. Therefore our recommendation: install security updates.