Microsoft has released Security Updates (SUs) for vulnerabilities found in:
Exchange Server 2019
Exchange Server 2016
SUs are available for the following specific versions of Exchange Serve...
Updated Oct 12, 2023
Version 8.0
Blog Post
Nino_Bilic
Microsoft
Microsoftwolfgang-frey Hmmm yeah this is a bit confusing but:
The long version: CVE-2023-21709 (Exchange vulnerability disclosed in August) had a solution (at the time) of disabling the IIS Token Cache. Now (October 2023) - IIS team has released a fix for the root cause of this issue, as an update for Windows (IIS really) and has disclosed this vulnerability as CVE-2023-36434. Which is not an Exchange vulnerability (as it is a vuln in IIS). So what we are saying is - install Windows Updates first (this will get you fixed for CVE-2023-36434) and then you can safely re-enable Token Cache if you disabled it between now and August 2023 as our original guidance for CVE-2023-21709 suggested.
In other words - I think our wording is correct; the confusing part is that the previously disclosed Exchange vuln is really a subset of the later disclosed IIS vuln and the recommended way to address both is to install the fix for IIS via Windows Update.