Forum Discussion

CTechCamen's avatar
CTechCamen
Copper Contributor
Mar 10, 2022

OWA Attachments after CVE

Version: Exchange 2019 CU11 Build Number: 15.02.0986.022   Hello All,   After installing CU11 around two weeks ago, I ran the HealthChecker script and discovered there were some un-patched CVE's...
Exchange Server
christiaan-nl's avatar
christiaan-nl
Brass Contributor
Mar 17, 2022

CTechCamen 

 

Hello! I am just being reported that we have the same issue in one of our managed environments. We run multiple Exchange environments. One of this is experiencing the same issue. On the Exchange Team Blog I wrote a reply that we have not had any issues, I had to update it with this one.

 

We have configured Download Domains way back, it all worked fine. Somehow, just after the march patch attachments are not working anymore. Either embedded imaged and attachments like zip files. They result in the error shown below. This issue is now just in one of our environments, not all.

 

I am still investigating. The issue is weird, because we run other environments, exact same setup, OS, patch level, load balancer, etc. Though I don't think Download Domains is the issue here, looks like something is broken in OWA on this environment. Will do basic tests first and if necessary recreate the OWA virtual directory. Issue doesn't look server specific btw.

 

Eventlog doesnt' throw any error or something. Usually this shows something about page errors, etc.

 

I will update you here on our findings, but please continue your own research as well.

 

 

 

Update as of now:

I have deconfigured the CVE-1730 mitigation (Download Domain Config) in one of our organizations having the issue. We have only disabled the Download Domains setting at org level. Then restarted IIS on earch server. It now works again.

 

1 > Disable Download Domains on Organization Level
PS> Set-OrganizationConfig -EnableDownloadDomains $false

 

Optional:

2 > Set the server configurations back to default (Run this against every Exchange Server in your org)

PS> Set-OwaVirtualDirectory -Identity "owa (default Web site)" -ExternalDownloadHostName $null

PS> Set-OwaVirtualDirectory -Identity "owa (default Web site)" -InternalDownloadHostName $null

 

Verify with:

Get-OwaVirtualDirectory -Server <ServerName> | fl *downloadhostname*

Get-OrganizationConfig | fl *download*

 

3 > Restart IIS / Reboot Server (Maybe first disable server in load balancer the descent way, depending on your config).

 

Next

We will work on this issue later on. We set the risk of this CVE to low in our organization as we follow the exploitation indicator for this specific one. We leave it enabled on all other organizations.

Resources