In this blog post, we address two scenarios that customers have asked us about in connection with the Active Directory schema vulnerability detailed in our July 2021 security update announcement.
Note: This blog post does not apply to customers who are in an Exchange Online hybrid configuration. Hybrid customers should follow the instructions in the July 2021 Security Update announcement to update their Active Directory schema.
Without explicit action by a schema admin in your organization, you might be vulnerable to CVE-2021-34470 if:
If your organization is in one of these scenarios, we recommend the following to update your Active Directory schema to address the vulnerability in CVE-2021-34470:
Even if your organization has uninstalled all your Exchange servers, the schema extensions made by Exchange to your Active Directory are not removed. If you ran Exchange Server in the past, your Active Directory schema was extended as a part of Exchange Server installation, and any Exchange schema extensions are still present in your organization (unless you completely rebuilt your Active Directory forest). Therefore, you might be vulnerable to CVE-2021-34470, and you should use the script to address this vulnerability.
The script makes only the change needed to address CVE-2021-34470, and no other schema changes are made. You can run the script in Test mode to see if your Active Directory schema is vulnerable to CVE-2021-34470. The script will also provide validation that CVE-2021-34470 is addressed if you have already updated your schema.
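To see whether your forest matches the situation described above (schema extended by Exchange, possibly with no Exchange servers left), the following read-only check can help. It is an added example, not the script this post refers to, and it does not test for CVE-2021-34470 itself; it assumes the ActiveDirectory PowerShell module (RSAT) is installed and that the account can read the schema and configuration partitions.

```powershell
# Added example (not the Exchange Team's script): read-only inventory of
# Exchange traces in the forest. It makes no changes to Active Directory.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$schemaNc = $rootDse.schemaNamingContext
$configNc = $rootDse.configurationNamingContext

# Exchange setup records its schema version in the rangeUpper value of the
# ms-Exch-Schema-Version-Pt attribute definition. If the object exists,
# the schema has been extended by Exchange at some point.
$schemaObj = Get-ADObject -SearchBase $schemaNc `
    -LDAPFilter '(cn=ms-Exch-Schema-Version-Pt)' `
    -Properties rangeUpper |
    Select-Object -First 1

# Exchange server objects are stored in the configuration partition.
$servers = @(Get-ADObject -SearchBase $configNc `
    -LDAPFilter '(objectClass=msExchExchangeServer)')

# Classify the forest; the wording of these labels is this example's own.
$scenario =
    if (-not $schemaObj) {
        'Schema has not been extended by Exchange'
    } elseif ($servers.Count -eq 0) {
        'Exchange schema extensions present, no Exchange server objects found'
    } else {
        'Exchange schema extensions present, Exchange server objects found'
    }

[pscustomobject]@{
    SchemaExtendedByExchange = [bool]$schemaObj
    ExchangeSchemaRangeUpper = if ($schemaObj) { $schemaObj.rangeUpper } else { $null }
    ExchangeServerObjects    = $servers.Count
    Scenario                 = $scenario
}
```

A result showing schema extensions with no server objects corresponds to the uninstalled-Exchange case above, where the script from the announcement is still needed.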
The Exchange Team