The FINAL list of all security updates (SU) released for older CU releases: 3/16/2021 released update for: E2013 SP1 3/11/2021 released updates for: E2019 RTM, CU1 and CU2. E2016 CU8, CU9, CU10 and CU11. 3/10/2021 released updates for: E2019 CU3. E2016 CU12, CU13 and CU17. E2013 CU21 and CU22. 3/8/2021 released updates for: E2019 CU4, CU5 and CU6. E2016 CU14, CU15 and CU16.
To help customers more quickly protect their environments in light of the March 2021 Exchange Server Security Updates, Microsoft is producing an additional series of security updates (SUs) that can be applied to some older (and unsupported) Cumulative Updates (CUs). The availability of these updates does not mean that you don’t have to keep your environment current. This is intended only as a temporary measure to help you protect vulnerable machines right now. You still need to update to the latest supported CU and then apply the applicable SUs. If you are already mid-update to a later CU, you should continue with that update.
With these new updates, you will have a new path you can take:
What are these updates?
These update packages contain only fixes for March 2021 CVEs (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065); no other product updates or security fixes are included. Installing these updates does not mean an unsupported CU is now supported.
Updates are available through the Microsoft Download Center and Microsoft Update.
We are producing updates only for some older CUs for Exchange 2013, 2016 and 2019.
If you are running a version of Exchange not covered by these updates, consider either rolling forward to a CU package that has an applicable SU, or rolling forward to a supported CU (preferred option). In case you need to go forward with CUs, please see: best practices for installation of Exchange updates (applies to all versions of Exchange).
About installation of these updates
These updates must be installed from an elevated command prompt:
Download the update but do not run it immediately.
Temporarily disable file-level antivirus software
Select Start, and type CMD.
In the results, right-click Command Prompt, and then select Run as administrator.
If the User Account Control dialog box appears, choose Yes, and then select Continue.
Type the full path of the .msp file, and then press Enter.
After the installation is finished, re-enable the antivirus software, and then restart the computer. (You might be prompted by the installer to restart.)
Installing the SUs mentioned here and then installing a later CU will make the server vulnerable to exploits again until the CU you install contains the March 2021 security fixes (Exchange 2016 CU 20 and Exchange 2019 CU 9 – and newer – include March 2021 security updates).
Installing updates requires a reboot (even if not prompted). The server will not be protected until after the reboot.
After installing one of these updates, you might see older Exchange security updates for your older CU available for download from Microsoft Update. Install the older security update from Microsoft Update and your servers will stay protected (for 4 CVEs mentioned before).
If you run into issues after installation, please see https://aka.ms/exupdatefaq first. You can also uninstall these updates (using Add/Remove Programs) if needed.
IMPORTANT: You must install .msp updates from elevated command prompt (see Known Issues in the update KB article)
These additional updates are available in KB5000871.
If you install these additional updates, please ensure that you continue to bring your Exchange environment to supported state as soon as possible. Our original announcement Released: March 2021 Exchange Server Security Updates contains information and resources that can help you plan your updates, troubleshoot problems, and help you with mitigations, investigation, and remediation of the vulnerabilities.
Additional news about investigations
To aid defenders in investigating these attacks where Microsoft security products and tooling may not be deployed, we are releasing a feed of observed indicators of compromise (IOCs). The feed of malware hashes and known malicious file paths observed in related attacks is available in both JSON and CSV formats at the below GitHub links. This information is being shared as TLP:WHITE.