March 2021 Exchange Server Security Updates for older Cumulative Updates of Exchange Server
Published Mar 08 2021 06:41 PM

The FINAL list of all security updates (SU) released for older CU releases:
3/16/2021 released update for: E2013 SP1
3/11/2021 released updates for: E2019 RTM, CU1 and CU2. E2016 CU8, CU9, CU10 and CU11.
3/10/2021 released updates for: E2019 CU3. E2016 CU12, CU13 and CU17. E2013 CU21 and CU22.
3/8/2021 released updates for: E2019 CU4, CU5 and CU6. E2016 CU14, CU15 and CU16.

 

To help customers more quickly protect their environments in light of the March 2021 Exchange Server Security Updates, Microsoft is producing an additional series of security updates (SUs) that can be applied to some older (and unsupported) Cumulative Updates (CUs). The availability of these updates does not mean that you don’t have to keep your environment current. This is intended only as a temporary measure to help you protect vulnerable machines right now. You still need to update to the latest supported CU and then apply the applicable SUs. If you are already mid-update to a later CU, you should continue with that update.

 

With these new updates, you will have a new path you can take:

[Image: EXSecUpdatesOlderCU02.jpg (diagram of the available update paths)]

What are these updates?

  • These update packages contain only fixes for March 2021 CVEs (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065); no other product updates or security fixes are included. Installing these updates does not mean an unsupported CU is now supported.
  • Updates are available through the Microsoft Download Center and Microsoft Update.
  • We are producing updates only for some older CUs for Exchange 2013, 2016 and 2019.
  • If you are running a version of Exchange not covered by these updates, consider either rolling forward to a CU package that has an applicable SU, or rolling forward to a supported CU (preferred option). In case you need to go forward with CUs, please see: best practices for installation of Exchange updates (applies to all versions of Exchange).

About installation of these updates

  • These updates must be installed from an elevated command prompt:
    1. Download the update but do not run it immediately.
    2. Temporarily disable file-level antivirus software.
    3. Select Start, and type CMD.
    4. In the results, right-click Command Prompt, and then select Run as administrator.
    5. If the User Account Control dialog box appears, choose Yes, and then select Continue.
    6. Type the full path of the .msp file, and then press Enter.
    7. After the installation is finished, re-enable the antivirus software, and then restart the computer. (You might be prompted by the installer to restart.)
  • Installing the SUs mentioned here and then installing a later CU will make the server vulnerable to exploits again until the CU you install contains the March 2021 security fixes (Exchange 2016 CU 20 and Exchange 2019 CU 9 – and newer – include March 2021 security updates).
  • Installing updates requires a reboot (even if not prompted). The server will not be protected until after the reboot.
  • After installing one of these updates, you might see older Exchange security updates for your older CU available for download from Microsoft Update. Install the older security update from Microsoft Update and your servers will stay protected (for the 4 CVEs mentioned above).
  • If you run into issues after installation, please see https://aka.ms/exupdatefaq first. You can also uninstall these updates (using Add/Remove Programs) if needed.

IMPORTANT: You must install .msp updates from an elevated command prompt (see Known Issues in the update KB article).
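The elevated-prompt procedure above as one PowerShell script, added here as an example (it is not code from the Exchange Team post or from KB5000871). It assumes Microsoft Defender is the file-level antivirus, that $MspPath is the downloaded .msp file, and it calls msiexec /update rather than typing the package path at the prompt.

```powershell
# Added example, not Microsoft's code: automates steps 2-7 of the install procedure.
# Assumptions: Defender is the file-level AV; $MspPath is the downloaded KB5000871 .msp.
param(
    [Parameter(Mandatory = $true)]
    [string]$MspPath   # e.g. 'C:\Updates\Exchange2016-KB5000871-x64-en.msp' (assumed path)
)

# Steps 3-5: the package must run from an elevated prompt; being an admin is not enough.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this script from an elevated (Run as administrator) prompt."
}
if (-not (Test-Path -LiteralPath $MspPath)) {
    throw "Update package not found: $MspPath"
}

# Step 2: temporarily disable file-level antivirus (Defender real-time scanning assumed).
Set-MpPreference -DisableRealtimeMonitoring $true
try {
    # Step 6: run the .msp (same as typing its full path at the elevated prompt) and wait.
    $proc = Start-Process -FilePath 'msiexec.exe' `
        -ArgumentList @('/update', "`"$MspPath`"", '/norestart') `
        -Wait -PassThru
    # 0 = success, 3010 = success but reboot required; anything else needs a look at the
    # MSI log and https://aka.ms/exupdatefaq before rebooting.
    if ($proc.ExitCode -notin 0, 3010) {
        throw "Installer exited with code $($proc.ExitCode); do not reboot until resolved."
    }
}
finally {
    # Step 7: re-enable antivirus whether or not the install succeeded.
    Set-MpPreference -DisableRealtimeMonitoring $false
}

# The server is not protected until it is rebooted, even if the installer did not prompt.
Write-Host "Installation finished with exit code $($proc.ExitCode). Restart the server now."
Restart-Computer -Confirm
```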

These additional updates are available in KB5000871.

If you install these additional updates, please ensure that you continue to bring your Exchange environment to supported state as soon as possible. Our original announcement Released: March 2021 Exchange Server Security Updates contains information and resources that can help you plan your updates, troubleshoot problems, and help you with mitigations, investigation, and remediation of the vulnerabilities.

Additional news about investigations

To aid defenders in investigating these attacks where Microsoft security products and tooling may not be deployed, we are releasing a feed of observed indicators of compromise (IOCs). The feed of malware hashes and known malicious file paths observed in related attacks is available in both JSON and CSV formats at the GitHub links below. This information is being shared as TLP:WHITE.

Please keep checking this blog post for any related updates.

The Exchange Team

54 Comments
Copper Contributor

Great work, this will help the other customers to safeguard their Exchange environment.

Copper Contributor

What's really strange is the CU17 for Exchange 2016 is not mentioned anywhere.  Microsoft has security fixes for CU14/15/16/18/19, but not CU17.  That, or there's a typo somewhere...

Copper Contributor

As Robert wrote, why are the security fixes for CU17 not available?

Copper Contributor
Not sure how you can call this great work - seeing as Microsoft have allowed such a hole in the first place......we've been on this for days for some 80+ customers!!!!

Copper Contributor

Where are the March 2021 SUs for the oldest CUs?

Copper Contributor

Where is the link to download "March 2021 Exchange Server Security Updates for older Cumulative Updates of Exchange Server "?

Copper Contributor

Could you give feedback about Server Security Updates for older Cumulative Updates of Exchange Server? Exchange 2013 CU20/CU21/CU22?

Microsoft

@Robert_Blissitt and @Mmchow The fact that CU17 is missing is not a typo; when we started to build security updates for older CUs, we prioritized the CUs that we could tell people used the most.

@urchin1240 and @DaniS470 The SUs for the older versions of CUs are in the same KB article as the SUs for officially supported CUs (KB5000871)

Copper Contributor

Sorry, I haven't found it. Could you give me a link to SUs for Exchange 2013 versions older than CU23?

Copper Contributor

Thanks, @Nino Bilic , that makes sense.  Because we are a Hybrid environment, we always strive to be at N or N - 1.  But we stayed at CU17 due to the PDF/OWA issue and I'm surprised to hear that more admins seemingly were not doing the same.  :)

 

@urchin1240 , I believe that Microsoft is no longer issuing new CUs for Exchange 2013.  If that is the case, you will have to upgrade to CU23 in order to apply this security fix.  (Unless they decide to release versions of this security fix for yet more unsupported/old Exchange versions, which you should definitely not count on because they are so old.)

Iron Contributor

@Nino Bilic On a Windows 2019 Core installation, outside of running Healthchecker, how do you confirm the installation of KB5000871 ?  It does not show up in the WAC or via the get-hotfix command.

Microsoft

@Sam_T Another option is to check the files that are put down by the installer; the files and their versions are listed in the bottom of the KB article that has all the download links KB5000871 (look at the section called 'Exchange server file information').

Iron Contributor

@Nino Bilic Hello Nino. I had a look at the list of files that are updated by KB5000871. Checking the file versions for 1000+ files on each of dozens of Exchange servers doesn't really seem practical. It appears that if the installation of KB50000871 on Windows 2019 Core is not visible in WAC or by simply running get-hotfix, this is a problem with either the patch or Windows 2019 - I'm not sure which, but it's not being reported correctly, which is an issue for an administrator or installer. Do you see the same thing on your Windows 2019 Core servers? Pozz...

Copper Contributor

If I'm running Exchange 2016 CU 16, 17 or18 and then apply CU 19, and then the March 2021 security update, will that include the February 9, 2021 (KB4602269) Security update? I'm seeing two different versions of the diagram above (second path): One says that I will be patched for all current vulnerabilities including the March 2021 one, and the other one says that I will only be current with the March 2021 security vulnerabilities.

Microsoft

@Sam_T Have a look at this specific part of this document: Repair failed installations of Exchange Cumulative and Security updates - Exchange | Microsoft Docs

@freddy104 Yes, the March 2021 security update for E2016 is a cumulative security update and contains February security fixes also.

Copper Contributor

Hi @Nino Bilic , could you tell us if we'll need to remove this security fix before installing the upcoming quarterly CU (e.g. CU20 for Exchange 2016) or if we can update to the next CU "on top" of this security fix.

Microsoft

@Robert_Blissitt You do not need to uninstall the SU to go to the next CU. Just install CU20, and you will be covered.

Copper Contributor

Hey there @Nino Bilic . I'm not seeing SU for Exchange Server 2016 cu9. When looking for the SU update on the KB it only goes back to CU14. Will I be able to use this to patch or is Microsoft rolling out other patches? HELLLPPPP!!!!

 

Microsoft

@mcl7guy Please start updating your system to the latest supported CU update ASAP. We have not announced creating more SUs for unsupported CUs. There are a variety of reasons that make this a difficult proposition (even what we shipped so far), so please do not delay.

EDIT: Well, we have now announced more SU releases... but yours is not on that list. Please work on updating!

Copper Contributor

@Nino Bilic
I'm not seeing an SU for Exchange Server 2013 cu20. Where, when?

Microsoft

@urchin1240 Yeah, we did not publish an SU for that Exchange 2013 CU. Please update to later CU and SU; do not delay!

Iron Contributor

@Nino Bilic  Hello Nino. Thanks for your response.   Repair failed installations of Exchange Cumulative and Security updates - Exchange | Microsoft Docs does appear to give you a sort of a way to check that KB5000871 is installed however I will make two comments:

1) That article is a very good generic troubleshooting article that has received some updates related to KB5000871 but does not acknowledge this. The version number returned by Get-Command Exsetup.exe | ForEach {$_.FileVersionInfo} is 15.02.0792.010, which would be the version # for CU8 with the hotfix and not for the original CU8 - that value is 15.02.0792.003. So this article is misleading in that respect and confusing to the installer. The article is also confusing in that it has some KB5000871-specific values but does not acknowledge this.

2) If you use WAC or get-hotfix against a Windows 2019 Core server you will see the updates that have been installed on that server. However this is not the case for the KB5000871 update on the systems I have installed it on, so I believe that this is a problem with this update.  I don't think installing an update on a Windows server and not being able to verify that it is installed using typical methods is a very desirable situation.  Why wouldn't it show up in WAC or via a simple get-hotfix command?  A script using get-hotfix or WAC or even a 3rd party tool not being able to find the installation of KB5000871 is a problem.
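One way to turn the file-version check discussed in this thread into a script, added here as an example (not code from the post, from Microsoft or from the KB article). It assumes ExSetup.exe is resolvable via PATH as in the command quoted above, and that $ExpectedVersion is taken from the "Exchange server file information" table in KB5000871 for your CU; the default is the patched CU8 build quoted in the comment.

```powershell
# Added example, not Microsoft's code: reports whether the March 2021 SU is present by
# comparing the ExSetup.exe file version with the build the KB article lists for this CU,
# and shows why Get-HotFix is not a usable signal for Exchange .msp packages.
param(
    # Patched build quoted above for one CU (15.02.0792.010); replace with the KB value
    # for the CU actually installed on the server being checked.
    [string]$ExpectedVersion = '15.2.792.10'
)

function Get-ExSetupVersion {
    # Exchange adds its bin folder to PATH, so Get-Command resolves ExSetup.exe directly.
    $cmd = Get-Command ExSetup.exe -ErrorAction Stop
    return [version]$cmd.FileVersionInfo.FileVersion   # e.g. 15.02.0792.010 -> 15.2.792.10
}

function Test-MarchSuInstalled {
    param([version]$Installed, [version]$Expected)
    # Major.Minor.Build identifies the CU; the SU only bumps the revision (assumption
    # based on the two values quoted in the comment above: .003 unpatched, .010 patched).
    if ($Installed.Major -ne $Expected.Major -or $Installed.Minor -ne $Expected.Minor -or
        $Installed.Build -ne $Expected.Build) {
        return 'DifferentCU'   # the expected value is for another CU; re-check the KB table
    }
    if ($Installed.Revision -ge $Expected.Revision) { return 'Patched' }
    return 'Unpatched'
}

$installed = Get-ExSetupVersion
$state = Test-MarchSuInstalled -Installed $installed -Expected ([version]$ExpectedVersion)
Write-Host "ExSetup.exe version $installed -> $state (expected $ExpectedVersion)"

# Get-HotFix reads Win32_QuickFixEngineering, which lists only Windows component updates.
# Exchange SUs are MSI patches (.msp) and never appear there, which is the gap described
# in the comment above; an empty result here is expected even on a patched server.
$hotfix = Get-HotFix | Where-Object HotFixID -eq 'KB5000871'
if (-not $hotfix) {
    Write-Host 'Get-HotFix does not list KB5000871 (expected for an MSI patch); trust the file version.'
}
```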

 

Copper Contributor

@Nino Bilic  and it won't? SU for Exchange Server 2013 cu20?

Copper Contributor

@Nino Bilic @The_Exchange_Team Please advise: Exc 2016 CU to CU 19 directly without intermediate CU; consider an upgrade of .NET Framework 4.8 as a prerequisite for CU19 (after the .NET Framework upgrade, the server restart will impact the existing CU 8 prior to upgrade).

Copper Contributor

We have a hybrid environment (mailboxes in Office 365) and when I run the script .\Test-ProxyLogon.ps1 I got the below error message, so I am just wondering: does it impact my environment? Does anyone know any other way to investigate?

Error Message: -[CVE-2021-26855] suspicious activity found in Http Proxy log!

 

https://github.com/microsoft/CSS-Exchange/tree/main/Security

 

Hi please note that the scripts you use for testing are not static by any means. They are frequently updated to reflect changes in behaviour and analysis of attacks and detection. 

Copper Contributor

I have a couple of clients on Exchange 2013 CU 15.  I see the 3/10/21 update has the patch for CU21 and CU22.  Will one be provided for CU15?

@TheFez98 We have not released an update for that version; I just updated the blog post with the final list. Please roll forward.

 

Dear @The_Exchange_Team I would like to plead for quickly bringing up a new page like a CU Archive at docs.microsoft.com that includes the links to the unsupported CUs.

We found many customers have not adopted the CUs and now end up in an unsupported state, and we need the step-up CUs for the .NET upgrade dependencies.

Currently you remove links to all non-supported CUs. It would be most helpful if the crucial CUs that are needed to get to 4.7 / 4.8 remain linked.

Thankfully they are still available when using Google.

Example: EX2016 CU14.

Some customers have installed the latest CU over a very old one without watching the .NET compatibility and faced serious issues that required restoring the Exchange server. Thanks for your point of view on whether you intend to ease the situation.

There are still many unpatched systems and the priority remains.

Copper Contributor

I have noticed that you provided the security update down to Ex 2016 CU8. I kindly ask that you provide it for 2016 CU5?

Copper Contributor

Dear Sir,

After updating Exchange Server 2016 to CU19, it seems OWA cannot be accessed now. Would you please give some comment?

:(
Something went wrong
 
Your request couldn't be completed. HTTP Status code: 500.
X-ClientId: 7C4015F5D714486B85239D9FE8CFD5A0
request-id 76d1dced-1687-4026-9469-d70ac621864a
X-OWA-Error System.Web.HttpUnhandledException
X-OWA-Version 15.1.2176.9
X-FEServer HKssssssSZ-02
X-BEServer HKssssss-02
Date:3/13/2021 8:51:06 AM
InnerException: System.IO.DirectoryNotFoundException

Brass Contributor

@Chase Skradis Please note the very top of this page where it now says that this is "The FINAL list of all updates released for older CU releases." So the security fix will not be released for any additional older versions. If you haven't already, you should update to CU8 or a higher supported version and apply the security fix.

@Jimmy520 make sure you ran a cmd with specific elevated rights to start the msp.

Being in the admin role is not enough.

Also don't forget to patch the Windows SSU as per ADV9900001 and CUs. I have seen Exchange 2016 not working with CU 19 + Patch because of missing Windows Updates.

Also check your AD Exchange Schema Version

@Chase Skradis what's the reason to stay on a severely outdated and unsupported CU?

Copper Contributor

We were able to complete the upgrade to EXC CU19 from CU 8 (our server was running .NET 4.8 with EXC CU 8 without any issue) and applied the Security Update with Windows Update.

Copper Contributor

@Karl_Wester-Ebbinghaus, yes, we had specific elevated rights to start the msp, but it fails to access it from IE OWA.

Could you give some commands to execute to repair it?

It seems to be a certificate problem. Outlook can access mail normally. OWA does not work.
Brass Contributor

Hello

My Exchange Server 2016 is on CU3; how do I update step by step to CU 19 and apply the SU and CU for the security fix?

Thanks

Copper Contributor

Hi, have a look at: https://www.msxfaq.de/exchange/update/servicepack2016.htm

There you can see the steps. Mind the .NET Framework versions!
Microsoft

@Karl_Wester-Ebbinghaus At this time, we are not shipping any additional SUs for older out of support CUs

@Chase Skradis We are not working on an SU for 2016 CU5; please update to a supported CU ASAP

@Jimmy520 Please check this: https://aka.ms/exupdatefaq

@Robert_Blissitt1930 Correct, we are not planning to ship additional SUs for older out of support CUs; the list is "final" (and is in addition to originally released SUs for supported CUs)

Copper Contributor

As Microsoft today (16 March) released CU20 for Exchange 2016 on the Volume Licensing Service Center ( SW_DVD9_Exchange_Svr_2016_CU_20_MultiLang_Std_Ent_.iso_MLF_X22-61082.ISO ) I suppose we can upgrade to that version and be fully protected without installing any additional patches?

@Jimmy520 check out Franky's Web Exchange Blog, new Edge will help to auto translate. I am sure he has a solution documented for your issue. It sounds familiar to me.

R: Dear @The_Exchange_Team I would like to plea to quickly bring up a new page like CU Archive at docs.microsoft.com that include the links to the unsupported CUs.

A: @K_Wester-Ebbinghaus At this time, we are not shipping any additional SUs for older out of support CUs

Hi @Nino Bilic I think this is a misunderstanding. I am requesting to link the older CUs in a docs page, not to release anything. It is already released but not linked. Please re-read my request, or does your answer refer to something said earlier? Thank you Nino!

Copper Contributor

@The_Exchange_Team @Nino Bilic I have a hybrid environment with a pair of E2013CU16 servers on prem. I am unable to install the "Exchange2013-KB5000871-x64-en.msp" on these servers, so is my only option to update to a newer CU to receive this patch? I have all of the latest updates on the server pair.

Regards

Dudley

@deedubois That is correct; you will not be able to install security updates until you have brought the servers to a supported CU. https://aka.ms/exchangewizard can help you figure out which steps you need to do to get there (my suggestion is to aim to get to E2013 CU23 and then install the security update).

Copper Contributor

Dear Team,

Since the KB5000871 deployment, Outlook Anywhere is no longer working. We get an error on the client about not being able to connect to the OAB server when testing Outlook connectivity through the Microsoft Connectivity Analyzer. All other services are working as expected.

It seems that a lot of organizations have the same issue after the patch deployment: https://techcommunity.microsoft.com/t5/exchange/an-error-occurred-while-trying-to-get-the-address-bo...

We have an Exchange 2016 CU18 with the KB5000871 patch. 

Thanks for the support.

Peter

Hi @Sam_T I have also noticed that the output of Get-Hotfix is not the same as Get-ComputerInfo or WAC. Exchange updates are missing.

please add your feedback and upvote.
ISSUE - WAC 2103 - Updates - Exchange Hotfixes missing in Update history – Windows Server (uservoice...

Brass Contributor

Hello MS Team 

My System Email is running Exchange server 2016 CU3.

How to step by step upgrade Exchange 2016 CU3 to the latest Exchange 2016 CU20?

Recommend checklist path upgrade .net framework 4.6.2-4.8

Many Thanks

@phuongnguyen this is described in the Exchange compatibility matrix.
Exchange Server supportability matrix | Microsoft Docs

I am also aware that the older CUs can only be obtained via Google by searching for the specific CU name and the microsoft.com download, and this would start quite a marathon of installing CUs, as they take a long time.

I don't want to be held liable for this information, but it was possible to do the following:

- back up Exchange :warning:
- add the executing user to Schema and Exchange / Domain Org Admin
- stop AV (Defender or 3rd party) when installing MSP or CUs
- stop all Exchange services
- install .NET 4.8
- install the latest CU 20 directly. This one does not need an msp patch

Last update: Mar 19 2021 01:46 PM