Released: August 2023 Exchange Server Security Updates
Published Aug 08 2023 10:02 AM 177K Views

Update 10/10/2023: Our recommendation to address CVE-2023-21709 is now changed; please see the changes below.

Update 9/12/2023: As a part of the September 2023 "Patch Tuesday" we have released a few more Exchange Server CVEs. They were all addressed in our August 2023 SU (more information here). If you did not install August SUs yet, please do so now.

Microsoft has released Security Updates (SUs) for vulnerabilities found in:

  • Exchange Server 2019
  • Exchange Server 2016

SUs are available for the following specific versions of Exchange Server (download links are updated for re-released SUs):

  • Exchange Server 2019 CU12 and CU13
  • Exchange Server 2016 CU23

The August 2023 SUs address vulnerabilities responsibly reported to Microsoft by security partners and found through Microsoft’s internal processes. Although we are not aware of any active exploits in the wild, our recommendation is to immediately install these updates to protect your environment.

These vulnerabilities affect Exchange Server. Exchange Online customers are already protected from the vulnerabilities addressed by these SUs and do not need to take any action other than updating any Exchange servers or Exchange Management tools workstations in their environment.

More details about specific CVEs can be found in the Security Update Guide (filter on Exchange Server under Product Family).

Steps needed to address CVE-2023-21709

To address CVE-2023-21709, our updated recommendation is for administrators to install October 2023 Windows Security Updates on all of their Exchange Servers. Please see October 2023 Security Update announcement for more information.

Support for change of default encryption algorithm in Microsoft Purview Information Protection

This section applies only to our customers who use Exchange Server and either Azure or AD Rights Management Service (RMS). If you do not know what that is, Exchange Online CBC encryption changes should not apply to you:

As announced in the Encryption algorithm changes in Microsoft Purview Information Protection blog post, Exchange Server August 2023 SUs contain updates that enable customers who use Exchange Server on-premises to continue decrypting content protected by Purview sensitivity labels or Active Directory Rights Management Services. Please review that blog post for details and timelines and read AES256-CBC support for Microsoft 365 documentation.

If your organization is impacted by this change, after installing the August SU on your Exchange servers, see this KB article. Please note – this step is not needed unless your on-premises servers require support for AES256-CBC.

Update installation

The following update paths are available:

Aug2023SUpaths01.jpg

Known issues with this release

  • Customers impacted by the upcoming Microsoft 365 AES256-CBC encryption change need to perform a manual action to enable new encryption algorithm after August 2023 SU is installed. Please see this KB article. We will remove the requirement for manual action in a future update.

Issues resolved in this release

FAQs

Our organization is in Hybrid mode with Exchange Online. Do we need to do anything?
Exchange Online is already protected, but this SU needs to be installed on your Exchange servers, even if they are used only for management purposes. If you change the auth certificate after installing an SU, you should re-run the Hybrid Configuration Wizard.

The last SU we installed is a few months old. Do we need to install all SUs in order to install the latest one?
SUs are cumulative. If you are running a CU supported by the SU, you do not need to install all SUs in sequential order; simply install the latest SU. Please see this blog post for more information.

Do we need to install SUs on all Exchange Servers within our organization? What about ‘Management Tools only’ machines?
Our recommendation is to install SUs on all Exchange Servers and all servers and workstations running the Exchange Management Tools to ensure compatibility between management tools clients and servers. If you are trying to update the Exchange Management Tools in the environment with no running Exchange servers, please see this.

We still use Exchange Server 2013 on-premises to host mailboxes. Can we have an update for Exchange Server 2013 to support the new Microsoft 365 AES256-CBC encryption standard?
Exchange Server 2013 is out of support and will not receive any further security updates. We do not perform any vulnerability testing against this version of Exchange anymore. Exchange Server 2013 is likely vulnerable to any vulnerabilities disclosed after April 2023 and you should migrate to Exchange Server 2019 or Exchange Online as soon as possible and decommission Exchange Server 2013 from your environment.

Documentation may not be fully available at the time this post is published.

Blog post updates:

  • 9/12: Changed the banner to mention that Aug 2023 SUs are also the resolution to Exchange Server CVEs released in September 2023.
  • 8/16: Added a known issue for: Users in account forest can’t change expired password in OWA in multi-forest Exchange deployments after installing August 2023 SU
  • 8/15: Updated the blog post to reflect that Aug 2023 SUs were re-released on 8/15/2023
  • 8/15: Added a link to the process of installing updates on management tools machine when there are no Exchange servers running
  • 8/15: Temporarily removed all download links
  • 8/9: Referenced Exchange Server 2019 and 2016 August 2023 security update installation fails on non-English operatin... in Known Issues section
  • 8/9: Added a command that will help you reset the state of your services if setup has already failed
  • 8/9: Added a known issue about non-English servers Setup issues and temporary removal of August SUs from Microsoft / Windows update

The Exchange Server Team

213 Comments
Co-Authors
Version history
Last update:
‎Oct 10 2023 10:11 AM
Updated by: