Update 10/10/2023: Our recommendation to address CVE-2023-21709 is now changed; please see the changes below.
Update 9/12/2023: As a part of the September 2023 "Patch Tuesday" we have released a few more Exchange Server CVEs. They were all addressed in our August 2023 SU (more information here). If you did not install August SUs yet, please do so now.
Microsoft has released Security Updates (SUs) for vulnerabilities found in:
SUs are available for the following specific versions of Exchange Server (download links are updated for re-released SUs):
The August 2023 SUs address vulnerabilities responsibly reported to Microsoft by security partners and found through Microsoft’s internal processes. Although we are not aware of any active exploits in the wild, our recommendation is to immediately install these updates to protect your environment.
These vulnerabilities affect Exchange Server. Exchange Online customers are already protected from the vulnerabilities addressed by these SUs and do not need to take any action other than updating any Exchange servers or Exchange Management tools workstations in their environment.
More details about specific CVEs can be found in the Security Update Guide (filter on Exchange Server under Product Family).
Steps needed to address CVE-2023-21709
To address CVE-2023-21709, our updated recommendation is for administrators to install October 2023 Windows Security Updates on all of their Exchange Servers. Please see October 2023 Security Update announcement for more information.
Support for change of default encryption algorithm in Microsoft Purview Information Protection
This section applies only to our customers who use Exchange Server and either Azure or AD Rights Management Service (RMS). If you do not know what that is, Exchange Online CBC encryption changes should not apply to you:
As announced in the Encryption algorithm changes in Microsoft Purview Information Protection blog post, Exchange Server August 2023 SUs contain updates that enable customers who use Exchange Server on-premises to continue decrypting content protected by Purview sensitivity labels or Active Directory Rights Management Services. Please review that blog post for details and timelines and read AES256-CBC support for Microsoft 365 documentation.
If your organization is impacted by this change, after installing the August SU on your Exchange servers, see this KB article. Please note – this step is not needed unless your on-premises servers require support for AES256-CBC.
The following update paths are available:
Known issues with this release
Issues resolved in this release
Our organization is in Hybrid mode with Exchange Online. Do we need to do anything?
Exchange Online is already protected, but this SU needs to be installed on your Exchange servers, even if they are used only for management purposes. If you change the auth certificate after installing an SU, you should re-run the Hybrid Configuration Wizard.
The last SU we installed is a few months old. Do we need to install all SUs in order to install the latest one?
SUs are cumulative. If you are running a CU supported by the SU, you do not need to install all SUs in sequential order; simply install the latest SU. Please see this blog post for more information.
Do we need to install SUs on all Exchange Servers within our organization? What about ‘Management Tools only’ machines?
Our recommendation is to install SUs on all Exchange Servers and all servers and workstations running the Exchange Management Tools to ensure compatibility between management tools clients and servers. If you are trying to update the Exchange Management Tools in the environment with no running Exchange servers, please see this.
We still use Exchange Server 2013 on-premises to host mailboxes. Can we have an update for Exchange Server 2013 to support the new Microsoft 365 AES256-CBC encryption standard?
Exchange Server 2013 is out of support and will not receive any further security updates. We do not perform any vulnerability testing against this version of Exchange anymore. Exchange Server 2013 is likely vulnerable to any vulnerabilities disclosed after April 2023 and you should migrate to Exchange Server 2019 or Exchange Online as soon as possible and decommission Exchange Server 2013 from your environment.
Documentation may not be fully available at the time this post is published.
Blog post updates:
The Exchange Server Team
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.