Microsoft has released Security Updates (SUs) for vulnerabilities found in:
SUs are available in a self-extracting auto-elevating .exe package, as well as the original update packages (.msp files), which can be downloaded from the Microsoft Update Catalog.
SUs are available for the following specific versions of Exchange Server:
Note: Build availability issues have been resolved. If your server downloaded the February SU via Windows/ Microsoft update before February 15 8 AM Pacific time, you might see the February update be offered again. Installing the updated package will bring your server forward to current February builds (verify using Health Checker after installation). The Download Center .exe update packages were (and still are) correct.
The February 2023 SUs address vulnerabilities responsibly reported to Microsoft by security partners and found through Microsoft’s internal processes. Although we are not aware of any active exploits in the wild, our recommendation is to immediately install these updates to protect your environment.
These vulnerabilities affect Exchange Server. Exchange Online customers are already protected from the vulnerabilities addressed in these SUs and do not need to take any action other than updating Exchange servers in their environment.
More details about specific CVEs can be found in the Security Update Guide (filter on Exchange Server under Product Family).
The following update paths are available:
Our organization is in Hybrid mode with Exchange Online. Do we need to do anything?
Exchange Online is already protected, but this SU needs to be installed on your Exchange servers, even if they are used only for management purposes. If you change the auth certificate after installing the February 2023 SU, you should re-run the Hybrid Configuration Wizard.
The last SU we installed is a few months old. Do we need to install all SUs in order, to install the latest one?
SUs are cumulative. If you are running a CU supported by the SU, you do not need to install all SUs in sequential order; simply install the latest SU. Please see this update FAQ blog post for more information.
Do we need to install SUs on all Exchange Servers within our organization? What about ‘Management Tools only’ machines?
Our recommendation is to install Security Updates on all Exchange Servers as well as servers or workstations running Exchange Management Tools only, which will ensure that there is no incompatibility between management tools clients and servers.
Updates to this post:
The Exchange Server Team
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.