Released: July 2021 Exchange Server Security Updates

Published Jul 13 2021 10:32 AM

Microsoft has released security updates for vulnerabilities found in:

  • Exchange Server 2013
  • Exchange Server 2016
  • Exchange Server 2019

All supported versions are impacted at every Cumulative Update (CU) level; security updates, however, are released only for the latest CUs. Updates are available for the following specific builds of Exchange Server:

  • Exchange Server 2013 CU23
  • Exchange Server 2016 CU20 and CU21
  • Exchange Server 2019 CU9 and CU10

IMPORTANT: If you install the security updates manually, you must install the .msp from an elevated command prompt (see Known Issues in the update KB article).

The July 2021 security updates for Exchange Server address vulnerabilities responsibly reported by security partners and found through Microsoft’s internal processes. Although we are not aware of any active exploits in the wild, our recommendation is to install these updates immediately to protect your environment.

These vulnerabilities affect on-premises Microsoft Exchange Server, including servers used by customers in Exchange Hybrid mode. Exchange Online customers are already protected and do not need to take any action.

More details about specific CVEs can be found in Security Update Guide (filter on Exchange Server under Product Family).

Latest /PrepareSchema needed for full effect

Because of additional security hardening work for CVE-2021-34470, the following actions should be taken in addition to applying the July 2021 security updates. Which steps are needed to extend the Active Directory schema depends on the latest version of Exchange installed in the organization:

  • Exchange 2016 CU21 or Exchange 2019 CU10: nothing; the schema was extended during installation of the June 2021 CUs.
  • Exchange 2016 CU20 or Exchange 2019 CU9: extend the schema using the June 2021 CUs.
  • Exchange 2013 CU23:
    - Install the July 2021 Security Update for Exchange 2013.
    - Extend the Active Directory schema from an elevated Command Prompt. The command will be similar to the following, using the Setup.exe from the Exchange installation folder (by default "C:\Program Files\Microsoft\Exchange Server\V15\Bin\Setup.exe"; use the folder your Exchange server is actually installed in):

      Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms

    NOTES:
    - For Exchange 2013 only, the schema version number will not change after this step, so it cannot be used to confirm that the extension was applied.
    - If the Schema Master is in an empty root domain, consider installing the Exchange 2013 CU23 Management Tools on a Windows Server 2012 R2 machine in that domain, installing the July SU on it, and then running /PrepareSchema from that machine.
  • Older versions of Exchange (earlier than 2013), or Exchange no longer installed in the forest: see How to update AD schema to address CVE-2021-34470 if Exchange is very old or no longer installed.
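The IMPORTANT note above (the .msp must be installed from an elevated prompt) and the Exchange 2013 CU23 steps in the table above are two halves of one procedure. The following PowerShell script is an added example; it is not from the original post or from Microsoft's KB articles. It assumes you pass the path of the SU package you downloaded ($MspPath is a placeholder), reads the Exchange installation folder from the MsiInstallPath value under HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15\Setup rather than hard-coding C:\Program Files, and ends with a verification step that reflects this author's understanding of the CVE-2021-34470 hardening (that 'computer' is removed from possSuperiors of the ms-Exch-Storage-Group schema class), which the post itself does not describe. Microsoft's CSS-Exchange repository also publishes a Test-CVE-2021-34470.ps1 script for checking the schema.

```powershell
# Added example, not from the original post or Microsoft's KB articles.
# Installs the July 2021 SU .msp from an elevated session and, for Exchange 2013 CU23,
# runs Setup.exe /PrepareSchema afterwards and checks the CVE-2021-34470 hardening.
# $MspPath is a placeholder for the SU package you downloaded for your CU level.
param(
    [Parameter(Mandatory)] [string] $MspPath,
    [switch] $Exchange2013    # 2016 CU20 / 2019 CU9 extend the schema with the June CU instead
)

# 1. The KB requires the .msp to be installed from an elevated prompt; refuse to continue otherwise.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Run as administrator) PowerShell session.'
}
if (-not (Test-Path -LiteralPath $MspPath)) { throw "SU package not found: $MspPath" }

# 2. Apply the patch with msiexec and keep a verbose log for troubleshooting.
$log = Join-Path $env:TEMP ('ExchangeSU-{0:yyyyMMdd-HHmmss}.log' -f (Get-Date))
$msi = Start-Process -FilePath msiexec.exe -Wait -PassThru `
        -ArgumentList "/update `"$MspPath`" /qb /norestart /l*v `"$log`""
switch ($msi.ExitCode) {
    0       { Write-Host "SU installed. Log: $log" }
    3010    { Write-Warning "SU installed; a reboot is required before the fix is active. Log: $log" }
    default { throw "msiexec exited with code $($msi.ExitCode); see $log" }
}

# 3. Exchange 2013 CU23 only: the SU refreshes the schema files in the Exchange folders, but the
#    schema itself is extended only when Setup.exe /PrepareSchema is run (elevated, after the SU).
if ($Exchange2013) {
    $setupKey = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15\Setup'
    $setupExe = Join-Path $setupKey.MsiInstallPath 'Bin\Setup.exe'
    $setup = Start-Process -FilePath $setupExe -Wait -PassThru `
                -ArgumentList '/PrepareSchema', '/IAcceptExchangeServerLicenseTerms'
    if ($setup.ExitCode -ne 0) { throw "Setup.exe /PrepareSchema failed with exit code $($setup.ExitCode)" }
}

# 4. Verify. For Exchange 2013 the schema version number does not change, so rangeUpper cannot be
#    the indicator. This check is the author's understanding of the CVE-2021-34470 hardening
#    (not stated in the post): 'computer' is removed from possSuperiors of ms-Exch-Storage-Group.
$schemaNC     = ([ADSI]'LDAP://RootDSE').schemaNamingContext
$storageGroup = [ADSI]"LDAP://CN=ms-Exch-Storage-Group,$schemaNC"
if ($storageGroup.possSuperiors -contains 'computer') {
    Write-Warning 'Schema NOT yet hardened for CVE-2021-34470; allow for AD replication and re-check.'
} else {
    Write-Host 'Schema hardened for CVE-2021-34470.'
}
```

Run it once per server for step 2, and with -Exchange2013 on one server (or the Management Tools machine in the root domain, as the note above describes) for step 3; step 4 can be repeated from any domain-joined machine after replication has completed.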

Known issues in July 2021 security updates

During the release of the April 2021 SUs we received some reports of issues after installation. The following issues reported for the April 2021 SUs also apply to the July SUs and have the following workarounds:

  • Administrator/Service accounts ending in ‘$’ cannot use the Exchange Management Shell or access ECP. The only workaround at this time is to rename those admin accounts or to use accounts whose names do not end in ‘$’.
  • Some cross-forest Free/Busy relationships based on Availability address space can stop working (depending on how authentication was configured) with the error: “The remote server returned an error: (400) Bad Request.” Please see this KB article for how to solve this problem.
  • Cmdlets executed against the Exchange Management Console using an invoked runspace might fail with the error message “The syntax is not supported by this runspace. This can occur if the runspace is in no-language mode.” Please see this KB article for more information.
  • Installing the June 2021 Cumulative Updates for Exchange 2016 or 2019 might fail with the error “System.NullReferenceException: Object reference not set to an instance of an object.” Please see this KB article for resolution.
  • Starting with the July 2021 updates, users might be redirected back to the login page when using OWA/ECP if the organization uses load balancing. Avoid running mixed pools (servers with the latest SU applied together with servers that have not yet received the update). Please see this KB article for more information.
  • Prior to installing the Security Update (SU), we recommend you check that a valid Microsoft Exchange Server Auth Certificate is present on every Exchange server (except Edge Transport servers). The easiest way to do this is to run the Exchange Health Checker and check the Auth Certificate output:

[Figure: Exchange Health Checker output, Auth Certificate section]

You can also run the following PowerShell command to check if the Auth Certificate is available on your system:

Get-ExchangeCertificate (Get-AuthConfig).CurrentCertificateThumbprint

If there is no Auth Certificate or it has expired, then follow the steps outlined here to configure it correctly.

Please note: In some environments, it may take an hour for the OAuth certificate to be published. If you have a hybrid setup, you have to run the Hybrid Configuration Wizard again to update the changes to Azure Active Directory (Azure AD). If this certificate is missing or is expired, users may face issues logging in to OWA/ECP with HTTP 500 error after application of July updates. KB article is here.
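The one-liner above only tells you whether the configured Auth Certificate exists on the server you are running it on. The following function is an added example, not from the original post or from the Health Checker script, that runs the same check across every Exchange server except Edge Transport, and also reports certificates that have expired or are about to. It assumes it is run in the Exchange Management Shell and uses only the Get-AuthConfig, Get-ExchangeServer and Get-ExchangeCertificate cmdlets shown or implied above; the $WarnDays threshold is this author's choice.

```powershell
# Added example (not from the original post): pre-SU check that the configured Auth Certificate
# is present and valid on every Exchange server except Edge Transport. Run in the
# Exchange Management Shell with an account that can query all servers.
function Test-ExchangeAuthCertificate {
    [CmdletBinding()]
    param([int] $WarnDays = 30)   # also flag certificates that expire within this many days

    $thumb = (Get-AuthConfig).CurrentCertificateThumbprint
    if ([string]::IsNullOrEmpty($thumb)) {
        Write-Warning 'No Auth Certificate configured (Get-AuthConfig CurrentCertificateThumbprint is empty).'
        return
    }

    # Edge Transport servers are excluded, as the post says.
    $servers = Get-ExchangeServer | Where-Object { -not $_.IsEdgeServer }
    foreach ($server in $servers) {
        $cert = Get-ExchangeCertificate -Server $server.Name -Thumbprint $thumb -ErrorAction SilentlyContinue
        if (-not $cert) {
            # Missing here: either not yet published to this server (the post notes this can take
            # an hour) or genuinely absent. Either way, do not install the SU on it yet.
            [pscustomobject]@{ Server = $server.Name; Status = 'MISSING'; NotAfter = $null; Thumbprint = $thumb }
            continue
        }
        $now = Get-Date
        $status = if ($cert.NotAfter -lt $now)                      { 'EXPIRED'  }
                  elseif ($cert.NotAfter -lt $now.AddDays($WarnDays)) { 'EXPIRING' }
                  else                                                { 'OK'       }
        [pscustomobject]@{ Server = $server.Name; Status = $status; NotAfter = $cert.NotAfter; Thumbprint = $thumb }
    }
}

# Any row whose Status is not OK should be fixed (see the steps linked above) before the SU
# is applied; otherwise users may see HTTP 500 on OWA/ECP afterwards.
Test-ExchangeAuthCertificate | Format-Table -AutoSize
```

In a hybrid organization, remember that after you create or renew the Auth Certificate the Hybrid Configuration Wizard has to be run again, as the note above says, before the new certificate is known to Azure AD.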

Update installation

Because the recommended schema update requires the June 2021 CUs (for Exchange 2016 and 2019), there are several scenarios you might need to follow:

[Figure: update scenarios, showing that Exchange 2016 CU20 and Exchange 2019 CU9 with the July 2021 SUs are not fully updated until the June 2021 CU has also been installed]

Inventory your Exchange Servers / determine which updates are needed

Use the Exchange Server Health Checker script (use the latest release) to inventory your servers. Running this script will tell you if any of your Exchange Servers are behind on updates (CUs and SUs).

Update to the latest Cumulative Update

Go to https://aka.ms/ExchangeUpdateWizard and choose your currently running CU and your target CU. Then click the “Tell me the steps” button, to get directions for your environment.

If you encounter errors during or after installation of Exchange Server updates

If you encounter errors during installation, see the SetupAssist script. If something does not work properly after updates, see Repair failed installations of Exchange Cumulative and Security updates.

FAQs

My organization is in Hybrid mode with Exchange Online. Do I need to do anything?
While Exchange Online customers are already protected, the July 2021 security updates do need to be applied to your on-premises Exchange Servers, even if they are used only for management purposes. You do not need to re-run the Hybrid Configuration Wizard (HCW) after applying updates.

Do I need to install the updates on ‘Exchange Management Tools only’ workstations?
Servers or workstations running only Microsoft Exchange Management Tools (no Exchange services) do not need to apply these updates.

Instructions seem to indicate that for Exchange 2013, we should extend the schema after the July 2021 SU is installed; is that correct?
Yes. Because we did not release an Exchange 2013 Cumulative Update (CU) that contains the new schema updates, the July 2021 SU package updates the schema files in the Exchange server folders when it is installed. Once those files are updated (that is, once the SU is installed), we ask you to explicitly update the schema using Setup.exe from the \V15\Bin folder.

We have Exchange 2016 CU20 and 2019 CU9 servers and have installed July 2021 security updates but did not run /PrepareSchema using June 2021 CUs first. Is this a problem?
No. Extension of AD schema using June 2021 CU is really a separate step that should be taken to address a specific CVE. There is no dependency in July 2021 SUs on this schema change, or vice versa. Just make sure that both of those actions are taken; order is not important.

Updates to this post:

  • 8/5: Added a link to How to update AD schema to address CVE-2021-34470 if Exchange is very old or no longer installed
  • 7/20: Merged "Installation tips" section into "Known issues" section and provided additional detail and links
  • 7/19: Added a note about updating servers in a Load Balancing (LB) pool
  • 7/15: Added a clarification that all CU levels of Exchange are impacted; we release security updates only for the latest CUs. Please see this for more information on update cadence.
  • 7/15: Added a note about how to extend schema in a root domain with no Exchange servers.
  • 7/15: Added a note that schema version does not change after schema extension if Exchange 2013 Server is the latest version in the org.
  • 7/15: Added the installation tips section and moved the info about OWA/ECP errors there.
  • 7/14: Added a note about what to do if OWA/ECP with HTTP 500 error is seen after application of SUs.
  • 7/13: Clarified the graphics to illustrate that Exchange Server 2016 CU20 and Exchange Server 2019 CU9 with July SUs are not 'fully' updated (because we released June CUs for both versions).

The Exchange Team

Last update: Aug 05 2021 01:07 PM