Released: March 2022 Exchange Server Security Updates
Published Mar 08 2022 10:06 AM

Microsoft has released security updates (SUs) that resolve vulnerabilities found in:

  • Exchange Server 2013
  • Exchange Server 2016
  • Exchange Server 2019

IMPORTANT: When manually installing SUs, you must install the .msp file from an elevated command prompt (see the Known Issues area in the KB).

These SUs are available for the following specific builds of Exchange Server:

The March 2022 SUs for Exchange Server address vulnerabilities responsibly reported by security partners and found through Microsoft’s internal processes. Although we are not aware of any active exploits in the wild, our recommendation is to install these updates immediately.

These vulnerabilities affect on-premises Exchange Server, including servers used by customers in Exchange Hybrid mode. Exchange Online customers are protected from the vulnerabilities addressed in these SUs and do not need to take any action other than updating any on-premises Exchange servers.

More details about specific CVEs can be found in the Security Update Guide (filter on Exchange Server under Product Family).

Update installation

Two update paths are available:

March2022SUpath.png

Inventory your Exchange Servers / determine which updates are needed

Use the latest version of the Exchange Server Health Checker script to inventory your servers. Running this script will tell you if any of your Exchange Servers need CUs or SUs.

Update to the latest Cumulative Update

Go to https://aka.ms/ExchangeUpdateWizard and choose your currently running CU and your target CU to get update instructions.

If you encounter errors during or after installation of Exchange Server updates

If you encounter errors during installation, use the SetupAssist script. If something does not work properly after updating, see Repair failed installations of Exchange Cumulative and Security updates.

Known issues with this release

  • Modifying DAG network settings fails with error 0xe0434352 after the January SUs are installed. This is fixed in the March SU, but Set-DatabaseAvailabilityGroupNetwork continues to fail.
  • Customizing voicemail greetings might fail with error 0xe0434352 after the January SUs are installed. This is not fixed in the March SU.
  • The MSExchangeServiceHost service may crash repeatedly, with Event ID 4999 logged in the Windows Application event log. See Exchange Service Host service fails after installing March 2022 security update (KB5013118).
  • The Get-MailboxDatabaseCopyStatus command run from an Exchange 2013 server fails for databases hosted on Exchange 2016/2019 servers with the following error:
    A server-side administrative operation has failed. Operation failed with message: Error 0xe0434352 (Unknown error (0xe0434352)) from RpccGetCopyStatusEx4
    Workaround: Run the Get-MailboxDatabaseCopyStatus command from Exchange 2016/2019 servers.
  • Checking Exchange 2016/2019 database status from the Exchange Admin Center may fail with an HTTP 500 error or with "Your request couldn't be completed. Please try again in a few minutes."
    Workaround: Ensure the admin's mailbox is on Exchange 2016/2019 servers. If the admin account has no mailbox, ensure all arbitration mailboxes, especially “SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}”, are on Exchange 2016/2019 servers.
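
One way to tell whether Event ID 4999 entries match the MSExchangeServiceHost crash listed above, as an added example (not code from the Exchange Team or from KB5013118). It parses the Watson message text; the function name and field labels are assumptions, the first two sample messages are the ones quoted in the comments on this page, and the third is constructed.

```powershell
# Added example. Field positions follow the two Watson messages quoted in the
# comments on this page; the field names used here are assumptions.
function ConvertFrom-WatsonMessage {
    param([Parameter(Mandatory)][string]$Message)

    # Only the first line carries the parameter list; drop its trailing period.
    $firstLine = ($Message -split '\r?\n')[0].Trim().TrimEnd('.')
    if ($firstLine -notlike '*with parameters:*') { return $null }

    $fields = ($firstLine -split 'with parameters:\s*', 2)[1] -split ',\s*'
    if ($fields.Count -lt 7) { return $null }

    [pscustomobject]@{
        Version   = $fields[2]
        Process   = $fields[3]
        Method    = $fields[5]
        Exception = $fields[6]
        # Signature reported in the comments: the Service Host process
        # terminating on a blocked deserialization type.
        IsServiceHostCrash = ($fields[3] -eq 'M.Exchange.ServiceHost' -and
                              $fields[6] -like '*BlockedDeserializeTypeException')
    }
}

$samples = @(
    # Quoted in the comments (Exchange 2016 CU22)
    "Watson report about to be sent for process id: 53344, with parameters: E12IIS, c-RTL-AMD64, 15.01.2375.024, M.Exchange.ServiceHost, M.Exchange.Diagnostics, M.E.D.ChainedSerializationBinder.LoadType, M.E.Diagnostics.BlockedDeserializeTypeException, 545e-dumptidset, 15.01.2375.024.`nErrorReportingEnabled: False"
    # Quoted in the comments (Exchange 2013 CU23)
    "Watson report about to be sent for process id: 40372, with parameters: E12IIS, c-RTL-AMD64, 15.00.1497.033, M.Exchange.ServiceHost, M.Exchange.Diagnostics, M.E.D.ChainedSerializationBinder.LoadType, M.E.Diagnostics.BlockedDeserializeTypeException, f618, 15.00.1497.032.`nErrorReportingEnabled: True"
    # Constructed: an unrelated process that must not be flagged
    "Watson report about to be sent for process id: 1234, with parameters: E12IIS, c-RTL-AMD64, 15.01.2375.024, ExampleProcess, Example.Assembly, Example.Method, System.NullReferenceException, abcd, 15.01.2375.024.`nErrorReportingEnabled: False"
)

$samples | ForEach-Object { ConvertFrom-WatsonMessage -Message $_ } |
    Format-Table Version, Process, Exception, IsServiceHostCrash -AutoSize

# Against a live server, feed it the Application log instead:
# Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 4999 } |
#     ForEach-Object { ConvertFrom-WatsonMessage -Message $_.Message }
```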

FAQs

My organization is in Hybrid mode with Exchange Online. Do I need to do anything?
While Exchange Online customers are already protected, the March 2022 SUs do need to be applied to your on-premises Exchange Servers. You do not need to re-run the Hybrid Configuration Wizard (HCW) after applying updates.

Do I need to install the updates on ‘Exchange Management Tools only’ workstations?
Servers or workstations running only the Management Tools role (no Exchange services) do not need these updates.

NOTE: This post might receive future updates; they will be listed here (if available).

Updates to this blog post:

  • 3/9: Added details about which previous issues are fixed. 
  • 3/10: Added details about the MSExchangeServiceHost service crash with this SU and the workarounds.
  • 3/16: Added a reference to KB5013118

 

The Exchange Team

143 Comments
Brass Contributor

Thanks for publishing the information. We are currently testing the update and will post findings here.

Update: We implemented the update on our managed environments and it all looks good (2019CU11 / 2016 CU22 and 2013CU23 - organizations including some hybrid and full on-prem DAGs). Currently we're finalizing some post installation "administrative" (paperwork) tasks. The only thing is that during the installation process the HealthChecker.PS1 has been updated by MS although we downloaded the most recent version just before installing the SUs (Note: we always run this script post installation as additional routine check).

Update 2 (March 17th): Today, we received an issue that in one of our environments (EXCH2019) attachment downloads don't work anymore in OWA. We also run other environments with various versions of Exchange and somehow one specific one has the issue. The others also run 2019, as well as 2016 and some 2013. We're not the only one with this issue > including my reply: https://techcommunity.microsoft.com/t5/exchange/owa-attachments-after-cve/m-p/3254283. Also our test 2019 environment doesn't have this issue. We did not notice this issue in any environment during update, unless we missed something.

Work-around > Temporarily disable the CVE-2021-1730 mitigations (Download Domains config). I will perform additional tests and troubleshoot later.

Copper Contributor

When is the next CU expected to be released?  If this month, will it include this SU?  Personally, I'd rather wait if the CU will be made available in 2 weeks or so.  Or are you only providing SUs going forward?

Microsoft

@toddnelson-work, we don't have any ETA to share for our next CU.  In the meantime, we recommend all customers install this SU as soon as possible. 

Copper Contributor

Thanks, @Scott Schnoll.

Copper Contributor

Does someone know, if the known issue about changing DAG network settings or customizing voicemail greetings is fixed in this update (see "Released: January 2022 Exchange Server Security Updates" - "Known issues with this release")?

Microsoft

@OliZu Yes, the known DAG ManualDagNetworkConfiguration issue has been fixed with this update.

Copper Contributor

@Lukas Sassl Great, thanks for the fast feedback

Brass Contributor

When I run the healthcheck script after the update I still see the threat. Exchange 2016 CU21 and Exchange 2013 CU23

Iron Contributor

Thanks for the detailed information. We will start to apply them in our union environments.

Microsoft

@Tonibert please check/share the Exchange build number (Get-Command Exsetup.exe | ForEach {$_.FileVersionInfo}).

It should be 15.1.2308.27 for Exchange 2016 CU21 with March 2022 SU and 15.0.1497.33 for Exchange 2013 with the March 2022 SU.

Copper Contributor

The file table for Exchange 2019 CU11 found at https://support.microsoft.com/en-gb/topic/description-of-the-security-update-for-microsoft-exchange-... shows the versions at 15.2.922.27, but after patching the version is 15.2.986.22.

Brass Contributor

@Lukas Sassl 

Both are correct:

 

2016 CU 21  - 15.01.2308.027

2013 CU 23 -  15.00.1497.033
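
The build comparison from this exchange, as an added example that is not part of the thread or of Microsoft's tooling. It normalizes the zero-padded Exsetup.exe file version and compares it with the two March 2022 SU builds stated above; the function name, the server names and the pre-SU sample version are constructed for illustration.

```powershell
# Added example: only the March 2022 SU builds stated on this page are listed.
$MarchSuBuilds = @(
    [pscustomobject]@{ Product = 'Exchange 2016 CU21'; Build = [version]'15.1.2308.27' }
    [pscustomobject]@{ Product = 'Exchange 2013 CU23'; Build = [version]'15.0.1497.33' }
)

function Test-MarchSuBuild {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][string]$FileVersion
    )
    # [version] parses each component as an integer, so the zero-padded
    # '15.01.2308.027' and '15.1.2308.27' compare as equal.
    $installed = [version]$FileVersion

    # Major.Minor.Build identifies the CU; the revision rises with each SU.
    $expected = $MarchSuBuilds | Where-Object {
        $_.Build.Major -eq $installed.Major -and
        $_.Build.Minor -eq $installed.Minor -and
        $_.Build.Build -eq $installed.Build
    }

    $status = if (-not $expected) {
        'CU not in table'
    } elseif ($installed -ge $expected.Build) {
        'March 2022 SU or later'
    } else {
        'SU missing'
    }

    [pscustomobject]@{
        Server    = $Server
        Installed = $installed
        Expected  = $expected.Build
        Status    = $status
    }
}

# Constructed sample input: hypothetical server names; '15.01.2308.020' is a
# made-up lower revision standing in for an unpatched CU21 server.
@(
    @{ Server = 'EX16-A'; FileVersion = '15.01.2308.027' }
    @{ Server = 'EX16-B'; FileVersion = '15.01.2308.020' }
    @{ Server = 'EX13-A'; FileVersion = '15.00.1497.033' }
) | ForEach-Object {
    Test-MarchSuBuild -Server $_.Server -FileVersion $_.FileVersion
} | Format-Table -AutoSize
```

On a real server the version string can be taken from `(Get-Command Exsetup.exe).FileVersionInfo.FileVersion`, the same object the command quoted above displays.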

 

 

 

Microsoft

Thanks for reporting @JosephCasale.

Microsoft

@Tonibert can you drop me a PM? Thanks.

Brass Contributor

@Lukas Sassl 

I've sent you an email

Copper Contributor

We applied the patch to several Exchange 2013/2016 servers in our lab. The ECP is no longer working on any of the patched servers. I have opened a case with support. Are there reports of others having similar issues? Here is the error.

 

ECP_Error.PNG

 

 

Copper Contributor

Hi

 

After I installed the patch and rebooted, the service "Microsoft Exchange Service Host" keeps restarting several times every minute. The Microsoft Exchange Service Host service terminated unexpectedly.

When I uninstall the patch everything works as it should again. How can I proceed?

 

Kind regards, Patrick

Brass Contributor

Same issue like Patrick70 here on Exchange 2016 CU22, Exchange Service Host continuously crashing:

Watson report about to be sent for process id: 53344, with parameters: E12IIS, c-RTL-AMD64, 15.01.2375.024, M.Exchange.ServiceHost, M.Exchange.Diagnostics, M.E.D.ChainedSerializationBinder.LoadType, M.E.Diagnostics.BlockedDeserializeTypeException, 545e-dumptidset, 15.01.2375.024.
ErrorReportingEnabled: False

Opening up a case now

Copper Contributor

Greetings,

As per Patrick70, we are also seeing issues with the Microsoft Exchange Service Host service faulting and restarting, again continuously. Uninstalling the SU does seem to resolve the issue but obviously isn't a great situation to be in.

This is on our Exchange 2013 CU23 fully updated DAG servers.

EventID: 4999

Source: MSExchange Common

Watson report about to be sent for process id: 40372, with parameters: E12IIS, c-RTL-AMD64, 15.00.1497.033, M.Exchange.ServiceHost, M.Exchange.Diagnostics, M.E.D.ChainedSerializationBinder.LoadType, M.E.Diagnostics.BlockedDeserializeTypeException, f618, 15.00.1497.032.
ErrorReportingEnabled: True

Any update would be greatly appreciated.

Best wishes, Caleb

Copper Contributor

We have a DAG with Exchange 2016 CU 22.

Brass Contributor

Re-posting as it seems my previous post wasn't posted properly:

Same issue like Patrick70 and Caleb here on Exchange 2016 CU22, same Event like Caleb shared. Uninstalling now & opened a Sev. A

@Patrick70

Please do the following action, it should resolve the issue:

  • Replace any expired certificate on the system
  • Renew any certificate that expires in <= 30 days
Brass Contributor

@Bhalchandra_Atre-MSFT: removed expired certs, issue still there. Please note, the P2P certs which are automatically maintained do always have an expiration date of +1 day so cannot replace this manually

Copper Contributor

Thank you for the reply @Bhalchandra_Atre-MSFT. Our oldest certificate does not expire until January 2023.

Kind regards, Patrick

Brass Contributor

We got issues after installing the security update on Exchange 2016.

It's quite strange because some mailboxes cannot receive or send emails but for other mailboxes hosted on the same mailbox database (so same server) there are no issues...

We can see many Watson errors in Application event log for different Exchange processes.

We are currently uninstalling the SU on all of our Exchange 2016 servers and we hope it will fix our issues...

Copper Contributor

We have an issue after installing KB5012698 on EX2016CU21

MSExchangeTransport
ID 1019
Failed to start listening (Error: 10048). Binding: 0.0.0.0:2525.

 

MSExchangeTransport
ID 1036
SmtpReceive
Inbound direct trust authentication failed for certificate %1. The source IP address of the server that tried to authenticate to Microsoft Exchange is [%2]. Make sure EdgeSync is running properly.

 

It looks like https://docs.microsoft.com/en-us/exchange/troubleshoot/mailflow/front-end-microsoft-exchange-transpo...

BUT

Identity Enabled TransportRole ProtocolLoggingLevel Bindings
-------- ------- ------------- -------------------- --------
EX2016\Default EX2016 True HubTransport None {0.0.0.0:2525, [::]:2525}
EX2016\Client Proxy EX2016 True HubTransport None {[::]:465, 0.0.0.0:465}
EX2016\Default Frontend EX2016 True FrontendTransport Verbose {[::]:25, 0.0.0.0:25}
EX2016\Outbound Proxy Frontend EX2016 True FrontendTransport Verbose {[::]:717, 0.0.0.0:717}
EX2016\Client Frontend EX2016 True FrontendTransport None {[::]:587, 0.0.0.0:587}
EX2016\anonymous relay True FrontendTransport None {0.0.0.0:25}

 

Seems to be OK. I rolled back for now…

Copper Contributor

Same issue here like Patrick70, Caleb & Martin_Aigner.....

MS Exchange Service Host Service keeps crashing and restarting on our 2016 stand alone all-in-one.

I'd wait to apply SU to our 2019 DAG...

Brass Contributor

I have the following error after the update. On an Exchange 2016 DAG I can no longer see the status of the databases in the Exchange Control Panel.

Copper Contributor

Our Exchange 2013 servers are having the host service crash issue too. I did remove the one expired certificate I found, removed the security update and verified the host crashing had stopped. I rebooted then applied the latest security patch again and the host crashing resumed.

3/11 Update: I just completed the System Mailbox clean up steps that were added yesterday and the host service has stopped crashing now. I'm going to proceed with updating my remaining servers.

Copper Contributor

Same here on Exchange 2016. 
Exchange Service Host keeps crashing.
Removing the expired certificate + reboot does not help.
Uninstalling the update right now.... 

What a mess MS....

Brass Contributor

Hello all. We applied the patch in several environments, no issues at all as far as I can see (see my post on top of the page). We run environments (managed customers) with Exchange versions 2013 > 2019. Some single setups, some DAG and/or some mixed with Hybrid or management only. We regularly had problems with the last 2013 environment in our control, but this time it all went smooth on those. All our OS's are up to date to the Feb updates. Usually we update Exchange service earlier than the OS itself, will be done by the "SCCM update schedule". Most all the orgs run Exchange Servers are running 2019 btw.

Brass Contributor

@Lukas Sassl 

Thank you, the current script now works for me with Exchange 2013 CU23 and Exchange 2016 CU21.

Copper Contributor

@OliZu 
@Lukas Sassl : I can confirm that the issue with configuring ManualDagNetworkConfiguration seems to be fixed in March SU. But, configuring DAG Network Settings still throws the same error:

Set-DatabaseAvailabilityGroupNetwork -Identity DAG01\ReplicationDagNetwork01 -ReplicationEnabled:$false -IgnoreNetwork:$true
A server-side administrative operation has failed. Operation failed with message: Error 0xe0434352 (Unknown error (0xe0434352)) from cli_SetDagNetwork [Server: xxxxxxxxxxxxxx]

@Tonibert Do you have Exchange 2013 server in the environment as well? If yes, make sure the mailbox for admin account is on Exchange 2016 servers

Brass Contributor

@Bhalchandra_Atre-MSFT 

Yes, I have. I will check that. Thank you

Brass Contributor

Our domain wildcard certificate is about to expire on 04/06/2022 and we are receiving event logs notifying that the certificate will expire soon. But we had no crash so far. The other certificates (created by Exchange on setup) are still valid for a long period of time. The expiry notifications about our certificate were already present as we installed the SU last Tuesday. Server runs fine at the moment.

Should we expect failure of the server soon, or do we have some time to renew our certificate in the next days?

Is there anything we should keep in mind this time when we change the certificate? Could we trigger that crash if we replace the certificate with a new one, or should we wait for a fix from MS (but then, this fix should arrive before 04/06/2022)..?

@HaileSelassie876 the Set-DatabaseAvailabilityGroupNetwork will be fixed in upcoming updates.

Copper Contributor

Hello MS - as for HOST service issue...

Your workaround will not work in case there is an old Federation cert in place (Exch2013), which is 'must to have' according to your (full) article here

and the following note from it:

exch2013-fed.png

 

 

Any ideas how to get out of such situation with installed update?

Copper Contributor

Thanks for confirmation and your feedback @Bhalchandra_Atre-MSFT - In case a hotfix would be available prior to the next update, I would be highly interested.

Copper Contributor

Hi,

Same problem as above with host service crashing.

Copper Contributor

Hi guys, so even if we don't have a certificate expiring soon. Do we still have to run the following commands as below, before carrying out the security update as the instructions are not clear.  We have an Exchange 2016 server in standalone mode on CU22? Many thanks

 

 

no1welshboyo_0-1647004224711.png

 

Copper Contributor

My issue with the ECP was resolved. Fiddler showed the wrong backend server was being used for the mailbox. An IIS reset on the server that was incorrect fixed the issue. 

Copper Contributor

I too am wondering if this expired (or soon to expire) cert issue will come up later or if this is only during the SU install. We are running Exchange 2013. 

Brass Contributor

Hello,

We already installed the March 2022 SU on our Exchange 2016 CU22 server.

We have a certificate which will expire the 22/05/2022.

Should we already renew this certificate now to avoid issues? Or, as we already installed the SU, will we not get any issue?

Thanks

Copper Contributor

We installed the latest SU Wednesday evening. Have a cert that expires 8th of April and problems started today.

Copper Contributor

We have a customer with a single Exchange 2016 server, at CU22. Installed the SU and ever since the OWA is painfully slow. We've done multiple reboots and IISresets. So far, no change.

Anyone else seeing anything similar?

Brass Contributor

@notrace "We installed the latest SU Wednesday evening. Have a cert expires 8th of April and problems started today."

What kind of certificate do you have? Is it one of the certificates Exchange did create on setup, or a certificate of your mail-domain?

We are using a wildcard certificate for our mail-domain and it is about to expire on April 6th. We already had log entries about cert warning to expire BEFORE the SU installation on Tuesday. Server is still running w/o issues. So I am trying to figure out what kind of certificate is triggering this issue. So I want to know if it is one of the certificates created during installation of Exchange.

Just about to get a new wildcard, but I am not sure if I should try to change our wildcard with the new one. I want to avoid triggering a crash during cert.-change. Don't know what would be best for our server at the moment...

Copper Contributor

Service Host Service crashing seems to have stopped before midnight 3/10 Pacific time. Fingers crossed.

Brass Contributor

@MauriceLui what did you do? ...or stopped it magically ;) ? Did you have an expired or soon-to-be-expired certificate installed?

Copper Contributor

@Duncan1528 Done nothing, it just stopped crashing all by itself magically 24 hours after the update. Yes, we do have a handful of expired and soon to be expired certificates. They are not removed yet.

Last update: Mar 16 2022 08:54 AM