Microsoft has released Security Updates (SUs) for vulnerabilities found in:
- Exchange Server 2013
- Exchange Server 2016
- Exchange Server 2019
SUs are available in a self-extracting auto-elevating .exe package, as well as the original update packages (.msp files), which can be downloaded from the Microsoft Update Catalog.
SUs are available for the following specific versions of Exchange Server:
- Exchange Server 2013 CU23 (note that support and availability of SUs end on April 11, 2023)
- Exchange Server 2016 CU23
- Exchange Server 2019 CU11 and CU12
The March 2023 SUs address vulnerabilities responsibly reported to Microsoft by security partners and found through Microsoft’s internal processes. Although we are not aware of any active exploits in the wild, our recommendation is to install these updates immediately to protect your environment.
These vulnerabilities affect Exchange Server. Exchange Online customers are already protected from the vulnerabilities addressed in these SUs and do not need to take any action other than updating Exchange servers in their environment, and if applicable, installing the security update for Outlook on Windows described below.
More details about specific CVEs can be found in the Security Update Guide (filter on Exchange Server under Product Family).
Awareness: Outlook client update for CVE-2023-23397 released
There is a critical security update for Microsoft Outlook for Windows that is required to address CVE-2023-23397. To address this CVE, you must install the Outlook security update, regardless of where your mail is hosted (e.g., Exchange Online, Exchange Server, some other platform). Please see the MSRC blog post about this vulnerability for more details.
But if your mailboxes are in Exchange Online or on Exchange Server, after installing the Outlook update, you can use a script we created to see if any of your users have been targeted using the Outlook vulnerability. The script will tell you if any users have been targeted by potentially malicious messages and allow you to modify or delete those messages if any are found. Please also check script FAQ.
The script will take some time to run, so we recommend prioritizing user mailboxes that are of higher value to attackers (e.g., executives, senior leadership, admins, etc.).
Please note that Exchange Server March 2023 SUs contain a "defense in depth" change that removes the value of the property that can be exploited on unpatched Outlook for Windows clients for messages that are newly delivered to user mailboxes. No admin action is necessary other than installing March 2023 (or later) SU.
Defenders can also read Guidance for investigating attacks using CVE-2023-23397 from Microsoft Incident Response (IR) team.
The following update paths are available:
Known issues with this release
- There are no known issues with this release
Issues resolved in this release
What is the relationship of Exchange Server March 2023 SU and Outlook fix for CVE-2023-23397?
Those two updates are independent from each other. Exchange SUs address Exchange vulnerabilities and security improvements (including a defense in depth update related to CVE-2023-23397). We mentioned the Outlook CVE-2023-23397 update in the Exchange March SU release post to raise the awareness to our customers, as we know most use Outlook for Windows. Exchange March SU does not address CVE-2023-23397 (as it is a client vulnerability), you must install Outlook update to address this vulnerability in Outlook.
Our organization is in Hybrid mode with Exchange Online. Do we need to do anything?
Exchange Online is already protected, but Exchange SU needs to be installed on your Exchange servers, even if they are used only for management purposes. If you change the auth certificate after installing the March 2023 SU, you should re-run the Hybrid Configuration Wizard. Please note that we recommend all our customers (on-premises, hybrid or online) install Outlook updates.
The last SU we installed is a few months old. Do we need to install all SUs in order, to install the latest one?
SUs are cumulative. If you are running a CU supported by the SU, you do not need to install all SUs in sequential order; simply install the latest SU. Please see this blog post for more information.
Do we need to install SUs on all Exchange Servers within our organization? What about ‘Management Tools only’ machines?
Our recommendation is to install SUs on all Exchange Servers and all servers and workstations running the Exchange Management Tools to ensure compatibility between management tools clients and servers.
Updates to this post:
- 3/24/2023: Added a link to Guidance for investigating attacks using CVE-2023-23397.
- 3/24/2023: Corrected the statement about defense in depth Exchange fix; it does not apply only to messages sent from outside of the organization.
- 3/24/2023: Clarified the FAQ about relationship of Exchange and Outlook fixes
- 3/23/2023: Added a note mentioning the CVE-2023-23397 defense in depth fix included in Exchange Server March 2023 SUs (or later)
- 3/17/2023: Clarified the wording related to the need to remove the workaround for EWS crash, if customers applied it after installing February SU
- 3/16/2023: Added a link to CVE-2023-23397 script FAQ page
- 3/16/2023: Added "For customers using Exchange Server 2016 or 2019 (with no Exchange 2013) who have non-default applications installed through ECP add-ins, the ECP add-ins page might be broken after February SU is installed" under Issues Resolved. We expect that if there is no Exchange Server 2013 in the mix, add-ins will work with March SU installed.
- 3/15/2023: Added a clarification for installation of Outlook updates in the FAQ for Hybrid mode
- 3/15/2023: Added the "What is the relationship of Exchange Server March 2023 SU and Outlook fix for CVE-2023-23397?" FAQ pair.
- 3/15/2023: Added a link to Get-App and GetAppManifests fail and return an exception under issues resolved.
- 3/15/2023: Added a link to MSRC blog post with details about Outlook vulnerability.
- 3/14/2023: Clarified the wording about how and when to run Outlook vulnerability script.
- 3/14/2023: Removed the section "For some customers, who have non-default applications installed through ECP add-ins, the ECP add-ins page might be broken after February SU is installed" from Issues Resolved while investigating a report the issue is still not resolved.
The Exchange Server Team