Released: March 2024 Exchange Server Security Updates
Published Mar 12 2024 10:06 AM 180K Views

Update 4/23/2024: We have now released April 2024 Hotfix Updates which address known issues in March 2024 SU updates.

Microsoft has released Security Updates (SUs) for vulnerabilities found in:

  • Exchange Server 2019
  • Exchange Server 2016

SUs are available for the following specific versions of Exchange Server:

  • Exchange Server 2019 CU13 and CU14
  • Exchange Server 2016 CU23

The March 2024 SUs address vulnerabilities responsibly reported to Microsoft by security partners and found through Microsoft’s internal processes. Although we are not aware of any active exploits in the wild, our recommendation is to immediately install these updates to protect your environment.

These vulnerabilities affect Exchange Server. Exchange Online customers are already protected from the vulnerabilities addressed by these SUs and do not need to take any action other than updating any Exchange servers or Exchange Management tools workstations in their environment.

More details about specific CVEs can be found in the Security Update Guide (filter on Exchange Server under Product Family).

Security Advisory ADV24199947 information

After you install this security update, Exchange Server no longer uses Oracle Outside In Technology (also known as OutsideInModule or OIT). OIT performs text extraction operations when processing email messages that have attachments in Exchange Transport Rule (ETR) and Data Loss Prevention (DLP) scenarios.

For more information, see The OutsideInModule module is disabled after installing the March 2024 SU.

Update installation

The following update paths are available:

Mar2024SUs.jpg

Known issues with this release (please see April 2024 Hotfix Update for resolution):

FAQs

Our organization is in Hybrid mode with Exchange Online. Do we need to do anything?
Exchange Online is already protected, but this SU needs to be installed on your Exchange servers, even if they are used only for management purposes. If you change the auth certificate after installing an SU, you should re-run the Hybrid Configuration Wizard.

The last SU we installed is a few months old. Do we need to install all SUs in order to install the latest one?
SUs are cumulative. If you are running a CU supported by the SU, you do not need to install all SUs in sequential order; simply install the latest SU. Please see this blog post for more information.

Do we need to install SUs on all Exchange Servers within our organization? What about ‘Management Tools only’ machines?
Our recommendation is to install SUs on all Exchange Servers and all servers and workstations running the Exchange Management Tools to ensure compatibility between management tools clients and servers. If you are trying to update the Exchange Management Tools in the environment with no running Exchange servers, please see this.

Documentation may not be fully available at the time this post is published.

Blog post updates:

  • 4/23/2024: Added a banner and links to April 2024 Hotfix Updates which address known issues with March 2024 SU
  • 4/5/2024: Added a known issue with published calendars.
  • 3/28/2024: Added a known issue where some add-ins are not working properly.
  • 3/22/2024: Added a 'yellow envelope icon' issue to known issues.
  • 3/14/2024: Added a workaround for the Outlook Search issue that some environments (not all) can experience.

The Exchange Server Team

369 Comments
Co-Authors
Version history
Last update:
‎Apr 23 2024 10:22 AM
Updated by: