Released: May 2021 Exchange Server Security Updates
Published May 11 2021 09:54 AM 104K Views

Microsoft has released security updates for vulnerabilities found in:

  • Exchange Server 2013
  • Exchange Server 2016
  • Exchange Server 2019

These updates are available for the following specific builds of Exchange Server:

  • Exchange Server 2013 CU23
  • Exchange Server 2016 CU19 and CU20
  • Exchange Server 2019 CU8 and CU9

The May 2021 security updates for Exchange Server address vulnerabilities responsibly reported by security partners and found through Microsoft’s internal processes. Although we are not aware of any active exploits in the wild, our recommendation is to install these updates immediately to protect your environment.

These vulnerabilities affect on-premises Microsoft Exchange Server, including servers used by customers in Exchange Hybrid mode. Exchange Online customers are already protected and do not need to take any action.

More details about specific CVEs can be found in the Security Update Guide (filter on Exchange Server under Product Family).

Known issues in May 2021 security updates

During the release of April 2021 SUs, we received some reports of issues after installation. The following issues reported for April 2021 SUs also apply to May SUs and have the following workarounds:

  • Administrator/Service accounts ending in ‘$’ cannot use the Exchange Management Shell or access ECP. The only workaround at this time is to rename Admin accounts or use accounts with no ‘$’ at the end of the name.
  • Some cross-forest Free/Busy relationships based on Availability address space can stop working (depending on how authentication was configured) with the error: “The remote server returned an error: (400) Bad Request.” Please see this KB article for how to work around this problem.
  • After application of the Exchange Server April or May security updates, cmdlets executed against the Exchange Management Console using an invoked runspace might fail with the following error message: The syntax is not supported by this runspace. This can occur if the runspace is in no-language mode. Please see this KB article for more information.

Additional fixes in May 2021 security update

In addition to the fixes for the vulnerabilities, we also fixed an issue with the version info that is returned in the protocol response headers. Prior to this release, the version information in the protocol response headers was incomplete and inaccurate. We have fixed this in the May 2021 security updates and now admins can correctly validate the security patch status of servers.
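Checking that header from the client side, as an added example that is not code from the Exchange Team's post or from the Health Checker script: the post does not name the header it fixed, so this assumes the build is carried in the X-OWA-Version header of the first OWA response; the URL and the expected build below are constructed placeholders to replace with your own namespaces and the build listed in the SU's KB article.

```powershell
# Added example, not part of the Exchange Team's post. Reads the version header an Exchange
# front end returns so the SU level can be confirmed without logging on to the server.
# Assumption: the header is X-OWA-Version (the post does not name the header it fixed).
function Get-ExchangeVersionHeader {
    param(
        [Parameter(Mandatory)][string]$Url,
        [string]$HeaderName = 'X-OWA-Version'
    )
    $request = [System.Net.HttpWebRequest]::Create($Url)
    $request.Method = 'GET'
    $request.AllowAutoRedirect = $false   # the first response (usually a 302 to the logon page) already carries the header
    $request.Timeout = 10000
    try {
        $response = $request.GetResponse()
    }
    catch [System.Net.WebException] {
        # 401/403 raise a WebException, but the response and its headers are still attached to it
        if ($null -eq $_.Exception.Response) { throw }
        $response = $_.Exception.Response
    }
    try {
        $raw = $response.Headers[$HeaderName]
        [pscustomobject]@{
            Url        = $Url
            StatusCode = [int]$response.StatusCode
            Build      = if ($raw) { [version]$raw } else { $null }
        }
    }
    finally {
        $response.Close()
    }
}

# Constructed sample input: replace with your own namespaces and the SU build from the KB article.
$urls          = @('https://mail.contoso.com/owa/')
$expectedBuild = [version]'15.1.2176.9999'   # revision 9999 is a PLACEHOLDER that fails closed until the real SU build is filled in

foreach ($result in ($urls | ForEach-Object { Get-ExchangeVersionHeader -Url $_ })) {
    if ($null -eq $result.Build) {
        $status = 'no version header returned'
    }
    elseif ($result.Build -ge $expectedBuild) {
        $status = 'at or above expected build'
    }
    else {
        # Servers without the May 2021 SU report an incomplete build here, so they land in this branch too.
        $status = 'BELOW expected build: SU status not confirmed'
    }
    '{0} -> {1} ({2})' -f $result.Url, $result.Build, $status
}
```

The redirect is deliberately not followed: the version header is on the first response, and following it would only fetch the logon page. A server that still reports the CU-level build falls into the last branch, which is the correct reading of the post: before the May 2021 SU the header cannot be used to confirm patch status.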

Update installation

Two update paths are available:

[Image: May21SU.jpg, diagram of the two update paths]

Inventory your Exchange Servers

Use the Exchange Server Health Checker script (use the latest release), to inventory your servers. Running this script will tell you if any of your Exchange Servers are behind on updates (CUs and SUs).

Update to the latest Cumulative Update

Go to https://aka.ms/ExchangeUpdateWizard and choose your currently running CU and your target CU. Then click the “Tell me the steps” button, to get directions for your environment.

If you encounter errors during or after installation of Exchange Server updates

If you encounter errors during installation, see the SetupAssist script. If something does not work properly after updates, see Repair failed installations of Exchange Cumulative and Security updates.
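The inventory step above, as an added example that is not the Health Checker script or any code from the post: it lists every server with the CU build from Get-ExchangeServer beside the file version of ExSetup.exe (which the SUs update) and compares the latter with the build the May 2021 SU leaves behind. Assumptions: it runs in the Exchange Management Shell with PowerShell remoting to each server, the ExchangeInstallPath environment variable that Exchange setup defines is present on each server, and the required-build table holds a placeholder revision (9999) that must be replaced with the SU build from the KB article; 15.1.2176.2 for Exchange 2016 CU19 is the base build quoted in the comments on this post.

```powershell
# Added example, not the Health Checker script and not code from the Exchange Team's post.
# Assumes: run from the Exchange Management Shell, PowerShell remoting (WinRM) to every server,
# and the ExchangeInstallPath environment variable that Exchange setup defines on each server.
function Get-ExchangeBuildInventory {
    param(
        # CU base build (major.minor.build) -> build the May 2021 SU leaves behind for that CU.
        # Revision 9999 is a PLACEHOLDER that fails closed; replace it with the build from the SU's KB article.
        [hashtable]$RequiredBuild = @{
            '15.1.2176' = [version]'15.1.2176.9999'   # Exchange 2016 CU19 (base build 15.1.2176.2, quoted in this thread)
        }
    )
    foreach ($server in Get-ExchangeServer) {
        # AdminDisplayVersion only reflects the CU, e.g. "Version 15.1 (Build 2176.2)"; SUs never change it.
        $cuBuild = $null
        if ("$($server.AdminDisplayVersion)" -match 'Version (\d+)\.(\d+) \(Build (\d+)\.(\d+)\)') {
            $cuBuild = [version]('{0}.{1}.{2}.{3}' -f $Matches[1], $Matches[2], $Matches[3], $Matches[4])
        }
        # ExSetup.exe is replaced by every SU, so its file version is the local record of the SU level.
        $fileBuild = Invoke-Command -ComputerName $server.Fqdn -ScriptBlock {
            $exsetup = Join-Path $env:ExchangeInstallPath 'Bin\ExSetup.exe'
            (Get-Item $exsetup).VersionInfo.ProductVersion   # e.g. "15.01.2176.002" before any SU
        }
        $fileBuild = [version]$fileBuild
        $cuKey     = '{0}.{1}.{2}' -f $fileBuild.Major, $fileBuild.Minor, $fileBuild.Build
        $required  = $RequiredBuild[$cuKey]
        if (-not $required) {
            $status = 'CU not in table: confirm it is a CU the May 2021 SU supports, else update the CU first'
        }
        elseif ($fileBuild -ge $required) {
            $status = 'May 2021 SU present'
        }
        elseif ($cuBuild -and $fileBuild.Revision -gt $cuBuild.Revision) {
            $status = 'older SU only: install the May 2021 SU'
        }
        else {
            $status = 'no SU on this CU: install the May 2021 SU'
        }
        [pscustomobject]@{
            Server    = $server.Name
            CuBuild   = $cuBuild
            FileBuild = $fileBuild
            Status    = $status
        }
    }
}

Get-ExchangeBuildInventory | Sort-Object Status | Format-Table -AutoSize
```

Two file versions are read on purpose: AdminDisplayVersion answers "which CU is this" (the list of supported CUs above), while the ExSetup.exe version answers "which SU is on it", and a server whose two revisions are equal has never received an SU on that CU. Because the SUs are cumulative, only the May 2021 build needs to be in the table; an older SU shows up as a revision between the CU base and the required build.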

FAQs

My organization is in Hybrid mode with Exchange Online. Do I need to do anything?
While Exchange Online customers are already protected, the May 2021 security updates do need to be applied to your on-premises Exchange Server, even if it is used only for management purposes. You do not need to re-run the Hybrid Configuration Wizard (HCW) after applying updates.

Do the May 2021 security updates contain the April 2021 security updates for Exchange Server?
Yes, our security updates are cumulative. Customers who installed the April 2021 security updates for supported CUs can install the May 2021 security updates and be protected against the vulnerabilities that were disclosed during those months.

Do I need to install the updates on ‘Exchange Management Tools only’ workstations?
Servers or workstations running only Microsoft Exchange Management Tools (no Exchange services) do not need to apply these updates.

Updates to this post:

  • 5/12: Added (and removed) a note about manual steps needed to address CVE-2021-1730; this CVE is from February 2021, and a few of our customers mentioned that the Health Checker script is now calling out manual steps needed. Please see the CVE details for more information.
  • 5/11: Clarified the wording around protocol response header

The Exchange Team

24 Comments
Copper Contributor

Hello,

Can you clarify why we need to patch an Exchange hybrid only use for management purpose ?

( We are using multiple hybrid servers for many customers without any inbound connection from internet. )

So the exploit cannot be run from internet.

In this situation I understand that I need to patch but not in an emergency way ( as it was the case in March).

Thanks for your clarification.

 

Brass Contributor

@The_Exchange_Team 

Patch Tuesday first, or May 2021 security updates first?

 

Brass Contributor

The new version of the Exchange Server Health Checker script says something about "DownloadDomains". An additional certificate is also a necessity. As certificates cost money, that's not what I like to hear. Additionally, I don't really understand what it is needed for.

 

If the primary domain is contoso.com one should use something like download.contoso.com as additional domain.

 

- If you have more than one mail domain, do you still need only one additional domain, or one each?

- Will that necessity be gone with the next CU (Exchange 2016 CU21 in my case)?

 

 

Iron Contributor

@The_Exchange_Team Thank you for the clear information!

Brass Contributor

Hello

 

Regarding the new Health Checker, there are a few bugs that need to be sorted out.

I do have Exchange 2016 CU19 with all available sec patches installed, but your script reports CU18 incorrectly, and then shows all CU19 sec updates correctly,

as per below from running your script:

 

Hardware/OS/Exchange Information:
Hardware Type: VMWare
Operating System: Microsoft Windows Server 2016 Standard
System up since: 23 day(s), 23 hour(s), 50 minute(s), 10 second(s)
Time Zone: Eastern Standard Time
Exchange: Exchange 2016 CU18
Build Number: 15.1.2176.2
Exchange IU or Security Hotfix Detected
Security Update for Exchange Server 2016 Cumulative Update 19 (KB4602269)
Security Update for Exchange Server 2016 Cumulative Update 19 (KB5000871)
Security Update for Exchange Server 2016 Cumulative Update 19 (KB5001779)
Server Role: Mailbox

 

Page file issue as per your script

Pagefile Settings:
Pagefile Size: Page file is set to (32778) which appears to be More than the Total System Memory plus 10 MB which is (32777) this appears to be set incorrectly. --- Warning: Article: https://docs.microsoft.com/en-us/exchange/exchange-2013-sizing-and-configuration-recommendations-exc...
Note: We are calculating the page file size based off the WMI Object Win32_ComputerSystem. This is what is available on the OS.

 

If my memory serves me well, 32 GB is 32768 plus 10 MB, which would be 32778; kinda silly error.

 

No longer any info about certificates installed on the system; also, you were never showing the type of the certificate (SHA1 or SHA2), which would be helpful to some Exchange admins.

 

Multiple active network adapters detected. Exchange 2013 or greater may not need separate adapters for MAPI and replication traffic. For details please refer to https://docs.microsoft.com/en-us/exchange/planning-for-high-availability-and-site-resilience-exchang...

 

Why flag this in yellow as a big warning? We have been running in this config for years with no issues.

 

NIC Power Saving: Not configured --- Warning: It's recommended to disable NIC power saving options

Both my network adapters have everything turned off under Properties -> Power Management settings; unless there is another way to turn it off, and if there is, I would like to know where this setting is located.

 

that's all for now, thanks

Microsoft

@Vinch_BE - a server that is running on premises when hybrid is an actual Exchange server (Exchange services are running). We are calling this out not because those servers are specifically vulnerable; rather - people might forget that they are Exchange servers too, are running Exchange services and as such need to be updated; that's all.

 

@sjhudson - they are actions that do not depend on each other; do what you'd usually do. Exchange can take updates independently from Windows updates.

 

Microsoft

@null null The reason why the Exchange Health Checker is reporting an incorrect version of Exchange is because you need to download the latest version. If you don't update the Health Checker, it can't correctly report the latest versions of Exchange. Download the latest version here: https://aka.ms/ExchangeHealthChecker 

 

@Test-RRR The Exchange Health Checker calls out Security Vulnerabilities that are posted under Vulnerabilities - Security Update Guide - Microsoft. For the CVE-2021-1730, it provided that you needed to take additional steps to protect against this vulnerability besides just installing the update. We then added those checks, based off what is in the article, within the script to help call this out to allow admins to be aware if they are still vulnerable or not. 

Brass Contributor

Have the latest version running 2.44.7, even the previous versions worked just fine :)

Microsoft

@null null That isn't the latest version, hence why I provided to upgrade it. That version is from Oct 26th, 2020. There have been multiple releases since that date. CU19 was released in Dec, so there is no way for that version of the script to know of CU19.

 

The latest release as of right now is v21.05.11.1059. 

Microsoft

@null null What might help understand the versioning difference etc. is this: Exchange Health Checker has a new home - Microsoft Tech Community

Brass Contributor

sorry about that

Running the latest version, I hope: Exchange Health Checker version 21.05.11.1059

 

A few things I found when running the script

under:

Frequent Configuration Issues
-----------------------------
TCP/IP Settings: 900000
RPC Min Connection Timeout: 120
More Information: https://blogs.technet.microsoft.com/messaging_with_communications/2012/06/06/outlook-anywhere-networ...

 

RPC is set to 120 seconds in the registry, so why is it not green like TCP/IP Settings? Is there another, more preferred value?

 

Certificates are being listed, but it would be nice to see if the cert is SHA1 or SHA2; I know this is old news, but it would help some Exchange admins.

 

other than that it looks good. Thanks

Microsoft

@null null Thanks, good to hear that got sorted; as far as your suggestions go, do you mind providing the feedback via one of the methods mentioned here? We are kind of crossing the streams now... :)

Brass Contributor

@Nino Bilic will do, thanks

Copper Contributor

March SU, April SU, now May SU; you do work very hard, MSFT. I haven't finished installing the April SU until now. Please do me a favor: please don't release SUs so frequently. As an email admin, my only job now is installing SUs. Thanks.

Copper Contributor

So far I've seen two Exchange servers (both 2016) at unrelated organizations in the last 24 hours that have run this update and then had this problem:

Information Store won't start.
AD Topology Service won't stop.

None of the relevant services were disabled--they just wouldn't start or stop.
Problems starting other services like Service Host.

The only fix was to restore from backup and block the patch.
In the environment I had direct access to, they were running Avast and Huntress on the server.

Are other people seeing this?

Copper Contributor

Hi,

@The_Exchange_Team thank you for the information provided. Just to double check: if we applied the April 2021 security patch to Exchange 2016 CU19 and are planning to upgrade to CU20, then we should be good to just apply the May 2021 security patch without the need to reapply previous security patches? Thanks again.

Copper Contributor

@The_Exchange_Team Regarding the question about download domains, would it be a "good idea" to set this to the already existing autodiscover name? As I understand it, it just has to be a different location than the OWA URL from which the inline images would be downloaded, right? This feature isn't that well documented at all. Would be nice to have a bit more to go on.

 

Regards

Norbert

Iron Contributor

@DaveShackelford Haven't seen these issues, but since applying KB5003435 on an Exchange 2019 CU9 server in a small test environment we've been seeing intermittent and inexplicable delayed message delivery. This includes messages sent internally between Exchange mailboxes in the same database. First time seeing this, and this server has been on every CU since Exchange 2019 RTM. Anyone else seeing any issues after the application of KB5003435?

 

For the problem you saw, are all of the Microsoft recommended file/folder/process antivirus exclusions in place?

Copper Contributor

Does anyone else have any issues with these updates when you first launch them taking forever on Calculating Space Requirements? What is it actually checking and is there any way to speed it up? We have multiple servers to update and this just adds way too much time. It takes around 10-15 minutes on most servers. And they have plenty of free space. 

Iron Contributor

@Nino Bilic Hello Nino. KB5003435, like KB5001779 and KB5000871 before it, is not visible by running get-hotfix or by looking for updates in WAC when installed on a Windows 2019 Core server. This is not a problem with other Windows Server security hotfixes - only with Exchange hotfixes. This is an issue for administrators, installers, etc. When will this be addressed? Do you see the same thing on your Windows 2019 Core servers?

Copper Contributor

Having the same issue with the May SU KB5003435 not getting installed on multiple servers (Desktop version), both with Exchange Server 2016 and 2019. The underlying CU requirements are OK on all machines; still, the update wasn't installed via Windows Update (unlike the April version).
Does anyone know if this is being addressed by Microsoft?

Copper Contributor

I updated to Exchange 2016 CU21 (15.01.2308.008) a few weeks ago; does this mean I’m already covered?

Version history
Last update:
‎May 12 2021 02:31 PM