Because we are aware of active exploits of related vulnerabilities (limited targeted attacks), our recommendation is to install these updates immediately to be protected against these attacks.
The November 2022 SUs contain fixes for the zero-day vulnerabilities reported publicly on September 29, 2022 (CVE-2022-41040 and CVE-2022-41082).
These vulnerabilities affect Exchange Server. Exchange Online customers are already protected from the vulnerabilities addressed in these SUs and do not need to take any action other than updating any Exchange servers in their environment.
More details about specific CVEs can be found in the Security Update Guide (filter on Exchange Server under Product Family).
The following update paths are available:
Install the latest CU. Go to Exchange Update Wizard and choose your currently running CU and your target CU to get directions.
Inventory your Exchange Servers to determine which updates are needed using the latest release of the Exchange Server Health Checker script. Running this script will tell you if any of your Exchange Servers are behind on updates (CUs, SUs, or manual actions). Re-run Health Checker after you install the SU to validate no further action is needed.
Exchange 2013 Queue Viewer tool might stop working after installation of November SU, with error
Type is not resolved for member 'Microsoft.Exchange.Diagnostics.BlockedDeserializeTypeException,Microsoft.Exchange.Diagnostics, Version=18.104.22.168, Culture=neutral, PublicKeyToken= Exeption type: System.Runtime.Serialization.SerializationExeption Two workarounds exist: if you have a higher version of the server (Exchange Server 2016 or 2019) you can connect to Exchange Server 2013 Queue Viewer from those. Alternatively, you can use Exchange Management Shell (EMS) on the updated Exchange Server 2013 to monitor queues.
Issues resolved by this release
Delivery Report search from ECP might fail with IIS logs showing SEC_E_BAD_BINDINGS in a cross-site scenario after enabling Extended Protection
Export-UMPrompt could fail with InvalidResponseException
We already applied mitigations for CVE-2022-41040 and CVE-2022-41082. Do we need to install this SU? Mitigations are not actual code fixes of specific vulnerabilities. Please install the November 2022 (or later) SU on your Exchange servers to address CVE-2022-41040 and CVE-2022-41082.
Do we have to remove mitigation for CVE-2022-41040 after installing the November 2022 (or later) SU? It is not necessary to remove mitigation already applied to your servers. Please note that if you are removing a mitigation, do it after Nov 2022 (or later) SU is installed and you have verified your server is fully up to date using the Health Checker script. To address different types of mitigations:
Applied by EEMS – if mitigation is manually removed, it will be re-applied again until we update the mitigation XML file in our service. We will update the list of mitigations released as soon as we start excluding the security fixed Exchange Server builds for this particular mitigation. Update: we have now modified the released XML file with mitigations so they will not be applied to servers which have been updated to November SUs. If you wish to remove the mitigations manually at this point, you can do so and EEMS will not re-apply them.
Applied manually – you could remove the mitigation manually by modifying IIS settings.
Applied using the EOMTv2 script – you could remove the mitigation using .\EOMTv2.ps1 -RollbackMitigation.
How does this SU relate to Extended Protection feature? If you already enabled Extended Protection on your servers, install the SU as usual. If you did not enable Extended Protection yet, our recommendation is to enable it after installing November (or any later) SU. Running Health Checker script will always help you validate exactly what you might need to do after SU installation.
The last SU that we installed is (a few months old). Do we need to install all SUs in order, to install the latest one? Our security updates are cumulative. If you are running the CU that the SU can be installed on, you do not need to install all the SUs in sequential order but can install the latest. Please see this blog post for more information.
Our organization is in Hybrid mode with Exchange Online. Do we need to do anything? Exchange Online is already protected, but the November 2022 SU needs to be installed on your Exchange servers, even if they are used only for management purposes. You do not need to re-run the Hybrid Configuration Wizard after installing these updates.
Updates to this post:
12/1: Mentioned that EEMS XML file with mitigation rules has been updated so mitigations will not be applied to servers that do not have mitigations yet and are running November SU (or newer)
11/14: Added a known issue with Exchange Server 2013 Queue Viewer, and workarounds