Released: October 2021 Exchange Server Security Updates
Published Oct 12 2021 10:00 AM

Microsoft has released security updates for vulnerabilities found in:

  • Exchange Server 2013
  • Exchange Server 2016
  • Exchange Server 2019

These updates are available for the following specific builds of Exchange Server:

IMPORTANT: If manually installing security updates, you must install the .msp from an elevated command prompt (do not choose Run after download).

  • Exchange Server 2013 CU23 (Exchange 2013 customers might also need to run /PrepareSchema. Please see this post.)
  • Exchange Server 2016 CU21 and CU22
  • Exchange Server 2019 CU10 and CU11
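The elevated-install requirement in the IMPORTANT note above, as an added PowerShell example (not part of the original post or of Microsoft's tooling): it refuses to run unless the session is elevated, then applies the .msp with msiexec and writes a verbose log. The parameter names and log location are assumptions, and the Authenticode check is an extra precaution the post does not ask for.

```powershell
# Added example: apply an Exchange security update (.msp) only from an elevated session.
# $MspPath is a placeholder; point it at the .msp downloaded for your CU.
param(
    [Parameter(Mandatory = $true)] [string] $MspPath,
    [string] $LogPath = "$env:TEMP\ExchangeSU-install.log"   # assumed log location
)

# Check whether this session holds the local Administrators role in its token.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

if (-not $isAdmin) {
    # Stop here rather than letting the patch run without sufficient rights.
    throw "Session is not elevated. Start PowerShell with 'Run as administrator' and retry."
}

if (-not (Test-Path -LiteralPath $MspPath -PathType Leaf)) {
    throw "Update package not found: $MspPath"
}

# Extra precaution (not required by the post): confirm the package signature is intact.
$sig = Get-AuthenticodeSignature -LiteralPath $MspPath
if ($sig.Status -ne 'Valid') {
    throw "Signature status for $MspPath is '$($sig.Status)'; not installing."
}

# Apply the patch and keep a verbose Windows Installer log for troubleshooting.
$msiArgs = @('/update', "`"$MspPath`"", '/l*v', "`"$LogPath`"")
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

switch ($proc.ExitCode) {
    0       { "Update installed. Log: $LogPath" }
    3010    { "Update installed; a restart is required. Log: $LogPath" }
    default { throw "msiexec exited with code $($proc.ExitCode). See $LogPath" }
}
```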

The October 2021 security updates for Exchange Server address vulnerabilities responsibly reported by security partners and found through Microsoft’s internal processes. Although we are not aware of any active exploits in the wild, our recommendation is to install these updates immediately to protect your environment.

These vulnerabilities affect on-premises Microsoft Exchange Server, including servers used by customers in Exchange Hybrid mode. Exchange Online customers are already protected and do not need to take any action.

More details about specific CVEs can be found in the Security Update Guide (filter on Exchange Server under Product Family).

Update installation

Two update paths are available:

[Image: October 2021 SU update paths]

Inventory your Exchange Servers / determine which updates are needed

Use the Exchange Server Health Checker script (use the latest release) to inventory your servers. Running this script will tell you if any of your Exchange Servers are behind on updates (CUs and SUs).

Update to the latest Cumulative Update

Go to https://aka.ms/ExchangeUpdateWizard and choose your currently running CU and your target CU to get directions for your environment.

If you encounter errors during or after installation of Exchange Server updates

If you encounter errors during installation, see the SetupAssist script. If something does not work properly after updates, see Repair failed installations of Exchange Cumulative and Security updates.

FAQs

My organization is in Hybrid mode with Exchange Online. Do I need to do anything?
While Exchange Online customers are already protected, the October 2021 security updates do need to be applied to your on-premises Exchange Servers, even if they are used only for management purposes. You do not need to re-run the Hybrid Configuration Wizard (HCW) after applying updates.

Do I need to install the updates on ‘Exchange Management Tools only’ workstations?
Servers or workstations running only Microsoft Exchange Management Tools (no Exchange services) do not need to apply these updates.

NOTE: This post might receive future updates; they will be listed here (if available).

The Exchange Server Team

22 Comments
Copper Contributor

Impossible to install

Files are used by the Microsoft Filtering Management service (but the service is disabled)

Neither through Windows Update nor manually (admin prompt)

Thanks

Copper Contributor

Please share some of your details. What was the OS platform and Exchange? So far we cannot replicate that behaviour.

 

Copper Contributor

After installing the update on Exchange 2013, I have a problem with access to OWA/ECP, like this:

https://support.microsoft.com/it-it/topic/impossibile-accedere-a-owa-o-ecp-dopo-l-installazione-di-e...

Do you have a solution?

Copper Contributor

In the case of Exchange 2013 with the October 2021 security updates installed without first running /PrepareSchema using the July 2021 CUs: is it supported to update the schema after installing the October security update by using the command "Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms"? Or is it necessary to uninstall the October updates first?

Copper Contributor

@andreasoc2350 

I think you have that issue if you don't run the update from an elevated/admin command prompt?

Copper Contributor

@DanielEarl  the installation was successful, but after that, I came up with the problem I indicated.

Copper Contributor

@andreasoc2350 Yes, the update will appear to install properly (it will complete) but you will see those OWA/ECP errors and it's because the update hasn't been run with sufficient privs. If you run the update again, but from an elevated cmd/ps session, I think it's likely to run properly and you won't get the errors.

See the section in the article above:

"IMPORTANT: If manually installing security updates, you must install .msp from elevated command prompt (do not choose Run after download)."

If you already did that, then sorry I am not sure.

Copper Contributor

To resolve the problem with ECP and OWA, it is necessary to rebind the certificate on the back end site in IIS. After that, do an iisreset and all is OK.

Copper Contributor

@DanielEarl I installed with the correct privileges!

Copper Contributor

I am just experiencing issues with the SU and Exchange Server 2013 CU23 on Windows Server 2012 R2.

The Exchange services are taking forever to start up. Installation was done with an elevated shell.

Startup type is "Automatic" but the services are taking much longer to start up.

Are you guys also experiencing those issues?

Brass Contributor

After updating the system on my end I am also seeing a problem with OWA

Windows 2012R2/ Exchange 2016 CU21 to CU22 with Security patch mentioned.

Issue:

When trying to log in to OWA, the user keeps getting redirected to the login page.

Outlook and phones are working properly.

Solution:

https://support.microsoft.com/en-us/topic/you-can-t-access-owa-or-ecp-after-you-install-exchange-ser...

 

You might have to wait for 3 hours for OWA to start working again. 

Copper Contributor

I have seen .NET updates create problems very often. Better to have a pool of front ends. These updates often break... These updates also change to defaults... Any custom configurations that you might have done will be overwritten. Better to keep a copy of your customized configuration.

Copper Contributor

I experienced one problem with ECP some hours after the update. The screenshot shows what I see after entering ECP. OWA works properly, all the certs are OK. The advice presented here is useless for me now. Honestly I don't know what to do.

UPD: solved. The SU is not the reason for this problem.

[Screenshot: ecp_1.png]

Iron Contributor

@azotov Seeing the same issue with /ecp

 

@The_Exchange_Team  Microsoft ?

Copper Contributor

@Sam_T My solution was to remove "HTTP Header" from IIS - "x-content-type-options". Then reload /ECP page with Ctrl+F5.

I found the solution here: Exchange 2016 - CU8 ECP - Only showing text (microsoft.com)

Copper Contributor

SOLVED:

I solved it by following these two articles. The most accurate is the Spiceworks one; the Microsoft one was not precise on one step: when you create the new certificate, you have to give U, so as not to assign the certificate already, but you have to do it later.
After applying the change, I waited a few hours for it to work. Even if you reboot it doesn't change; it needs a few hours, and now everything is working.

https://community.spiceworks.com/topic/2299094-exchange-2013-on-prem-microsoft-exchange-server-auth-...

https://docs.microsoft.com/en-us/exchange/troubleshoot/administration/exchange-oauth-authentication-...

Thanks to all

Copper Contributor

Hi Exchange Team,

Is /PrepareSchema required with this patch, if it was already done during the July 2021 security patch install on 2013 CU23?

Thanks!

Copper Contributor

@dmdovnar /PrepareSchema is not required if CU23 is already installed. I'm in the same situation.

Copper Contributor
dmdovnar

No, the schema after the July patching is the newest one; no new schema extension is required.

Copper Contributor

Dear The Exchange Team,

I had a problem installing KB5007012 for CU21 for Exchange Server 2016. After initial troubleshooting I decided to install CU22 for Exchange Server 2016 rather than repeating the installation of the update concerned, hoping to overcome the problem in this manner. Checking for new updates on the server brings no new updates. Unfortunately, WSUS keeps reminding me to install KB5007012 (now for CU22 for Exchange Server 2016). The link published in WSUS brings me to your Tech Community site.

Any idea?

Copper Contributor

I have installed the Security Update on Exchange Server 2019 CU11 using a cmd prompt. Unfortunately, it is not showing up on my Exchange Server build. But upon checking Control Panel > Installed Updates, KB5007012 is already installed. Will it reflect on the build number of the Exchange Server?

Copper Contributor

I've installed this latest security update on my Exchange 2013 CU23. Our schema master is in an empty root domain. As per the instructions, I created a Windows 2012 R2 server in our root domain, installed just the Exchange 2013 CU23 Management Tools on it, and installed this latest security update as well, but when I run the following from an elevated command prompt to update the schema: Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms, I receive the below error:

 

C:\Program Files\Microsoft\Exchange Server\V15\Bin>Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms

 

Microsoft Exchange Server 2013 Cumulative Update 23 Unattended Setup


The Exchange Server setup operation didn't complete. More details can be found
in ExchangeSetup.log located in the <SystemDrive>:\ExchangeSetupLogs folder.

 

In the Exchange setup logs, I see this:

Operating system version: Microsoft Windows NT 6.2.9200.0.
[0] Setup version: 15.0.1497.24.
Logged on user: (removed user).
Command Line Parameter Name='prepareschema', Value=''.
Command Line Parameter Name='iacceptexchangeserverlicenseterms', Value=''.
Command Line Parameter Name='sourcedir', Value='C:\Program Files\Microsoft\Exchange Server\V15\Bin'.
RuntimeAssembly was started with the following command: '/PrepareSchema /IAcceptExchangeServerLicenseTerms /sourcedir:C:\Program Files\Microsoft\Exchange Server\V15\Bin'.
[0] The registry key, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Exchange\v8.0, wasn't found.
[0] The registry key, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ExchangeServer\v14, wasn't found.
[0] Assembly dll file location is C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Setup.Console.dll
[0] [ERROR] Exception has been thrown by the target of an invocation.
[0] [ERROR] Could not load file or assembly 'Microsoft.Exchange.CabUtility.dll' or one of its dependencies. The specified module could not be found.
[0] CurrentResult SetupLauncherHelper.loadassembly:444: 1
[0] The Exchange Server setup operation didn't complete. More details can be found in ExchangeSetup.log located in the <SystemDrive>:\ExchangeSetupLogs folder.
[0] CurrentResult main.run:235: 1
[0] CurrentResult setupbase.maincore:396: 1
[0] End of Setup

 

I installed the management tools on this server using an elevated command prompt and running this: Setup.exe /Role:ManagementTools /InstallWindowsComponents /IAcceptExchangeServerLicenseTerms, pointing to the setup files for Exchange 2013 CU23. I rebooted the server afterwards as well.

Let me know how this can be resolved so I can update the schema.

Thank you

Last update: Oct 15 2021 11:46 AM