Exchange Team Blog
September 2023 release of new Exchange Server CVEs (resolved by August 2023 Security Updates)

The_Exchange_Team
Sep 12, 2023

You may have noticed that several new Exchange Server CVEs were released today (as part of the September 2023 ‘Patch Tuesday’). If you haven’t yet, you can go to the Security Update Guide and filter on Exchange Server under Product Family to review CVE information.

The CVEs released today were actually addressed in the August 2023 Exchange Server Security Update (SU). Due to the timing of validation of those fixes and release dates, we decided to release the CVEs as part of the September 2023 ‘Patch Tuesday’ release cycle. We know that many customers are accustomed to checking for Microsoft security releases on the second Tuesday of every month, and we did not want these CVEs to go unnoticed.

To summarize:

  • The Exchange Server CVEs released today can be addressed by installing the August 2023 SU (both v1 and the v2 re-release of the August SU contained those fixes).
  • There is no separate Exchange Server SU for September 2023. If you have not yet installed the August 2023 SU, please do so now.
  • We have updated the Exchange Health Checker to reflect today’s CVEs. Remember to run Health Checker often to ensure that no additional steps are needed in your environment.

The Exchange Server Team

Updated Nov 13, 2023
Version 3.0

8 Comments

  • SEANCHIU

    Hi!

    After updating to the latest SU (KB5030524) for our Exchange 2019 CU12 last week, more and more users have reported to us that their Outlook freezes for 10-15 sec, and then Outlook goes back to normal.

    It happens to random users / random EDB or MBX servers, and it is very hard to find the root cause.

    Does anyone have the same issue as me? I would very much appreciate it if there is any solution.

  • Vlad1310

    After installing the March SU and later, EWS on our Exchange server periodically stops working and the event log has error EventID:1309 ASP.NET 4.0.30319.0

    Restarting the pool (MSExchangeServicesAppPool) helps solve the problem for 3-5 days, and then the error returns.

    Event code: 3005
    Event message: An unhandled exception has occurred.
    Event time: 9/17/2023 4:31:10 PM
    Event time (UTC): 9/17/2023 1:31:10 PM
    Event ID: f02a79972c9047bdbdb85d7ca4b7194b
    Event sequence: 1
    Event occurrence: 1
    Event detail code: 0

    Application information:
    Application domain: /LM/W3SVC/2/ROOT/EWS-2817-133394310705321663
    Trust level: Full
    Application Virtual Path: /EWS
    Application Path: C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\exchweb\EWS\
    Machine name: EX01

    Process information:
    Process ID: 20608
    Process name: w3wp.exe
    Account name: NT AUTHORITY\SYSTEM

    Exception information:
    Exception type: TargetInvocationException
    Exception message: Exception has been thrown by the target of an invocation.
    at System.RuntimeTypeHandle.CreateInstance(RuntimeType type, Boolean publicOnly, Boolean noCheck, Boolean& canBeCached, RuntimeMethodHandleInternal& ctor, Boolean& bNeedSecurityCheck)
    at System.RuntimeType.CreateInstanceSlow(Boolean publicOnly, Boolean skipCheckThis, Boolean fillCache, StackCrawlMark& stackMark)
    at System.Activator.CreateInstance(Type type, Boolean nonPublic)
    at System.RuntimeType.CreateInstanceImpl(BindingFlags bindingAttr, Binder binder, Object[] args, CultureInfo culture, Object[] activationAttributes, StackCrawlMark& stackMark)
    at System.Activator.CreateInstance(Type type, BindingFlags bindingAttr, Binder binder, Object[] args, CultureInfo culture, Object[] activationAttributes)
    at System.Activator.CreateInstance(Type type, BindingFlags bindingAttr, Binder binder, Object[] args, CultureInfo culture)
    at System.Web.HttpRuntime.CreateNonPublicInstance(Type type, Object[] args)
    at System.Web.HttpApplication.BuildIntegratedModuleCollection(List`1 moduleList)
    at System.Web.HttpApplication.GetModuleCollection(IntPtr appContext)
    at System.Web.HttpApplication.RegisterEventSubscriptionsWithIIS(IntPtr appContext, HttpContext context, MethodInfo[] handlers)
    at System.Web.HttpApplication.InitSpecial(HttpApplicationState state, MethodInfo[] handlers, IntPtr appContext, HttpContext context)
    at System.Web.HttpApplicationFactory.GetSpecialApplicationInstance(IntPtr appContext, HttpContext context)
    at System.Web.Hosting.PipelineRuntime.InitializeApplication(IntPtr appContext)

    The type initializer for 'Microsoft.Exchange.HttpProxy.Routing.RoutingUpdateModule' threw an exception.
    at Microsoft.Exchange.HttpProxy.Routing.RoutingUpdateModule..ctor()

    The type initializer for 'Microsoft.Exchange.VariantConfiguration.EventLog.VariantConfigurationEventLogger' threw an exception.
    at Microsoft.Exchange.VariantConfiguration.ExchangeConfiguration.CreateRuntime()
    at Microsoft.Exchange.VariantConfiguration.ExchangeConfiguration.get_CommonRuntime()
    at Microsoft.Exchange.VariantConfiguration.ExchangeConfiguration`1.CreateAndRegisterInstance()
    at Microsoft.Exchange.VariantConfiguration.ExchangeConfiguration`1.get_Instance()
    at Microsoft.Exchange.VariantConfiguration.Cafe.CafeConfiguration.GetSnapshot(IConstraintProvider constraintProvider, IConstraintCollection additionalConstraints, IEnumerable`1 overrideFlights)
    at Microsoft.Exchange.HttpProxy.Routing.RoutingUpdateModule..cctor()

    The type initializer for 'Microsoft.Exchange.Diagnostics.ExTraceConfiguration' threw an exception.
    at Microsoft.Exchange.Diagnostics.BaseTrace..ctor(Guid guid, Int32 traceTag)
    at Microsoft.Exchange.Diagnostics.Components.Common.ExTraceGlobals.get_EventLogTracer()
    at Microsoft.Exchange.Diagnostics.ExEventLogFactory.ExEventLog..ctor(Guid componentGuid, String sourceName, String logName)
    at Microsoft.Exchange.Diagnostics.ExEventLogFactory.<>c.<.cctor>b__4_0(Guid componentGuid, String sourceName, String logName)
    at Microsoft.Exchange.Diagnostics.ExEventLogFactory.Create(Guid componentGuid, String sourceName, String logName)
    at Microsoft.Exchange.VariantConfiguration.EventLog.VariantConfigurationEventLogger.InternalConfigure()
    at Microsoft.Exchange.VariantConfiguration.EventLog.VariantConfigurationEventLogger.CreateEventLogger()
    at Microsoft.Exchange.VariantConfiguration.EventLog.VariantConfigurationEventLogger..cctor()

    The type initializer for 'Microsoft.Exchange.Diagnostics.ETWTrace' threw an exception.
    at Microsoft.Exchange.Diagnostics.InternalBypassTrace.TraceDebug(Int32 lid, Int64 id, String formatString, Object[] args)
    at Microsoft.Exchange.Diagnostics.ConfigFileHandler.GetFilePath()
    at Microsoft.Exchange.Diagnostics.ConfigFileHandler..ctor(String key, String defaultFileName)
    at Microsoft.Exchange.Diagnostics.ConfigFiles.get_Trace()
    at Microsoft.Exchange.Diagnostics.ExTraceConfiguration..ctor()
    at Microsoft.Exchange.Diagnostics.ExTraceConfiguration..cctor()

    Not enough storage is available to complete this operation
    at Microsoft.Exchange.Diagnostics.DiagnosticsNativeMethods.CriticalTraceRegistrationHandle.RegisterTrace(Guid provider, TraceGuidRegistration& guidRegistration, ControlCallback callback)
    at Microsoft.Exchange.Diagnostics.ETWTrace.RegisterGuid(EtwTraceGuids& traceGuids, CriticalTraceRegistrationHandle& regHandle, ControlCallback callback, IntPtr& eventHandle)
    at Microsoft.Exchange.Diagnostics.ETWTrace.StartTraceSession()
    at Microsoft.Exchange.Diagnostics.ETWTrace..ctor()
    at Microsoft.Exchange.Diagnostics.ETWTrace..cctor()



    Request information:
    Request URL: https://host/EWS/Exchange.asmx
    Request path: /EWS/Exchange.asmx
    User host address: ip address
    User:
    Is authenticated: False
    Authentication Type:
    Thread account name: NT AUTHORITY\SYSTEM

    Thread information:
    Thread ID: 421
    Thread account name: NT AUTHORITY\SYSTEM
    Is impersonating: False
    Stack trace: at System.RuntimeTypeHandle.CreateInstance(RuntimeType type, Boolean publicOnly, Boolean noCheck, Boolean& canBeCached, RuntimeMethodHandleInternal& ctor, Boolean& bNeedSecurityCheck)
    at System.RuntimeType.CreateInstanceSlow(Boolean publicOnly, Boolean skipCheckThis, Boolean fillCache, StackCrawlMark& stackMark)
    at System.Activator.CreateInstance(Type type, Boolean nonPublic)
    at System.RuntimeType.CreateInstanceImpl(BindingFlags bindingAttr, Binder binder, Object[] args, CultureInfo culture, Object[] activationAttributes, StackCrawlMark& stackMark)
    at System.Activator.CreateInstance(Type type, BindingFlags bindingAttr, Binder binder, Object[] args, CultureInfo culture, Object[] activationAttributes)
    at System.Activator.CreateInstance(Type type, BindingFlags bindingAttr, Binder binder, Object[] args, CultureInfo culture)
    at System.Web.HttpRuntime.CreateNonPublicInstance(Type type, Object[] args)
    at System.Web.HttpApplication.BuildIntegratedModuleCollection(List`1 moduleList)
    at System.Web.HttpApplication.GetModuleCollection(IntPtr appContext)
    at System.Web.HttpApplication.RegisterEventSubscriptionsWithIIS(IntPtr appContext, HttpContext context, MethodInfo[] handlers)
    at System.Web.HttpApplication.InitSpecial(HttpApplicationState state, MethodInfo[] handlers, IntPtr appContext, HttpContext context)
    at System.Web.HttpApplicationFactory.GetSpecialApplicationInstance(IntPtr appContext, HttpContext context)
    at System.Web.Hosting.PipelineRuntime.InitializeApplication(IntPtr appContext)


    Custom event details:

  • AnilD209 There is no difference in the payload of Aug v1 and v2 fixes (other than the setup issue was resolved in v2). So if v1 was installed, you are still covered as far as all of the CVEs released in September are concerned, yes.

    EDIT: Now added this in the blog post above.

  • AnilD209

    There were 2 patches released in August: the first one on 8th August and another one on 15th of August.

    Are we covered for the September CVEs if we have installed the 8th August patch on the servers, or do we need to install the one released on 15th August?

  • Deleted Unclear what you are asking. There are no Exchange Server updates for September. August 2023 SUs are it.

    For other products, our recommendation would be to stay up to date, just as with Exchange.

  • https://www.cve.org/CVERecord?id=CVE-2023-36794  

    Just do the update as soon as possible - is this a good approach in this case?