Released: November 2021 Exchange Server Security Updates
Published Nov 09 2021 10:01 AM 239K Views

Microsoft has released security updates for vulnerabilities found in:

  • Exchange Server 2013
  • Exchange Server 2016
  • Exchange Server 2019

These updates are available for the following specific builds of Exchange Server:

IMPORTANT: If manually installing security updates, you must install .msp from elevated command prompt (see Known Issues in update KB article).

The November 2021 security updates for Exchange Server address vulnerabilities reported by security partners and found through Microsoft’s internal processes. We are aware of limited targeted attacks in the wild using one of vulnerabilities (CVE-2021-42321), which is a post-authentication vulnerability in Exchange 2016 and 2019. Our recommendation is to install these updates immediately to protect your environment.

These vulnerabilities affect on-premises Microsoft Exchange Server, including servers used by customers in Exchange Hybrid mode. Exchange Online customers are already protected and do not need to take any action.

More details about specific CVEs can be found in Security Update Guide (filter on Exchange Server under Product Family).

Update installation

Two update paths are available:

Nov2021SUpath.jpg

Inventory your Exchange Servers / determine which updates are needed

Use the Exchange Server Health Checker script (use the latest release) to inventory your servers. Running this script will tell you if any of your Exchange Servers are behind on updates (CUs and SUs).

Update to the latest Cumulative Update

Go to https://aka.ms/ExchangeUpdateWizard and choose your currently running CU and your target CU to get directions for your environment.

If you encounter errors during or after installation of Exchange Server updates

If you encounter errors during installation, see the SetupAssist script. If something does not work properly after updates, see Repair failed installations of Exchange Cumulative and Security updates.

Known issues with update

FAQs

We installed November 2021 SU on our Exchange 2016/2019 servers. Is there something that we can check to see if exploit was attempted on our servers before the fix for CVE-2021-42321 was put in place?
Run the following (updated) PowerShell query on your Exchange server to check for specific events in the Event Log:

Get-WinEvent -FilterHashtable @{ LogName='Application'; ProviderName='MSExchange Common'; Level=2 } | Where-Object { $_.Message -like "*BinaryFormatter.Deserialize*" }

If events are found, please work with your Security Response team to analyze the server further.

Did Microsoft release a CVE-2021-42321 mitigation via either Exchange Server Emergency Mitigation Service or the stand-alone EOMT tool?
We have not released mitigations for this vulnerability. Please update your servers to resolve the vulnerability.

Will Microsoft be releasing November 2021 SUs for older (unsupported) versions of Exchange CUs?
No. Please update to one of the supported CUs to be able to install November SUs.

My organization is in Hybrid mode with Exchange Online. Do I need to do anything?
While Exchange Online customers are already protected, the November 2021 security updates do need to be applied to your on-premises Exchange Servers, even if they are used only for management purposes. You do not need to re-run the Hybrid Configuration Wizard (HCW) after applying updates.

Do I need to install the updates on ‘Exchange Management Tools only’ workstations?
Servers or workstations running only Microsoft Exchange Management Tools (no Exchange services) do not need to apply these updates.

Updates to this blog post:

  • 1/12/22: Added a note mentioning that OWA hybrid redirect issue is now addressed in January 2022 security update
  • 12/15: Added a note that we are working on a permanent solution for URL redirect issue
  • 11/24: Added a link to a KB article talking about workarounds for OWA redirection doesn't work after installing November 2021 security updates for Exchange Server 201...
  • 11/15: Added a known issue with November security update on Windows domain controllers, and solution
  • 11/11: Added a known issue with OWA redirect for hybrid customers
  • 11/10: Added a FAQ about mitigations
  • 11/10: Changed the PowerShell query for event searches from an older Get-EventLog to a newer and more performant Get-WinEvent.
  • 11/10: Changed the known issue wording to indicate that WSUS issue related to installation of Exchange 2013 November SU has now been resolved. If you use WSUS, please download the updated WSUS cab file.
  • 11/9: When this post got originally published, we incorrectly mentioned that Microsoft Update (MU) installation could lead to an error when Exchange 2013 SU was installed. This has now been corrected to mention Windows Server Update Services (WSUS) instead (which is where the problem is.)

The Exchange Team

168 Comments
Co-Authors
Version history
Last update:
‎Jan 12 2022 06:44 AM
Updated by: