Security updates have been released for Exchange 2013, Exchange 2016 and Exchange 2019. They resolve the following two vulnerabilities:
- CVE-2019-0586: Microsoft Exchange Memory Corruption Vulnerability
A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the System user. An attacker could then install programs; view, change, or delete data; or create new accounts. Exploitation of the vulnerability requires that a specially crafted email be sent to a vulnerable Exchange server.
- CVE-2019-0588: Microsoft Exchange Information Disclosure Vulnerability
An information disclosure vulnerability exists when the Microsoft Exchange PowerShell API grants calendar contributors more view permissions than intended. To exploit this vulnerability, an attacker would need to be granted contributor access to an Exchange Calendar by an administrator via PowerShell. The attacker would then be able to view additional details about the calendar that would normally be hidden.
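The precondition for CVE-2019-0588 is a Contributor grant on a calendar folder, so an inventory of those grants shows which calendars are affected until the update is installed. The script below is an added example, not part of the original advisory or of Microsoft's guidance. It assumes an on-premises Exchange Management Shell session with rights to read folder permissions, and its variable names are illustrative.

```powershell
# Added example: read-only audit of Contributor grants on calendar folders.
# Run in the Exchange Management Shell. It changes no permissions.

$report = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {

    # Find the calendar folder by type rather than by name, so mailboxes
    # with a localized folder name (e.g. "Kalender") are still covered.
    $cal = Get-MailboxFolderStatistics -Identity $mbx.Identity -FolderScope Calendar |
        Where-Object { $_.FolderType -eq 'Calendar' } |
        Select-Object -First 1

    if (-not $cal) { continue }

    # Folder identity format is "<mailbox>:\<folder path>".
    $folderId = '{0}:{1}' -f $mbx.PrimarySmtpAddress, ($cal.FolderPath -replace '/', '\')

    Get-MailboxFolderPermission -Identity $folderId -ErrorAction SilentlyContinue |
        ForEach-Object {
            # AccessRights is a collection; join it so the match works whether
            # the session returns live or deserialized objects.
            $rights = $_.AccessRights -join ','
            if ($rights -match '\bContributor\b') {
                [pscustomobject]@{
                    Mailbox      = $mbx.PrimarySmtpAddress.ToString()
                    Folder       = $cal.FolderPath
                    Grantee      = $_.User.ToString()
                    AccessRights = $rights
                }
            }
        }
}

if ($report) {
    $report | Sort-Object Mailbox, Grantee | Format-Table -AutoSize
} else {
    Write-Output 'No Contributor grants found on calendar folders.'
}
```

Each row is a grantee who holds Contributor on someone else's calendar; review whether the grant is still needed.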
View: Description of the security update for Microsoft Exchange Server 2019, 2016, and 2013: January 8, 2019
Download: Security Update For Exchange Server 2013 CU21 (KB4471389)
Download: Security Update For Exchange Server 2016 CU10 (KB4471389)
Download: Security Update For Exchange Server 2016 CU11 (KB4471389)
Download: Security Update For Exchange Server 2019 (KB4471389)