Security updates have been released for Exchange 2010, Exchange 2013, Exchange 2016 and Exchange 2019. They resolve the following two vulnerabilities:
- CVE-2019-0817 and CVE-2019-0858: Microsoft Exchange Spoofing Vulnerability
A spoofing vulnerability exists in Microsoft Exchange Server when Outlook Web Access (OWA) fails to properly handle web requests. An attacker who successfully exploited the vulnerability could perform script or content injection attacks and attempt to trick the user into disclosing sensitive information. An attacker could also redirect the user to a malicious website that spoofs content, or use the vulnerability as a pivot to chain an attack with other vulnerabilities in web services.
To exploit the vulnerability, an attacker could send a specially crafted email containing a malicious link to a user. An attacker could also use a chat client to social engineer a user into clicking the malicious link. However, in both examples the user must click the malicious link.
Note: Exchange 2010 is not affected by CVE-2019-0858.
View: Description of the security update for Microsoft Exchange Server 2019, 2016, and 2013: April 9, 2019
Download: Security Update For Exchange Server 2019 CU1 (KB4487563)
Download: Security Update For Exchange Server 2019 (KB4487563)
Download: Security Update For Exchange Server 2016 CU12 (KB4487563)
Download: Security Update For Exchange Server 2016 CU11 (KB4487563)
Download: Security Update For Exchange Server 2013 CU22 (KB4487563)
Download: Update Rollup 27 For Exchange 2010 SP3 (KB4491413)
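Because the security update is built per Cumulative Update, the package you install must match the CU the server is actually running, and Get-HotFix will not tell you whether it landed: Win32_QuickFixEngineering lists only Windows component updates, not Windows Installer (MSI/MSP) patches such as Exchange SUs. The following PowerShell is an added example for checking both points; it is not part of the advisory or of Microsoft's update packages. It assumes the Exchange Management Shell is loaded, that `$env:ExchangeInstallPath` is set (Exchange setup does this), and that the SU registers under the standard Windows Installer patch location with the KB number in its DisplayName. It is written for the Exchange 2013/2016/2019 SU (KB4487563); for Exchange 2010 substitute the rollup's KB number.

```powershell
# Added example, not from the advisory: confirm CU/build, then check for the SU.
# Run in the Exchange Management Shell on each Exchange server.

$Kb = 'KB4487563'   # KB4491413 for the Exchange 2010 SP3 rollup

# 1. Which CU is this server on? The SU package must match it exactly.
Get-ExchangeServer -Identity $env:COMPUTERNAME |
    Select-Object Name, AdminDisplayVersion

# ExSetup.exe carries the exact build, including the SU increment that
# AdminDisplayVersion does not reflect (assumes $env:ExchangeInstallPath is set).
$exSetup = Join-Path $env:ExchangeInstallPath 'Bin\ExSetup.exe'
(Get-Item $exSetup).VersionInfo | Select-Object FileVersion, ProductVersion

# 2. Is the SU installed? Exchange SUs are MSP patches, so Get-HotFix misses them.
# Look in the Windows Installer per-machine patch registration instead
# (assumption: the SU registers a DisplayName containing the KB number here).
$patchKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\*\Patches\*'
$installed = Get-ItemProperty -Path $patchKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like "*$Kb*" } |
    Select-Object DisplayName, Installed, State

if ($installed) {
    $installed
} else {
    Write-Warning "$Kb not found in Windows Installer patch registration on $env:COMPUTERNAME"
}
```

Compare the FileVersion reported for ExSetup.exe against the build number Microsoft publishes for the SU on your CU; if the KB is registered but the build has not moved, the install did not complete (the usual cause being setup run without elevation or with services still stopped), and the server is still unpatched.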