Security updates have been released for Exchange 2013, Exchange 2016 and Exchange 2019.
The updates fix the following vulnerabilities:
- CVE-2022-21979: Microsoft Exchange Information Disclosure Vulnerability
- CVE-2022-21980: Microsoft Exchange Server Elevation of Privilege Vulnerability
- CVE-2022-24477: Microsoft Exchange Server Elevation of Privilege Vulnerability
- CVE-2022-24516: Microsoft Exchange Server Elevation of Privilege Vulnerability
- CVE-2022-30134: Microsoft Exchange Server Elevation of Privilege Vulnerability
- CVE-2022-34692: Microsoft Exchange Information Disclosure Vulnerability
None of the vulnerabilities are currently publicly disclosed or known to be exploited. However, for 3 of them the exploitability assessment is rated “Exploitation More Likely”, so it is important to update as soon as possible.
You might have recognized that these are the same vulnerabilities that were fixed by the August Security Updates. The re-release addresses a known issue with the August updates.
Note however that this Security Update does not address the zero-day vulnerabilities of September 29 (CVE-2022-41040 and CVE-2022-41082). You’d still need to have the mitigations for those applied as instructed in a previous blog post by the Exchange Team.
In addition to installing the update, you must also enable Windows Extended Protection to be protected against these vulnerabilities. This is unfortunately not a simple thing to enable, as it is not compatible with all configurations. Therefore, make sure you carefully read the Extended Protection documentation and use the provided script to enable it.
The updates also fix the following non-security issues:
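Because installing the update alone is not enough, it is worth verifying afterwards that Extended Protection is actually enabled on the Exchange virtual directories. The following PowerShell audit is an added example, not part of the original post or of Microsoft's own script; it reads the IIS `extendedProtection` setting of each virtual directory and assumes the default site names and a constructed list of directories to check (adjust both to your environment and to the values prescribed in the Extended Protection documentation).

```powershell
# Added example: report the Extended Protection (tokenChecking) setting
# of Exchange virtual directories in IIS. Run locally on an Exchange server.
Import-Module WebAdministration

# Constructed list of site/virtual-directory pairs to audit (assumption:
# default site names; extend or trim for your deployment).
$targets = @(
    @{ Site = 'Default Web Site';    VDirs = 'API','Autodiscover','ECP','EWS','Mapi','Microsoft-Server-ActiveSync','OAB','OWA','PowerShell','Rpc' },
    @{ Site = 'Exchange Back End';   VDirs = 'API','Autodiscover','ECP','EWS','Mapi/emsmdb','Mapi/nspi','Microsoft-Server-ActiveSync','OAB','OWA','PowerShell','Rpc' }
)

$filter = 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'

foreach ($t in $targets) {
    foreach ($vdir in $t.VDirs) {
        $location = "$($t.Site)/$vdir"
        try {
            # tokenChecking is None, Allow or Require; None means EP is not enforced.
            $setting = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
                       -Filter $filter -Name 'tokenChecking' -ErrorAction Stop
            $value = if ($setting.Value) { $setting.Value } else { $setting }
        } catch {
            $value = 'not found'   # vdir missing on this server or not readable
        }
        [pscustomobject]@{
            VirtualDirectory = $location
            TokenChecking    = $value
            NeedsAttention   = ($value -eq 'None' -or $value -eq 'not found')
        }
    }
}
```

Compare the reported values against the table in the Extended Protection documentation; any directory still showing `None` after running the configuration script has not been protected.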
- KB5019807: Can’t finish the E-discovery process for an on-premises mailbox
- KB5019808: E-Discovery search fails in Exchange Online
View: Exchange Blog: Released: October 2022 Exchange Server Security Updates
View: Description of the security update for Microsoft Exchange Server 2019 and 2016: October 11, 2022 (KB5019077)
View: Description of the security update for Microsoft Exchange Server 2013: October 11, 2022 (KB5019076)