Security updates have been released for Exchange 2013, Exchange 2016 and Exchange 2019.
The updates fix the following vulnerabilities;
- CVE-2023-21745: Spoofing Vulnerability
- CVE-2023-21761: Information Disclosure Vulnerability
- CVE-2023-21762: Spoofing Vulnerability
- CVE-2023-21763: Elevation of Privilege Vulnerability
- CVE-2023-21764: Elevation of Privilege Vulnerability
None of the vulnerabilities are currently publicly disclosed or exploited. However, CVE-2023-21745 is rated as “Exploitation More Likely” so make sure you update as soon as possible!
From the above vulnerabilities, Exchange 2013 is only affected by CVE-2023-21762. Note however that Exchange 2013 will go out of support on April 11, 2023 so make sure you have your migration plan in order to remain supported.
This release introduces a new feature called; Certificate signing of PowerShell serialization payload in Exchange Server. In short, this helps defend Exchange servers against attacks on serialized data. This feature must be enabled manually but there is a script available for it as well.
The updates also contain the following non-security issues;
- Store Worker Process stops and returns “System.NullReferenceExceptions” multiple times per day (Exchange 2019 and Exchange 2016)
- Can’t record or play in Exchange Unified Messaging (Exchange 2016 and Exchange 2013)
- Exchange Application log is flooded with Event ID 6010 (Exchange 2016)
View: Exchange Blog: Released: Released: January 2023 Exchange Server Security Updates
View: Description of the security update for Microsoft Exchange Server 2019: January 10, 2023 (KB5022193)
View: Description of the security update for Microsoft Exchange Server 2016: January 10, 2023 (KB5022143)
View: Description of the security update for Microsoft Exchange Server 2013: January 10, 2023 (KB5022188)