Due to the vulnerability that allows privilege escalation I wrote about in this post, Microsoft has released a cumulative update for all supported versions of Exchange Server (Exchange 2010, 2013, 2016 and 2019).
- Exchange Server 2019 Cumulative Update 1 (KB4471391), VLSC Download
- Exchange Server 2016 Cumulative Update 12 (KB4471392), Download, UM Lang Packs
- Exchange Server 2013 Cumulative Update 22 (KB4345836), Download, UM Lang Packs
- Exchange Server 2010 Service Pack 3 Update Rollup 26 (KB4487052), Download, also available on Microsoft Update
As Microsoft has published in the “You Had Me At Ehlo”, its not a normal practice to include security updates in a cumulative update that the nature of the product forces to deliver them this way.
Several details and actions are included in the official post:
- The CU fixes contains a critical security update related to the EWS Push notifications
- After applying the CU, the Exchange server’s credentials stored in Active Directory must be reset
- The CU decreases the Active Directory rights granted to the Exchange servers. To apply the changes, the setup /PreapareAD parameter must be run.
- …
For complete details, I encourage you to visit the Microsoft official post:
Released: February 2019 Quarterly Exchange Updates
SomoIT post about the vulnerability:
Exchange – New vulnerability that allows privilege escalation
