Skip to main content
Uncategorized

October 2022 Exchange Server Security Updates

By March 25, 2024No Comments

Microsoft released several Security Updates (SUs) for Microsoft Exchange Server to address vulnerabilities. Due to the critical nature of these vulnerabilities, we recommend that customers apply the updates to affected systems immediately to protect the environment.

Note: These vulnerabilities affect Microsoft Exchange Server. Exchange Online is not affected.

Exchange Server Security Updates

Microsoft has released Security Updates for vulnerabilities found in:

  • Exchange Server 2013
  • Exchange Server 2016
  • Exchange Server 2019

These Security Updates are available for the following specific versions of Exchange:

  • Exchange Server 2013 (CU23)
  • Exchange Server 2016 (CU22CU23)
  • Exchange Server 2019 (CU11CU12)
  • Vulnerabilities addressed in the October 2022 Security Updates were responsibly reported by security partners and found through Microsoft’s internal processes. Although we are not aware of any active exploits in the wild, our recommendation is to install these updates immediately to protect your environment.

    Note: The October 2022 SUs do not contain fixes for the zero-day vulnerabilities reported publicly on September 29, 2022 (CVE-2022-41040 and CVE-2022-41082). Please see this article to apply mitigations for those vulnerabilities. Microsoft will release updates for CVE-2022-41040 and CVE-2022-41082 when they are ready.

    Enable Windows Extended Protection

    Starting with the August 2022 SUs, Exchange Server supports the Windows Extended Protection (EP) feature, which can help you protect your environments from authentication relay or “man in the middle” (MitM) attacks. If you have not yet enabled EP in your environment, please install the October SUs which address a known issue in Exchange EP support.

    Note: If you have already installed the August 2022 SUs and have enabled EP, you do NOT need to re-run the EP script after installing the October SUs.

    Issues resolved by this release

    The following issues have been resolved in this update:

    • In Exchange 2013, Exchange 2016, and Exchange 2019, various Outlook and compliance-related monitoring probes show as Failed once EP is enabled.

    FAQs

    How does this SU relate to Extended Protection feature?
    If you already enabled Extended Protection on your servers, install the SU as usual. If you did not enable Extended Protection yet, our recommendation is to enable it after installing January (or any later) SU. Running Health Checker script will always help you validate exactly what you might need to do after SU installation.

    Is Windows Extended Protection a prerequisite that needs to be activated before or after applying the SU, or is that an optional but strongly recommended activity?
    Extended Protection is not a prerequisite for this Security Update. You can install it without having to activate the Extended Protection feature. However, configuring Extended Protection is strongly recommended, which can help you protect your environments from authentication relay or “Man in the Middle” (MITM) attacks.

    The last SU that we installed is (a few months old). Do we need to install all SUs in order, to install the latest one?
    The Exchange Server Security Updates are cumulative. If you are running the CU that the SU can be installed on, you do not need to install all the SUs in sequential order but can install the latest SU only.

    My organization is in Hybrid mode with Exchange Online. Do I need to do anything?
    While Exchange Online customers are already protected, the October 2022 security updates do need to be applied to your on-premises Exchange Servers, even if they are used only for management purposes. You do not need to re-run the Hybrid Configuration Wizard (HCW) after applying updates.

    Do I need to install the updates on “Exchange Management Tools only” workstations?
    Install Security Updates on all Exchange Servers as well as servers or workstations running Exchange Management Tools only, which will ensure that there is no incompatibility between management tools clients and servers.

    Further information

Leave a Reply