Exchange Security Updates – January 2023

Once again, we have got some new and important Exchange Security Updates, released with the January 2023 Microsoft Updates, a few weeks back.

Even though the latest Exchange Security Updates are now a few weeks old – it is more important than ever, to make sure your Exchange environment is up-to-date.

Just see the latest post from the Exchange Team on this: Protect Your Exchange Servers

Microsoft is also interested in knowing how customers update their Exchange Servers and what challenges they see, everyone is invited to give feedback through a survey:

We are constantly looking for ways to improve the Exchange Server update process, and we’ve posted a survey about that topic which we invite you to take at https://forms.office.com/r/kfLyqAe3Q8.

The latest Exchange Security Updates address vulnerabilities found in the following Exchange Servers:

• Exchange 2013
• Exchange 2016
• Exchange 2019

For more about the vulnerabilities, see the CVEs:

• CVE-2023-21764 – Microsoft Exchange Server Elevation of Privilege Vulnerability
• CVE-2023-21763 – Microsoft Exchange Server Elevation of Privilege Vulnerability
• CVE-2023-21745 – Microsoft Exchange Server Spoofing Vulnerability
• CVE-2023-21762 – Microsoft Exchange Server Spoofing Vulnerability
• CVE-2023-21761 – Microsoft Exchange Server Information Disclosure Vulnerability

The Security Update is available for the specific Cumulative Update level (CU) your Exchange is running, if you are not up-to-date, with the latest CU, you might have to update the CU before applying the Security Update.

The update path is the following:

If you are uncertain, about what Exchange Server updates are needed and what current build, your Exchange Servers are running, you can use the Exchange Server Health Checker script to inventory your servers.

If you only have an Exchange Hybrid running, you will still need to update your Exchange environment. You do not need to re-run the Hybrid Configuration Wizard (HCW) after applying updates.

Read the full process on this, on the Exchange Team blog:

• https://techcommunity.microsoft.com/t5/exchange-team-blog/released-january-2023-exchange-server-security-updates/ba-p/3711808

Use the Exchange Update Wizard, if any doubt about the upgrade process:

• https://aka.ms/ExchangeUpdateWizard 

If you manually install the January 2023 Exchange Security Updates, they can be downloaded here:

• Exchange Server 2013 CU23 (note that support and updates end on April 11, 2023)
• Exchange Server 2016 CU23
• Exchange Server 2019 CU11 and CU12 

Download the Security Update that is specific to the CU, your Exchange Server is running.

Remember if you install them manually, the install (.msp file) needs to be run from an elevated command prompt.

More details from the original Exchange Team blog post:

• https://techcommunity.microsoft.com/t5/exchange-team-blog/released-january-2023-exchange-server-security-updates/ba-p/3711808

It is recommended to update your Exchange Servers as soon as possible.

/Happy Patching! 🙂