November 2022 Security Updates for Exchange
This week Microsoft released new security updates for the following Exchange versions:
- Exchange...
Jaap Wesselius
On October 11, 2022, Microsoft unexpectedly released new Security Updates (SUs) for Exchange 2013 CU23, Exchange 2016 (CU22 and CU23) and Exchange 2019 (CU11 and CU12).
Exchange CVE-2022-34692, the vulnerabilities addressed in these CUs are the same as addressed by the August 2022 SUs. One thing is that the rating has changed.
| Vulnerability | Category | Severity |
| CVE-2022-21979 | Information disclosure | Important |
| CVE-2022-21980 | Elevation of privileges | Critical |
| CVE-2022-24477 | Elevation of privileges | Critical |
| CVE-2022-24516 | Elevation of privileges | Critical |
| CVE-2022-30134 | Elevation of privileges | Important |
You can download the SUs from the following locations:
| Version | Download | Severity |
| Exchange 2013 CU23 | n/a | KB5019076 |
| Exchange 2016 CU22 | n/a | KB5019077 |
| Exchange 2016 CU23 | n/a | KB5019077 |
| Exchange 2019 CU11 | n/a | KB5019077 |
| Exchange 2019 CU12 | n/a | KB5019077 |
Please note that these SUs do not address the 0-day exploits of early October. To work around this 0-day, follow the steps as outlined in Michel’s article on this site: October Exchange Zero Day - Everything You Need to Know and Do.
In the August 2022 SUs, Microsoft introduced a feature in Exchange called Windows Extended Protection. Extended protection can help you protect against man in the middle attacks. If you have not enabled extended protection, please do and check the August SU announcement for more details. You can also check my own blog on the August security updates that contain more information regarding the implementation of extended protection.
As always:
- Security Updates are Cumulative Update specific. You cannot install a security update for CU12 on a CU11 server, be aware of this.
- Security Updates contain all earlier updates for this specific Cumulative Update.
- Hybrid Servers need to be updates as well, but if you have decommissioned your last Exchange server and running the Exchange 2019 CU12 management tools for Exchange, then there’s no need to install this update.
- Before installing into your production environment, please test thoroughly in your test environment.
Want to learn more about Exchange Monitoring & Reporting?
How do you ensure vital business communication, such as email, stays up and running? How do you demonstrate to senior management that additional resources are needed to meet growing demand or that service levels are being met? ENow makes your job easier by putting everything you need into a single, concise OneLook dashboard, instead of forcing you to use fragmented and complicated tools for monitoring and reporting.
Easy to deploy and intuitive to use, ACCESS YOUR FREE 14-DAY TRIAL and combine all key elements for your Exchange monitoring and reporting to keep your messaging infrastructure up and running like a pro!
PRODUCT HIGHLIGHTS
- Consolidated dashboard view of messaging environments health
- Automatically verify external Mail flow, OWA, ActiveSync, Outlook Anywhere
- Mail flow queue monitoring
- DAG configuration and failover monitoring
- Microsoft Security Patch verification
- 200+ built-in, customizable reports, including: Mailbox size, Mail Traffic, Quota, Storage, Distribution Lists, Public Folders, Database size, OWA, Outlook version, permissions, SLA and mobile device reports
