A unique generated mailbox database is created by default in Exchange Server after installing Exchange…
August 2023 Exchange Server Security Updates
Microsoft released several Security Updates (SUs) for Microsoft Exchange Server to address vulnerabilities. Due to the critical nature of these vulnerabilities, we recommend that customers apply the updates to affected systems immediately to protect the environment.
Note: These vulnerabilities affect Microsoft Exchange Server. Exchange Online is not affected.
Exchange Server Security Updates
Microsoft has released Security Updates for vulnerabilities found in:
- Exchange Server 2016
- Exchange Server 2019
These Security Updates are available for the following specific versions of Exchange:
Read more on how to Install Exchange Security Update.
If you are not at these Exchange Server CU versions, please update right now and apply the above patch.
Read more on how to Install Exchange Cumulative Update.
Vulnerabilities addressed in the August 2023 Security Updates were responsibly reported by security partners and found through Microsoft’s internal processes. Although we are not aware of any active exploits in the wild, our recommendation is to install these updates immediately to protect your environment.
Steps needed to address CVE-2023-21709
To address CVE-2023-21709, administrators must perform additional actions and can run the CVE-2023-21709.ps1 script that we have released. The script and its documentation can be found here. We have validated the script and CVE resolution on supported versions of Exchange Server only. We recommend updating to August SU first and then running the script.
Features introduced in this update
Known issues in this update
- When you install this security update on a Windows-based server that is running a non-English operating system version, Setup suddenly stops and rolls back the changes. However, the Exchange Server services remain in a disabled state. For more information, see Exchange Server 2019 and 2016 August 2023 security update installation fails on non-English operating systems.
Issues that are fixed in this update
The following issues have been resolved in this update:
- Users in account forest can’t change expired password in OWA in multi-forest Exchange deployments after installing August 2023 SU
- Exchange Server 2019 and 2016 August 2023 security update installation fails on non-English operating systems
- DST settings are inaccurate after an OS update
- Microsoft Exchange replication service repeatedly stops responding
- Chinese coded characters aren’t supported in Exchange Admin Center
- External email address field doesn’t display the correct username
FAQs
How does this SU relate to Extended Protection feature?
If you already enabled Extended Protection on your servers, install the SU as usual. If you did not enable Extended Protection yet, our recommendation is to enable it after installing January (or any later) SU. Running Health Checker script will always help you validate exactly what you might need to do after SU installation.
Is Windows Extended Protection a prerequisite that needs to be activated before or after applying the SU, or is that an optional but strongly recommended activity?
Extended Protection is not a prerequisite for this Security Update. You can install it without having to activate the Extended Protection feature. However, configuring Extended Protection is strongly recommended, which can help you protect your environments from authentication relay or “Man in the Middle” (MITM) attacks.
The last SU that we installed is (a few months old). Do we need to install all SUs in order, to install the latest one?
The Exchange Server Security Updates are cumulative. If you are running the CU that the SU can be installed on, you do not need to install all the SUs in sequential order but can install the latest SU only.
My organization is in Hybrid mode with Exchange Online. Do I need to do anything?
While Exchange Online customers are already protected, the August 2023 Security Update needs to be installed on your on-premises Exchange Servers, even if they are used only for management purposes. You do not need to re-run the Hybrid Configuration Wizard (HCW) after applying updates.
Do I need to install the updates on “Exchange Management Tools only” workstations?
Install Security Updates on all Exchange Servers as well as servers or workstations running Exchange Management Tools only, which will ensure that there is no incompatibility between management tools clients and servers.
We still use Exchange Server 2013 on-premises to host mailboxes. Can we have an update for Exchange Server 2013 to support the new Microsoft 365 AES256-CBC encryption standard?
Exchange Server 2013 is out of support and will not receive any further security updates. We do not perform any vulnerability testing against this version of Exchange anymore. Exchange Server 2013 is likely vulnerable to any vulnerabilities disclosed after April 2023 and you should migrate to Exchange Server 2019 or Exchange Online as soon as possible and decommission Exchange Server 2013 from your environment.
Further information
What Others Are Reading
Hi Ali,
When install patch on servers in DAG , do we have to put servers in maintenance mode.
Yes.
You should put the Exchange Server in maintenance mode when installing:
– Windows Updates
– Cumulative Updates
– Security Updates
Hi Ali, the search funktionality works sometime by shared Mailboxes not, do you know how to find the Problem? i Have Exchange Server 2019 CU13 with the latest Updates installed.
German and french server reportedly have issues with this update and theres even a risk that the exchange server will not be running anymore (disabled exchange services).
Confirmed. It’s happening to all Windows Servers that are running a non-English operating system (OS) version.
To fix this issue:
Method 1. Run the PowerShell script to restart the Exchange Server services
Method 2. Read Microsoft’s article with the workaround