March 2023 Exchange Server Security Updates

Microsoft released several Security Updates (SUs) for Microsoft Exchange Server to address vulnerabilities. Due to the critical nature of these vulnerabilities, we recommend that customers apply the updates to affected systems immediately to protect the environment.

Note: These vulnerabilities affect Microsoft Exchange Server. Exchange Online is not affected.

Exchange Server Security Updates

Microsoft has released Security Updates for vulnerabilities found in:

• Exchange Server 2013
• Exchange Server 2016
• Exchange Server 2019

These Security Updates are available for the following specific versions of Exchange:

• Exchange Server 2013 (CU23)
• Exchange Server 2016 (CU23)
• Exchange Server 2019 (CU11, CU12)

Read more on how to Install Exchange Security Update.

If you are not at these Exchange Server CU versions, please update right now and apply the above patch.

Read more on how to Install Exchange Cumulative Update.

Vulnerabilities addressed in the March 2023 Security Updates were responsibly reported by security partners and found through Microsoft’s internal processes. Although we are not aware of any active exploits in the wild, our recommendation is to install these updates immediately to protect your environment.

Awareness: Outlook client update for CVE-2023-23397 released

There is a security update for Microsoft Outlook that is required to address CVE-2023-2337. To address this CVE, you must install the Outlook security update, regardless of where your mail is hosted (e.g., Exchange Online, Exchange Server, some other platform). Please see the MSRC blog post about this vulnerability for more details.

But if your mailboxes are in Exchange Online or on Exchange Server, after installing the Outlook update, you can use a script we created to see if any of your users have been targeted using the Outlook vulnerability. The script will tell you if any users have been targeted by potentially malicious messages and allow you to modify or delete those messages if any are found.

The script will take some time to run, so we recommend prioritizing user mailboxes that are of higher value to attackers (e.g., executives, senior leadership, admins, etc.).

Known issues in this release

• There are no known issues with this release

Issues resolved

The following issues have been resolved in this update:

• EWS web application pool stops after the February 2023 Security Update is installed – if you have implemented the workaround in the KB article, you should remove the workaround once the March SU is installed (see the KB article for instructions). Running Health Checker will remind you of the need to remove the workaround.
• Exchange Toolbox and Queue Viewer fails after Certificate Signing of PowerShell Serialization Payload is enabled – this issue has been resolved for servers running the Mailbox role, but this still occurs on servers and workstations that have only the Management Tools role installed.
• This release unblocks customers who can’t enable Extended Protection (EP) because they are using a Retention Policy with Retention Tags that perform Move-to-Archive actions. Note: if you worked around this problem using the updated Exchange Server Extended Protection script, you should roll back the applied IP restrictions after installing this SU by following the script documentation.
• Get-App and GetAppManifests fail and return an exception.

FAQs

How does this SU relate to Extended Protection feature?
If you already enabled Extended Protection on your servers, install the SU as usual. If you did not enable Extended Protection yet, our recommendation is to enable it after installing January (or any later) SU. Running Health Checker script will always help you validate exactly what you might need to do after SU installation.

Is Windows Extended Protection a prerequisite that needs to be activated before or after applying the SU, or is that an optional but strongly recommended activity?
Extended Protection is not a prerequisite for this Security Update. You can install it without having to activate the Extended Protection feature. However, configuring Extended Protection is strongly recommended, which can help you protect your environments from authentication relay or “Man in the Middle” (MITM) attacks.

The last SU that we installed is (a few months old). Do we need to install all SUs in order, to install the latest one?
The Exchange Server Security Updates are cumulative. If you are running the CU that the SU can be installed on, you do not need to install all the SUs in sequential order but can install the latest SU only.

My organization is in Hybrid mode with Exchange Online. Do I need to do anything?
While Exchange Online customers are already protected, the March 2022 Security Update needs to be installed on your on-premises Exchange Servers, even if they are used only for management purposes. You do not need to re-run the Hybrid Configuration Wizard (HCW) after applying updates.

Do I need to install the updates on “Exchange Management Tools only” workstations?
Install Security Updates on all Exchange Servers as well as servers or workstations running Exchange Management Tools only, which will ensure that there is no incompatibility between management tools clients and servers.

Further information

• Exchange Team Blog