
November 2022 Exchange Server Security Updates

Microsoft released several Security Updates (SUs) for Microsoft Exchange Server to address vulnerabilities. Due to the critical nature of these vulnerabilities, we recommend that customers apply the updates to affected systems immediately to protect the environment.

Note: These vulnerabilities affect Microsoft Exchange Server. Exchange Online is not affected.

Exchange Server Security Updates

Microsoft has released Security Updates for vulnerabilities found in:

  • Exchange Server 2013
  • Exchange Server 2016
  • Exchange Server 2019

These Security Updates are available for the following specific versions of Exchange:

Read more on how to Install Exchange Security Update.

If your servers are not on one of these Exchange Server CU versions, update to a supported CU first and then apply the Security Update above.

Read more on how to Install Exchange Cumulative Update.

Because we are aware of active exploitation of related vulnerabilities (limited, targeted attacks), we recommend installing these updates immediately to be protected against these attacks.

Note: The November 2022 SUs contain fixes for the zero-day vulnerabilities reported publicly on September 29, 2022 (CVE-2022-41040 and CVE-2022-41082).

Issues resolved by this release

The following issues have been resolved in this update:

  • Delivery Report search from ECP might fail with IIS logs showing SEC_E_BAD_BINDINGS in a cross-site scenario after enabling Extended Protection
  • Export-UMPrompt could fail with InvalidResponseException

FAQs

We already applied mitigations for CVE-2022-41040 and CVE-2022-41082. Do we need to install this SU?
Mitigations are not actual code fixes of specific vulnerabilities. Please install the November 2022 (or later) SU on your Exchange servers to address CVE-2022-41040 and CVE-2022-41082.

Do we have to remove mitigation for CVE-2022-41040 after installing the November 2022 (or later) SU?
It is not necessary to remove a mitigation that is already applied to your servers. If you do remove a mitigation, do so only after the November 2022 (or later) SU is installed and you have verified with the Health Checker script that the server is fully up to date. The removal steps depend on how the mitigation was applied:

  • Applied by EEMS – if the mitigation is removed manually, EEMS will re-apply it until we update the mitigation XML file in our service. We will update the published list of mitigations as soon as we start excluding the security-fixed Exchange Server builds from this particular mitigation, and we will announce when this is done.
  • Applied manually – you can remove the mitigation manually by modifying the IIS settings.
  • Applied using the EOMTv2 script – you can remove the mitigation by running .\EOMTv2.ps1 -RollbackMitigation.

How does this SU relate to Extended Protection feature?
If you already enabled Extended Protection on your servers, install the SU as usual. If you have not enabled Extended Protection yet, our recommendation is to enable it after installing the November (or any later) SU. Running the Health Checker script will always help you validate exactly what you need to do after SU installation.

Is Windows Extended Protection a prerequisite that needs to be activated before or after applying the SU, or is that an optional but strongly recommended activity?
Extended Protection is not a prerequisite for this Security Update. You can install it without having to activate the Extended Protection feature. However, configuring Extended Protection is strongly recommended, which can help you protect your environments from authentication relay or “Man in the Middle” (MITM) attacks.

The last SU that we installed is (a few months old). Do we need to install all SUs in order, to install the latest one?
The Exchange Server Security Updates are cumulative. If you are running the CU that the SU can be installed on, you do not need to install all the SUs in sequential order but can install the latest SU only.
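The rule in this answer has two parts: an SU only installs on the CU it was built for, and within that CU the SUs are cumulative, so only the newest one matters. As an added example (not code from the original post or from Microsoft), the following PowerShell functions encode that rule. The installed build is read from ExSetup.exe, because AdminDisplayVersion from Get-ExchangeServer only reflects the CU and does not change when an SU is installed. Running it against a live server assumes the Exchange Management Shell; the SU build numbers are placeholders and the real values come from the KB article for the SU you apply.

```powershell
# Added example, not code from the original post. Live use assumes the Exchange
# Management Shell (ExSetup.exe on the path). SU build numbers are PLACEHOLDERS:
# take the real SU build for your CU from the KB article.

function Get-ExchangeInstalledBuild {
    # ExSetup.exe's file version carries the SU build (Major.Minor.CuBuild.SuRevision).
    # AdminDisplayVersion from Get-ExchangeServer only shows the CU, not the SU.
    $exsetup = Get-Command ExSetup.exe -ErrorAction Stop
    return [version]$exsetup.FileVersionInfo.FileVersion
}

function Get-ExchangeSuStatus {
    param(
        [Parameter(Mandatory)][version]$Installed,   # build currently on the server
        [Parameter(Mandatory)][version]$SuBuild      # build of the SU you plan to install
    )
    # Major.Minor.Build identifies the CU. An SU only installs on the CU it was
    # built for, so these three parts must match exactly.
    $sameCu = ($Installed.Major -eq $SuBuild.Major) -and
              ($Installed.Minor -eq $SuBuild.Minor) -and
              ($Installed.Build -eq $SuBuild.Build)
    if (-not $sameCu) {
        $cu = "$($SuBuild.Major).$($SuBuild.Minor).$($SuBuild.Build)"
        return "CU mismatch: server is on $Installed, SU requires CU build $cu. Install that CU first, then the latest SU."
    }
    # Same CU: SUs are cumulative, so only the last part (the SU revision) matters.
    if ($Installed.Revision -ge $SuBuild.Revision) {
        return "Up to date: installed build $Installed is at or above SU build $SuBuild."
    }
    return "Install SU: installed build $Installed is older than SU build $SuBuild (intermediate SUs are not needed)."
}

# Offline demonstration with CONSTRUCTED build numbers (not real Exchange builds):
Get-ExchangeSuStatus -Installed '15.2.100.5'  -SuBuild '15.2.100.20'   # Install SU: ...
Get-ExchangeSuStatus -Installed '15.2.100.20' -SuBuild '15.2.100.20'   # Up to date: ...
Get-ExchangeSuStatus -Installed '15.2.90.30'  -SuBuild '15.2.100.20'   # CU mismatch: ...

# On a server (placeholder SU build; replace with the value from the KB article):
# Get-ExchangeSuStatus -Installed (Get-ExchangeInstalledBuild) -SuBuild '15.2.0.0'
```

The three offline calls exercise each branch of the rule without touching Exchange; the commented last line is the form you would run on a server after replacing the placeholder build.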

My organization is in Hybrid mode with Exchange Online. Do I need to do anything?
While Exchange Online customers are already protected, the November 2022 Security Update needs to be installed on your on-premises Exchange Servers, even if they are used only for management purposes. You do not need to re-run the Hybrid Configuration Wizard (HCW) after applying updates.

Do I need to install the updates on “Exchange Management Tools only” workstations?
Install Security Updates on all Exchange Servers as well as on servers or workstations running only the Exchange Management Tools; this ensures there is no incompatibility between management tools clients and servers.

Further information

ALI TAJRAN


ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others.

This Post Has 6 Comments

  1. Salam Ali, thank you for your excellent documentation. I want to ask: if we installed a new Exchange 2019 CU12 today, should I install all SUs released after CU12 or only the latest SU?

    1. The Exchange Server Security Updates are cumulative. If you are running the CU that the SU can be installed on, you do not need to install all the SUs in sequential order but can install the latest SU only (as shown in the FAQ).

  2. I noticed in the build numbers site (https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-november-8-2022-kb5019758-2b3b039b-68b9-4f35-9064-6b286f495b1d), under the file information section that shows the file hash, that the file names are all the same, while the “SHA256 hash” and “Update Name” are unique. Is this just a typo, or is there any way to confirm the download has the proper hash for the version I would need? If you look at the File Name, they are all “Exchange2019-KB5019758-x64-en.exe”. Thank you for all the information you provide.

    Thanks,
    Mike C.

    1. It’s correctly displayed on the Security Update description page.

      1. Download the Exchange Server Security Update
      2. Create an “install” folder on the (C:) drive
      3. Place the Security Update package in C:\install
      4. Run PowerShell as administrator and run the command below:

      (Get-FileHash C:\install\Exchange2016-KB5019758-x64-en.exe).Hash

      The output will show the SHA256 hash, and you can compare it with the SHA256 hash on the Security Update description page.
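Because the package name is the same for every CU of a given Exchange version, the SHA256 hash is what tells you which CU's package you actually downloaded. As an added example (not code from the post or from Microsoft), the following PowerShell function extends the one-liner above: it hashes the downloaded package and matches the result against a table of published hashes keyed by Update Name, normalizing whitespace and case so a copy-paste from the KB page does not produce a false mismatch. The hash values in the table are placeholders; copy the real ones from the file information section of the Security Update description page.

```powershell
# Added example, not from the original post. The hash values are PLACEHOLDERS;
# replace them with the SHA256 values listed on the Security Update description page.
$ExpectedHashes = @{
    # 'Update Name' from the KB page  => SHA256 hash from the same row
    'Exchange Server 2019 CU11 (placeholder)' = '<SHA256 FROM KB PAGE>'
    'Exchange Server 2019 CU12 (placeholder)' = '<SHA256 FROM KB PAGE>'
}

function Test-ExchangeSuPackage {
    param(
        [Parameter(Mandatory)][string]$Path,          # e.g. C:\install\Exchange2019-KB5019758-x64-en.exe
        [Parameter(Mandatory)][hashtable]$Expected    # Update Name => SHA256
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Package not found: $Path"
    }
    # Get-FileHash returns upper-case hex; normalize the published values the same way.
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $hits = foreach ($name in $Expected.Keys) {
        $published = ($Expected[$name] -replace '\s', '').ToUpperInvariant()
        if ($published -eq $actual) { $name }
    }
    $updateName = if ($hits) { $hits -join ', ' } else { $null }
    [pscustomobject]@{
        Path       = $Path
        Sha256     = $actual
        UpdateName = $updateName      # which CU's package this file is, if any
        Verified   = [bool]$hits      # $false means the download matches no published hash
    }
}

# Usage (path from the post's example; adjust to your download location):
Test-ExchangeSuPackage -Path 'C:\install\Exchange2019-KB5019758-x64-en.exe' -Expected $ExpectedHashes
```

A result with Verified set to $false means the file matches none of the published hashes; do not install it, re-download the package for the CU you need and check again.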
