Microsoft Exchange Server November Security Update


Microsoft have released a security update for Microsoft Exchange Server (KB5007409). The November 2021 Exchange Server Security Updates address the latest vulnerabilities found in the different versions. Microsoft have classed the vulnerabilities found as medium threat; however, as with all security-related patches, we advise applying the patches as soon as possible.

Exchange Server Security Updates

Microsoft has released Security Updates for vulnerabilities found in:

  • Exchange Server 2013
  • Exchange Server 2016
  • Exchange Server 2019

These Security Updates are available for the following specific versions of Exchange:

IMPORTANT: If manually installing security updates, you must install the .msp from an elevated command prompt (see Known Issues in the update KB article).

You can learn more about Exchange 2019 CU11 here

If you are not running these versions, then we strongly advise upgrading to them as soon as possible in order to apply the patch.

The November 2021 security updates for Exchange Server address vulnerabilities reported by security partners and found through Microsoft’s internal processes. We are aware of limited targeted attacks in the wild using one of the vulnerabilities (CVE-2021-42321), which is a post-authentication vulnerability in Exchange 2016 and 2019. Our recommendation is to install these updates immediately to protect your environment.

These vulnerabilities affect on-premises Microsoft Exchange Server, including servers used by customers in Exchange Hybrid mode. Exchange Online customers are already protected and do not need to take any action.

More details about specific CVEs can be found in the Security Update Guide (filter on Exchange Server under Product Family).

How to get and install the update

Method 1: Microsoft Update

This update is available through Windows Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to turn on automatic updating, see Windows Update: FAQ.

Method 2: Microsoft Update Catalog

To get the standalone package for this update, go to the Microsoft Update Catalog website.

Method 3: Microsoft Download Center

You can get the standalone update package through the Microsoft Download Center.

FAQs

We installed the November 2021 SU on our Exchange 2016/2019 servers. Is there something that we can check to see if an exploit was attempted on our servers before the fix for CVE-2021-42321 was put in place?
Run the following (updated) PowerShell query on your Exchange server to check for specific events in the Event Log:

Get-WinEvent -FilterHashtable @{ LogName='Application'; ProviderName='MSExchange Common'; Level=2 } | Where-Object { $_.Message -like "*BinaryFormatter.Deserialize*" }

If events are found, please work with your Security Response team to analyze the server further.
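
An added PowerShell example (not from Microsoft or the original post) that runs the same check across several servers and keeps a failed query distinct from a clean result, since Get-WinEvent raises an error rather than returning nothing when no event matches. The server names and CSV file name are placeholders, and remote event log access to each server is assumed.

```powershell
# Added example: sweep several Exchange servers for the event described above.
# Server names and the output file name are placeholders (assumptions).
$Servers = @('EXCH01', 'EXCH02')
$OutFile = '.\CVE-2021-42321-events.csv'

# Same filter as the single-server query: Application log, MSExchange Common, Error level.
$Filter  = @{ LogName = 'Application'; ProviderName = 'MSExchange Common'; Level = 2 }
$Pattern = '*BinaryFormatter.Deserialize*'
$Hits    = New-Object System.Collections.Generic.List[object]

$Summary = foreach ($Server in $Servers) {
    $Status  = 'Queried'
    $Matched = @()
    try {
        # -ErrorAction Stop turns every failure into a catchable error, including
        # the "no events found" case that Get-WinEvent reports as an error.
        $Matched = @(Get-WinEvent -ComputerName $Server -FilterHashtable $Filter -ErrorAction Stop |
            Where-Object { $_.Message -like $Pattern })
    }
    catch {
        # An empty result is fine. Anything else (access denied, host unreachable)
        # means the server was NOT checked and must not be read as clean.
        if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') {
            $Status = "QueryFailed: $($_.Exception.Message)"
        }
    }

    foreach ($Event in $Matched) { $Hits.Add($Event) }

    [pscustomobject]@{
        Server     = $Server
        Status     = $Status
        MatchCount = $Matched.Count
        FirstSeen  = ($Matched | Sort-Object TimeCreated | Select-Object -First 1).TimeCreated
        LastSeen   = ($Matched | Sort-Object TimeCreated | Select-Object -Last 1).TimeCreated
    }
}

# One row per server: a clean result, a hit count, or a failed query.
$Summary | Format-Table -AutoSize

# Keep the full matching events so the Security Response team can review them.
if ($Hits.Count -gt 0) {
    $Hits | Select-Object MachineName, TimeCreated, Id, RecordId, Message |
        Export-Csv -Path $OutFile -NoTypeInformation
}
```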

Did Microsoft release a CVE-2021-42321 mitigation via either Exchange Server Emergency Mitigation Service or the stand-alone EOMT tool?
We have not released mitigations for this vulnerability. Please update your servers to resolve the vulnerability.

Will Microsoft be releasing November 2021 SUs for older (unsupported) versions of Exchange CUs?
No. Please update to one of the supported CUs to be able to install November SUs.

My organization is in Hybrid mode with Exchange Online. Do I need to do anything?
While Exchange Online customers are already protected, the November 2021 security updates do need to be applied to your on-premises Exchange Servers, even if they are used only for management purposes. You do not need to re-run the Hybrid Configuration Wizard (HCW) after applying updates.

Do I need to install the updates on ‘Exchange Management Tools only’ workstations?
Servers or workstations running only Microsoft Exchange Management Tools (no Exchange services) do not need to apply these updates.

Further information
