Microsoft has released Security Updates (SUs) for vulnerabilities found in:

• Exchange Server 2013
• Exchange Server 2016
• Exchange Server 2019

SUs are available in a self-extracting auto-elevating .exe package, as well as the original update packages (.msp files), which can be downloaded from the Microsoft Update Catalog.

SUs are available for the following specific versions of Exchange Server:

• Exchange Server 2013 CU23 (note that support and availability of SUs end on April 11, 2023)
• Exchange Server 2016 CU23
• Exchange Server 2019 CU11 and CU12 

The March 2023 SUs address vulnerabilities responsibly reported to Microsoft by security partners and found through Microsoft’s internal processes. Although we are not aware of any active exploits in the wild, our recommendation is to install these updates immediately to protect your environment.

These vulnerabilities affect Exchange Server. Exchange Online customers are already protected from the vulnerabilities addressed in these SUs and do not need to take any action other than updating Exchange servers in their environment, and if applicable, installing the security update for Outlook on Windows described below.

More details about specific CVEs can be found in the Security Update Guide (filter on Exchange Server under Product Family).

Awareness: Outlook client update for CVE-2023-23397 released

There is a critical security update for Microsoft Outlook for Windows that is required to address CVE-2023-23397. To address this CVE, you must install the Outlook security update, regardless of where your mail is hosted (e.g., Exchange Online, Exchange Server, some other platform). 

But if your mailboxes are in Exchange Online or on Exchange Server, after installing the Outlook update, you can use a script we created to see if any of your users have been targeted using the Outlook vulnerability. The script will tell you if any users have been targeted by potentially malicious messages and allow you to modify or delete those messages if any are found.

The script will take some time to run, so we recommend prioritizing user mailboxes that are of higher value to attackers (e.g., executives, senior leadership, admins, etc.).

Update installation

The following update paths are available:

• Install the latest CU. Use the Exchange Update Wizard to choose your current CU and your target CU to get directions.
• Inventory your Exchange Servers to determine which updates are needed using the Exchange Server Health Checker. Running this will tell you if any of your Exchange Servers are behind on updates (CUs, SUs) and if manual actions are needed.
• Always re-run Health Checker after you install an SU to see if any further actions are needed.
• If you encounter errors during or after installation of Exchange Server, run the SetupAssist script. If something does not work properly after updates, see Repair failed installations of Exchange Cumulative and Security updates.

Known issues with this release

• There are no known issues with this release

Issues resolved in this release

• EWS web application pool stops after the February 2023 Security Update is installed – if you have implemented the workaround in the KB article, you should remove the workaround once the March SU is installed (see the KB article for instructions). Running Health Checker will remind you of the need to remove the workaround.
• Exchange Toolbox and Queue Viewer fails after Certificate Signing of PowerShell Serialization Payload is enabled – this issue has been resolved for servers running the Mailbox role, but this still occurs on servers and workstations that have only the Management Tools role installed.
• This release unblocks customers who can’t enable Extended Protection (EP) because they are using a Retention Policy with Retention Tags that perform Move-to-Archive actions. Note: if you worked around this problem using the updated Exchange Server Extended Protection script, you should roll back the applied IP restrictions after installing this SU by following the script documentation.

FAQs

Our organization is in Hybrid mode with Exchange Online. Do we need to do anything?
Exchange Online is already protected, but this SU needs to be installed on your Exchange servers, even if they are used only for management purposes. If you change the auth certificate after installing the March 2023 SU, you should re-run the Hybrid Configuration Wizard.

The last SU we installed is a few months old. Do we need to install all SUs in order, to install the latest one?
SUs are cumulative. If you are running a CU supported by the SU, you do not need to install all SUs in sequential order; simply install the latest SU. Please see this blog post for more information.

Do we need to install SUs on all Exchange Servers within our organization? What about ‘Management Tools only’ machines?
Our recommendation is to install SUs on all Exchange Servers and all servers and workstations running the Exchange Management Tools to ensure compatibility between management tools clients and servers.

This post might receive future updates; they will be listed here (if available).

–The Exchange Server Team