Security updates for Exchange Server (October 2021)

Microsoft has released security updates for Exchange Server 2013, Exchange Server 2016 and Exchange Server 2019 as of October 12, 2021. These October updates are required to address vulnerabilities reported by external security partners and found through Microsoft's internal processes. The updates apply to the Exchange Server on-premises installations listed below.

Microsoft has published the Techcommunity post "Released: October 2021 Exchange Server Security Updates" with a description of the security updates. Updates are available for the following Exchange Server versions.

These vulnerabilities affect on-premises Microsoft Exchange servers as well as servers used by customers in Exchange Hybrid mode. Exchange Online customers are already protected and do not need to take any action. Although Microsoft is not aware of any active exploits in the wild, it recommends installing these updates immediately to protect your Exchange installation. On this page, someone has compiled the six vulnerabilities addressed below, some of which are rated as high risk.

  • CVE-2021-41350: Microsoft Exchange Server Spoofing Vulnerability
  • CVE-2021-41348: Microsoft Exchange Server Elevation of Privilege Vulnerability
  • CVE-2021-34453: Microsoft Exchange Server Denial of Service Vulnerability
  • CVE-2021-26427: Microsoft Exchange Server Remote Code Execution Vulnerability

The CVEs are also partially listed in this blog post of the Zero Day Initiative. Explanations of the respective vulnerabilities can be found on this page. If the security updates are installed manually, this process must be started from an administrative command prompt. Otherwise, problems will occur during the installation.

Initial feedback does not show any issues. Only Microsoft's Techcommunity post indicates that an update could not be installed, but the details are missing.

Similar articles:
Security updates for Exchange Server (July 2021)
Cumulative Exchange CUs June 2021 released
Exchange Server Security Update KB5001779 (April 13, 2021)
Exchange issues with ECP/OWA search after installing security update (March 2021)
Exchange security updates from July 2021 breaks ECP and OWA
Exchange 2016/2019: Outlook problems due to AMSI integration
Wave of attacks, almost 2,000 Exchange servers hacked via ProxyShell
Exchange Server 2016-2019: Custom attributes in ECP no longer updatable after CU installation (July 2021)
Exchange Server: Authentication bypass with ProxyToken
Exchange vulnerabilities: Will we see Hafnium II?
Exchange Server September 2021 CU comes Sept. 28 with Microsoft Exchange Emergency Mitigation Service
Exchange Server September 2021 CU (2021/09/28)
