Released: October 2022 Exchange Server Security Updates
Published Oct 11 2022 10:02 AM

Microsoft has released Security Updates (SUs) for vulnerabilities found in:

  • Exchange Server 2013
  • Exchange Server 2016
  • Exchange Server 2019

SUs are available in a self-extracting auto-elevating .exe package, as well as the original update packages (.msp files), which can be downloaded from the Microsoft Update Catalog.

The October 2022 SUs are available for the following specific versions of Exchange Server:

The SUs address vulnerabilities responsibly reported to Microsoft by security partners and found through Microsoft’s internal processes. Our recommendation is to immediately install these updates to protect your environment.

These vulnerabilities affect Exchange Server. Exchange Online customers are already protected from the vulnerabilities addressed in these SUs and do not need to take any action other than updating any Exchange servers in their environment.

NOTE: The October 2022 SUs do not contain fixes for the zero-day vulnerabilities reported publicly on September 29, 2022 (CVE-2022-41040 and CVE-2022-41082). Please see this blog post to apply mitigations for those vulnerabilities. We will release updates for CVE-2022-41040 and CVE-2022-41082 when they are ready.

Also note that in this update, we have re-released fixes for some CVEs published in August 2022, to highlight the resolution of a known issue. More details about specific CVEs can be found in the Security Update Guide (filter on Exchange Server under Product Family).

Enable Windows Extended Protection

Starting with the August 2022 SUs, Exchange Server supports the Windows Extended Protection (EP) feature, which can help you protect your environments from authentication relay or "man in the middle" (MitM) attacks. If you have not yet enabled EP in your environment, please install the October SUs which address a known issue in Exchange EP support (see below). Then, review the information in the Manual Enablement of Extended Protection section of our August announcement for more details.

Customers who have already installed the August 2022 SUs and have enabled EP do not need to re-run the EP script after installing the October SUs.

Update installation

The following update paths are available:

[Figure: Oct2022SUPath.png, update paths for the October 2022 SUs]

Known issues with this release

We are not aware of any known issues with this release.

Issues resolved by this release

  • In Exchange 2013, Exchange 2016, and Exchange 2019 various Outlook and compliance-related monitoring probes show as Failed once EP is enabled.

FAQs

My organization is in Hybrid mode with Exchange Online. Do I need to do anything?
Exchange Online is already protected, but the October 2022 SUs need to be installed on your Exchange servers, even if they are used only for management purposes. You do not need to re-run the Hybrid Configuration Wizard after installing these updates.

Do I need to install the updates on ‘Exchange Management Tools only’ workstations?
Servers and workstations running only the Management tools role (no Exchange services) do not need these updates.

This post might receive future updates; they will be listed here (if available).

The Exchange Server Team

42 Comments
Copper Contributor

Hi Exchange Team, This Oct 2022 SU moreover looks like a bug fix/update of the Aug 2022 SU and doesn’t contain any new disclosure of security vulnerabilities? Customers who cannot use Windows EP due to limitations and have already applied the Aug 2022 SU can wait till the availability of Zero day vulnerability and install the upcoming SU without installing the Oct 2022 SU? Thanks

Microsoft

@maafraz We always recommend to install all security updates; you'll not see a recommendation from us to skip a security update.

Copper Contributor

@Nino_Bilic 

 

With all respect - in the monthly notification to enterprises, Exchange is not listed. On https://msrc.microsoft.com/update-guide/ when we search for Exchange, we find only entries from August.
Yes, I see that, as referred to on the page above, KB5019077 for Ex 2016/19 https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-... and KB5019076 for Ex 2013 https://support.microsoft.com/en-gb/topic/description-of-the-security-update-for-microsoft-exchange-... are new ones.
But it would make our life easier if re-released fixes for already fixed vulnerabilities were clearly communicated.

@Ziemek Borowski WRK You are right; this was somewhat imprecisely worded in the blog post, and I have fixed it now. We have not re-released the CVEs; rather a part of the SU package is a re-release of fixes for August CVEs to address a known issue.

Copper Contributor

Thanks Nino, noted

Copper Contributor

@The_Exchange_Team When can the release of the patch which will contain fixes for automatic archive functionality, event 4002 and the zero-day vulnerabilities reported publicly on September 29 be expected?

 

Copper Contributor

I had to remove the EMS-Mitigation on all of my DAG-members, before patching:

Otherwise, after setting the first DAG-member in Maintenance Mode, a DB-switchover to active nodes was possible, but the client connections did not reconnect to active nodes. After removing the mitigation on all nodes and restarting the IIS-service, successful client redirects appear.

Now I am patching my DAG members.

 

Copper Contributor

Is the issue below already resolved? We cannot change the current network DAG settings due to this bug (2016). Since May there have not been any updates regarding this.

 

  • New-DatabaseAvailabilityGroupNetwork and Set-DatabaseAvailabilityGroupNetwork fail with error 0xe0434352 (Update: the -Subnets parameter is still not fixed)
Copper Contributor

Hi,

 

Is Windows Extended Protection a pre-req that needs to be activated before applying this month's SU or is that an optional but strongly recommended activity?

Copper Contributor

@Williamsson 

From the following link:

https://microsoft.github.io/CSS-Exchange/Security/Extended-Protection/

Windows Extended Protection is supported on Exchange Server 2013, 2016 and 2019 starting with the August 2022 Exchange Server Security Update (SU) releases.

Copper Contributor

 

I did not have this issue in our test environment. Our client connections normally reconnect to active nodes.

 

 

Iron Contributor

Installed, enabled Extended Protection, everything working normally. 

Copper Contributor

When will 2022 H2 CU be coming out?

Copper Contributor

The new healthchecker says:

Security Vulnerability
----------------------
IIS module anomalies detected: False
Security Vulnerability: CVE-2022-41040
Please run the EOMTv2 script from: https://aka.ms/EOMTv2

 

But we already did run it last week and the mitigations are still there, so I guess the healthchecker is not ok?

Microsoft

@Brian Gallup We have nothing to announce as far as CU release date.

@Lennart-Live Recall that the mitigations have been updated several times during last week because of various bypasses that were made public. The absolutely best way is to let EEMS take care of this for you as those rules have been updated and applied to servers automatically. HealthChecker is updated to look for the "latest" version of mitigations.

Copper Contributor

@Brian Gallup According to the following video (MEC 2022) Microsoft hopes to release the next CU in November

https://youtu.be/HwLDtxj2WDc?t=850

 

Microsoft

@Williamsson Extended Protection is no prerequisite for this Security Update. You can install it without having to activate the Extended Protection feature first. However, we strongly recommend to configure Extended Protection which can help you protect your environments from authentication relay or "man in the middle" (MitM) attacks.

Copper Contributor

@Nino_Bilic @The_Exchange_Team 

1) Just to clarify your answer above to @Ziemek - Regarding the 6 CVEs that are mentioned in KB5019077 (CVE-2022-21979,CVE-2022-21980,CVE-2022-24477,CVE-2022-24516,CVE-2022-30134,CVE-2022-34692) :
If we have installed the August updates, we are protected from these CVEs, correct?

The new fixes are to address known issues with the previous mitigations, but not security holes, correct?

 

2) I see that while the first 5 CVEs indeed mention the new updates (5019077 and 501976) in the update catalog entry (e.g. here CVE-2022-21979 ),
CVE-2022-34692 still mentions only 5015322. Does 5019077 address CVE-2022-24692 or not?

 

Will appreciate your help here.

Thanks,

Stav

Copper Contributor

Exchange 2013 (on Windows Server 2012 R2) all updates installed without problems. Extended Protection and the URL rewrite rule had already been implemented before. No issues so far.

Brass Contributor

If a 2019 organization didn't apply the August SU yet (and subsequently turn on Extended Protection), do we need to apply August SU AND October SU, then turn on Extended Protection, or is just October SU and turn on Extended Protection enough?

@Ken Brussel You can directly apply the October SU and EEP

Microsoft

@Stav_K The only time you are protected from those vulnerabilities is if you install either August or October SUs (or any SUs that come later, in the future) AND you also enable Extended Protection (EP) which needs to be done manually. EP is not turned on in code and without it, you have required code in place but the CVEs are not addressed because there is no extra validation of machine to machine communications. When in doubt - Health Checker script will always tell you what you need to do.

On your second question - yes, Description of the security update for Microsoft Exchange Server 2019 and 2016: October 11, 2022 (KB... addresses CVE-2022-34692 - Security Update Guide - Microsoft - Microsoft Exchange Information Disclosure Vulne... but you are right that while the KB points to the CVE, the CVE does not point to the KB. I'll give feedback to the relevant team to make this change.

EDIT: one more thing... we recommend all customers install October updates even if they installed August updates. We do not recommend that customers skip October. You are right, however, that there are no new CVEs in October. But note that it is usually not a good practice to assume that "update should be installed only if there are new CVEs present." There can definitely be situations where we include security improvements that were never publicly disclosed and therefore will not have a CVE. Therefore our recommendation: install security updates.

Copper Contributor

Thank you for the details.

Usually we always patch our environments on an "ASAP" basis but this time we will wait for next November CU24.

 

Indeed we have just patched our large production environment with KB5015322 this week and we cannot activate EEP on our environment as I saw EEP is not recommended (impossible?) if Exchange servers are hosting Public Folder Hierarchy mailboxes.

(Fortunately our environment is [well] protected by a third party solution I will not detail publicly)

Microsoft

@Florent_Duret it's possible to enable Extended Protection on Exchange servers which are hosting Public Folder hierarchy mailboxes.

You can find the details and things to consider here: https://microsoft.github.io/CSS-Exchange/Security/Extended-Protection/#extended-protection-cannot-be...

Copper Contributor

Any chance that the Exchange Team will address the frequent crashes of the ApplicationPools?
EventID 5011, WAS. This still happens on an Exchange 2019 CU12 with the latest October Patch on a Windows Server 2019

This happens on all Exchange Application Pools. Clients will be disconnected if it happens on MXExchangeMapiFrontEndPool

 

 

Copper Contributor

@olaf_koehler I have the very same problem and discovered these are not crashes.
Indeed on our production environment this is related to Managed Availability (MA) that initiates the "Application Pool" recycling/"Watson Dumps" or even Exchange services "restart".

In event viewer, have a look in "Applications and Services logs > Microsoft > Exchange > Managed Availability > RecoveryActionLogs" and filter for events 2050 and 2051.

Events 2050 show MA triggered Exchange service "restart" or Application Pool "recycling" (even WatsonDumps...).
Events 2051 show the same, except the MA throttling prevented the system from doing so.

 

Florent

Copper Contributor

I have the following sequence before the error

 

Event 2050 - RecycleCafeApplicationPool-MSExchangeMapiFrontEndAppPool-OutlookMapiHttpProxyTestRecycleAppPool: Throttling allowed the operation to execute

Event 1020 - Starting recovery action (Action=RecycleCafeApplicationPool, Resource=MSExchangeMapiFrontEndAppPool, Requester=OutlookMapiHttpProxyTestRecycleAppPool, ThrottlingMode=None)

Event 2051 - WatsonDump-MSExchangeMapiFrontEndAppPool-OutlookMapiHttpProxyTestRecycleAppPool: Throttling rejected the operation

Event 1500 - Attempting to kill process. (Id=21572, Name=w3wp, IsChild=False, Context=221014.011429.45723.034)

Event 1502 - Successfuly killed the process. (Id=21572, Name=w3wp, IsChild=False, Context=221014.011429.45723.034)

Event 1022 - Recovery action succeeded. (Action=RecycleCafeApplicationPool, Resource=MSExchangeMapiFrontEndAppPool, Requester=OutlookMapiHttpProxyTestRecycleAppPool)

 

In the System log there is then

Event 5011 - "WAS - Fatal Communications Error..." that corresponds with 1502 (kill)
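The correlation described in the two comments above (Managed Availability recovery actions versus WAS event 5011), as an added example that is not part of the original thread: it parses an exported event list in the layout quoted above and treats a 5011 as explained only when its process ID was killed during a recovery action against the same application pool. The two 5011 lines, their message layout and the `triage` function name are assumptions made for this example.

```python
import re

# The first six lines are the sequence quoted in the comment above. The two
# 5011 lines are constructed for this example (message layout is assumed).
SAMPLE = """\
Event 2050 - RecycleCafeApplicationPool-MSExchangeMapiFrontEndAppPool-OutlookMapiHttpProxyTestRecycleAppPool: Throttling allowed the operation to execute
Event 1020 - Starting recovery action (Action=RecycleCafeApplicationPool, Resource=MSExchangeMapiFrontEndAppPool, Requester=OutlookMapiHttpProxyTestRecycleAppPool, ThrottlingMode=None)
Event 2051 - WatsonDump-MSExchangeMapiFrontEndAppPool-OutlookMapiHttpProxyTestRecycleAppPool: Throttling rejected the operation
Event 1500 - Attempting to kill process. (Id=21572, Name=w3wp, IsChild=False, Context=221014.011429.45723.034)
Event 1502 - Successfuly killed the process. (Id=21572, Name=w3wp, IsChild=False, Context=221014.011429.45723.034)
Event 1022 - Recovery action succeeded. (Action=RecycleCafeApplicationPool, Resource=MSExchangeMapiFrontEndAppPool, Requester=OutlookMapiHttpProxyTestRecycleAppPool)
Event 5011 - A process serving application pool 'MSExchangeMapiFrontEndAppPool' suffered a fatal communication error with the Windows Process Activation Service. The process id was '21572'.
Event 5011 - A process serving application pool 'MSExchangeOWAAppPool' suffered a fatal communication error with the Windows Process Activation Service. The process id was '9940'.
"""

EVENT = re.compile(r"^Event (\d+) - (.*)$")
FIELDS = re.compile(r"(\w+)=([^,)]+)")
THROTTLE = re.compile(r"^([^-]+)-([^-]+)-[^:]+: Throttling (allowed|rejected)")
WAS = re.compile(r"application pool '([^']+)'.*process id was '(\d+)'")

def triage(text):
    """Return (throttling decisions, verdict for every WAS 5011 event)."""
    decisions, killed, was_events, action = [], {}, [], None
    for line in text.splitlines():
        m = EVENT.match(line.strip())
        if not m:
            continue
        eid, msg = int(m.group(1)), m.group(2)
        fields = dict(FIELDS.findall(msg))
        if eid in (2050, 2051) and (t := THROTTLE.match(msg)):
            decisions.append(t.groups())      # (action, resource, allowed|rejected)
        elif eid == 1020:
            action = fields                   # recovery action in progress
        elif eid == 1022:
            action = None                     # recovery action finished
        elif eid == 1502 and action and "Id" in fields:
            killed[fields["Id"]] = action     # PID killed on behalf of that action
        elif eid == 5011 and (w := WAS.search(msg)):
            was_events.append(w.groups())     # (pool, pid)
    verdicts = []
    for pool, pid in was_events:
        by = killed.get(pid)
        # Explained only if the same PID was killed for an action on the same pool.
        requester = by["Requester"] if by and by.get("Resource") == pool else None
        verdicts.append((pool, pid, requester))
    return decisions, verdicts

if __name__ == "__main__":
    for pool, pid, requester in triage(SAMPLE)[1]:
        why = f"recycled by Managed Availability ({requester})" if requester else "not explained by these logs"
        print(pool, pid, why)
```

A 5011 that comes back with no requester is the one that still needs a cause.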

 

 

 

Copper Contributor

I’ve been an Exchange admin for almost 20 years. This is the first time I had to pay for support as WSUS failed to install the October SU which really damaged my box. Support needed dll files to make the SU install which allowed services to start after a 19 hour outage but 3-1/2 days later, no OWA/ECP. MS support continues to review. Somehow my box is special as I’m not seeing other such nightmare scenarios. 

Copper Contributor

Are the event ID 4002 and 24001 issues fixed?

Copper Contributor

Following up to the post by @Ziemek Borowski WRK I am still confused about whether the October security update addresses any new vulnerabilities or is only re-releasing fixes for August CVEs to address known issues.  Filtering the Security Update Guide on Exchange Server shows no new CVEs since Aug 9, 2022 except for the two Sep 30, 2022 CVEs that are explicitly mentioned in the blog post as NOT fixed in the October 2022 SUs.

Copper Contributor

I have not yet applied the May and August SUs. Do I still need to run /PrepareAllDomains for this SU?

Copper Contributor

@GeorgeMilano This SU destroyed one of our Exchange 2019 Edge servers, it was rendered completely unusable, none of the services would start and it broke WINRM at a low level and being console mode, was impossible to fix. 1st time I've experienced an unexpected issue with an SU as well. Luckily, Edge servers are disposable but still, was a shock and took several hours to repair. I've applied this SU to a dozen other Exchange servers and Edge servers without any other issues.

 

I was also hoping this SU would resolve the two current 0-day vulnerabilities. We've applied the SU and mitigations and the ones in EOMTv2. Sadly, Defender ATP still reports Exchange as High risk with 0-day vulnerabilities. Hoping soon, Exchange will address the 0-day issues properly

 

Microsoft

@Hilwork When in doubt, run Health Checker and it'll tell you if you need to perform a manual action.

Copper Contributor

@Nino_Bilic we have 2x mailbox (Exchange 2016) Hybrid mode with Exchange 2016 Edge Server.

Do I need to re-run Exchange Hybrid wizard after applying CU23 on Exchange Mailbox server & Edge server?

Do I need to backup any specific files from edge server & exchange server before the upgrade to CU23?

Will upgrading to CU23 delete any connectors from mailbox server & edge server?

I can see Exchange inbound\outbound connectors & a connector to O365 on my Exchange edge server; will they be removed if I upgrade to CU23?

Do I need to re-subscribe edge server after CU23 upgrade on all servers (exchange mbx, edge)?

 

Please advise.

 

 

Microsoft

@ATFRMZ In the order:

No.

Maybe, but see this document for more information.

No.

No

No.

Copper Contributor

@Nino_Bilic , can you respond to my Oct 20 post and clarify what these October security updates address, since the Security Update Guide shows no new CVEs for Exchange since Aug 9, 2022 except for the two Sep 30, 2022 CVEs that are explicitly mentioned in the blog post as NOT fixed in the October 2022 SUs?

Microsoft

@David_Patterson Relevant update KB articles list and link to what is addressed in October SUs. Re-release of CVEs was not the only thing in October SUs.

Note though: you are making an assumption that every fix in the update will have a CVE associated with it; that is not the case (and never was). CVEs are for publicly known / disclosed vulnerabilities. We might at any time release security updates with fixes that were never publicly disclosed (for example, they were not reported to us but we found them internally and just addressed them).

Our recommendation about security updates is: install them when we release them. If there are things like urgent fixes, then we will obviously communicate it as such (or release out of band) and in those cases, there will more than likely be CVEs and possibly other thing to reference. But realize that even smaller things that might not appear as big or publicly discussed issues today, can possibly be used as a part of the attack chain few months from now.

I recommend a simple approach: see a security update? Install it. See an urgent one? Install it urgently.

Copper Contributor

@Nino_Bilic  thank you for guidance.

Copper Contributor

@The_Exchange_Team Will there or won't there be a CU24 for Exchange 2016 next patch tuesday 08-11-2022? In the forecast of 03-11-2022 I only see:

Microsoft Exchange server Maximum severity as critical with a maximum impact of elevation of privilege.

Copper Contributor

Hi Team, 

 

I need your help. 

 

We have updated new "Security Update For Exchange Server 2013 CU23 (KB5019076)" on our Exchange 2013 CU23 (DAG Environment).

 

In one server "The Microsoft Exchange Replication service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service" services is not coming up. 

 

Please can any one suggest / help.

 

Regards,

Mahesh

Copper Contributor

@The_Exchange_Team , @Nino_Bilic 

 

After passing this update, our MIM (Version 4.6.540.0) server became unable to make a PowerShell connection to Exchange 2019 and unable to send emails. Do you have an idea?

Copper Contributor

Hello,

Since I installed the October 2022 Exchange Server Security Updates on my Exchange 2016 CU22, external relay didn't work anymore.
I'm on hybrid minimal configuration
Can you help me?