Microsoft has released security updates (SUs) for vulnerabilities found in:
- Exchange Server 2013
- Exchange Server 2016
- Exchange Server 2019
IMPORTANT: Starting with this release of Security Updates, we are releasing updates in a self-extracting auto-elevating .exe package (in addition to the existing Windows Installer Patch format). Please see this post for more information. Original update packages can be downloaded from Microsoft Update Catalog.
These SUs are available for the following specific builds of Exchange Server:
The SUs address vulnerabilities responsibly reported to Microsoft by security partners and found through Microsoft’s internal processes. Although we are not aware of any active exploits in the wild, our recommendation is to immediately install these updates to protect your environment.
These vulnerabilities affect Exchange Server. Exchange Online customers are already protected from the vulnerabilities addressed in these SUs and do not need to take any action other than updating any Exchange servers in their environment.
More details about specific CVEs can be found in the Security Update Guide (filter on Exchange Server under Product Family).
Manual run of /PrepareAllDomains is required
Because of additional security hardening work for CVE-2022-21978, the following actions should be taken in addition to application of May 2022 security updates (please see the FAQ below if in your organization you never ran /PrepareAllDomains but ran /PrepareDomain for some domains only):
|
Latest version of Exchange Server installed in the organization |
Additional steps needed |
|
Exchange Server 2016 CU22 or CU23, or Exchange Server 2019 CU11 or CU12 |
Install the May 2022 SU first and then run the following Command Prompt command once using Setup.exe in your Exchange Server installation path (e.g., …\Program Files\Microsoft\Exchange Server\v15\Bin):
“Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataON /PrepareAllDomains”
Or
“Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataOFF /PrepareAllDomains” |
|
Exchange Server 2013 CU23 |
Install the May 2022 SU first and then run the following Command Prompt command once using Setup.exe in your Exchange Server installation path (e.g., …\Program Files\Microsoft\Exchange Server\v15\Bin):
Setup.exe /IAcceptExchangeServerLicenseTerms /PrepareAllDomains |
|
Any older version of Exchange Server not listed above |
Update your Exchange server to the latest CU, install May 2022 SU and then follow the steps above. |
You need to run /PrepareAllDomains only once per organization and those changes will apply to all versions of Exchange Server within the organization. When you run /PrepareAllDomains, your account needs to be a member of the Enterprise Admins security group. This might be a different account from the one you use to install the SU.
Update installation
Two update paths are available:
Inventory your Exchange Servers / determine which updates are needed
Use the Exchange Server Health Checker script (use the latest release) to inventory your servers. Running this script will tell you if any of your Exchange Servers are behind on updates (CUs and SUs).
Update to the latest Cumulative Update
Go to https://aka.ms/ExchangeUpdateWizard and choose your currently running CU and your target CU to get directions for your environment.
If you encounter errors during or after installation of Exchange Server updates
If you encounter errors during installation, see the SetupAssist script. If something does not work properly after updates, see Repair failed installations of Exchange Cumulative and Security updates.
Known issues with this release
- If you get the following error when trying to install the .exe version of the Exchange 2016 SU for CU22: "Could not load file or assembly 'Microsoft.Exchange.SecurityPatch.ExeGenerator" followed by "Strong name validation failed." and error "0x8013141A" - then please re-download the Exchange 2016 CU22 update and try again. We have resolved the problem with that .exe package.
Issues resolved by this release
The following issues have been resolved in this update:
- Exchange Service Host service fails after installing March 2022 security update (KB5013118)
- New-DatabaseAvailabilityGroupNetwork and Set-DatabaseAvailabilityGroupNetwork fail with error 0xe0434352 (Update: the -Subnets parameter is still not fixed)
- The UM Voicemail greetings function stops working and returns error 0xe0434352.
- Unable to send mails through EAS and Get-EmailAddressPolicy fails with Microsoft.Exchange.Diagnostics.BlockedDeserializeTypeException after installing Security Update KB5008631 for Exchange 2019
FAQs
My organization is in Hybrid mode with Exchange Online. Do I need to do anything?
While Exchange Online customers are already protected, the May 2022 SUs do need to be installed on your on-premises Exchange servers, even if they are used only for management purposes. You do not need to re-run the Hybrid Configuration Wizard (HCW) after installing updates.
Do I need to install the updates on ‘Exchange Management Tools only’ workstations?
Servers or workstations running only the Management Tools role (no Exchange services) do not need these updates. If your organization uses only an Exchange Management Tools machine, then you should install the May 2022 SU package on it and run /PrepareAllDomains as per the above instructions to update Active Directory permissions.
Instructions seem to indicate that we should /PrepareAllDomains after May 2022 SU is installed; is that correct?
Yes. The May 2022 SU package updates files in Exchange server folders when it is installed. That is why once those files are updated (SU is installed) – we ask you to go and explicitly /PrepareAllDomains using setup from \v15\Bin folder. Please note that this needs to be done only once in the organization (in case of /PrepareAllDomains) or per domain (in case of /PrepareDomain).
In our organization we never ran /PrepareAllDomains. We only prepared several of our domains. Do we still need to run /PrepareAllDomains to address CVE-2022-21978?
Our documentation guides our customers to run /PrepareAllDomains as a part of the Exchange organization setup. If your organization has prepared only a subset of all your Active Directory domains, then you can choose to use the /PrepareDomain switch in those specific domains only. To check if /PrepareDomain was ran in a particular domain, check for the presence of the Microsoft Exchange System Objects container in that domain.
We never used the Microsoft Update catalog and need help getting the old version of update package. Help?!
You can search the Microsoft Update Catalog for your version of Exchange (for example “Exchange Server 2019”). Here are quick links with search strings for Exchange 2013, 2016 and 2019. Once the results come up, sort by the “Last updated” column to display the latest security update. Use the Download button to download the .cab file and then rick-click on the .cab and choose Open to reveal the .msp file. Extract the .msp file and proceed using it (but remember that .msp requires elevation when installing!)
Can we run /PrepareAllDomains before all of our Exchange servers are updated with May 2022 CU?
Yes. There is no dependency between running of /PrepareAllDomains and installation of updates on all servers. /PrepareAllDomains can be run when as least one machine is updated (from that machine) but could be postponed and be run when you are ready to address that particular CVE.
We ran /PrepareAllDomains but Health Checker script is telling us we are still vulnerable. Or: Health Checker script fails to check for CVE-2022-21978 update status.
Please update your Health Checker script; we resolved the problem that was causing this and the new version of the check is now published. Also, please note that if your organization uses split permissions and Exchange admins do not have rights to read Active Directory configuration, we updated the Health Checker on 5/16 to indicate when more permissions might be required for the check to complete.
Updates to this blog post:
- 5/27: Clarified that /Prepare switches need to be run only once (not on every updated server)
- 5/23: Added information about -Subnets parameter still not working for New-DatabaseAvailabilityGroupNetwork and Set-DatabaseAvailabilityGroupNetwork
- 5/16: Another update to Health Checker FAQ to account for split permissions
- 5/12: Updated the Health Checker FAQ; the updated version is now published
- 5/11: Added a FAQ about Health Checker script in some environments incorrectly reporting that CVE-2022-21978 is not addressed after /PrepareAllDomains was run
- 5/11: Added a FAQ on order of running /PrepareAllDomains vs. updating of all Exchange servers
- 5/11: Redirected the Exchange 2016 CU22 package back to the Download Center as the issue with that update's .exe package has been resolved
- 5/11: Redirected the Exchange 2016 CU22 SU download link to Microsoft Update Catalog download while we address an issue with .exe installer.
- 5/11: Additional clarification of /PrepareDomain vs. /PrepareAllDomains for customers who never ran /PrepareAllDomains in their organization
- 5/11: Added the workaround for a 'Strong name validation error' that a small number of customers reported
- 5/11: Added information on how to find the .msp version of updates in Microsoft Update Catalog
- 5/10: Added a FAQ mentioning the use of /PrepareDomain instead of /PrepareAllDomains for organizations that need to do so.