The estimated reading time 1 minutes
Even on holiday admins have to monitor patches from system inside their environment. Today Microsoft Exchange Team released a new Exchange security update SU August 2022 (KB5015322).
This one is not a CU but “only” SU, which needs some attention.
see the official link Exchange Team blog.
See some information about CVEs:
As you can see there are some CVEs which are marked as “critical”, so you should patch them as soon as possible.
Let’s have a deeper look on CVE-2022-24477 .
If you spent some time reading FAQs you soon realize that there is increased risk.
Official Link to SU KB5015322
- CVE-2022-21979 – Microsoft Exchange Information Disclosure Vulnerability
- CVE-2022-21980 – Microsoft Exchange Server Elevation of Privilege Vulnerability
- CVE-2022-24477 – Microsoft Exchange Server Elevation of Privilege Vulnerability
- CVE-2022-24516 – Microsoft Exchange Server Elevation of Privilege Vulnerability
- CVE-2022-30134 – Microsoft Exchange Server Elevation of Privilege Vulnerability
- CVE-2022-34692 – Microsoft Exchange Information Disclosure Vulnerability
Don’t waste time and patch your systems. But some CVEs you need to activate Windows Exetended Protection feature for IIS.
There is another “little” website where you can see the prerequisites for this little feature.
https://aka.ms/ExchangeEPDoc
Additional Information EP
NOTE these are the known issues with EP
PublicFolders only works in special conditions
There are some compatibility issues with older Servers and older CUs
Hybrid Server with Modern Hybrid Configuration
SSL and TLS settings
If you are still sure to activate EP you can find the manual here
https://microsoft.github.io/CSS-Exchange/Security/ExchangeExtendedProtectionManagement/
Please read the prerequisites carefully.
As always after updating, use the official Exchange HealthChecker script.
Good luck and if you liked this articel, please click on helpful.
