Security Update Release (Out-of-Band) for Critical Exchange Server Vulnerabilities

The Illinois Learning Technology Purchase Program (ILTPP) has received the following notice from Microsoft regarding security updates released on March 2, 2021. If you did not receive this notice in advance, please reach out to an Account Executive below.

  • This affects any customer running on-premises Exchange.
  • To remediate, you must be on the current or N-1 CU (e.g. Exchange 2016 CU18 or CU19) of a supported version of Exchange.
  • Only once you are at a supported CU can you apply the patch.
  • There will be no back-porting of this patch beyond what is documented, so if you are behind on CUs, you must upgrade first.
  • You must patch all Exchange servers, especially Internet-facing roles.
  • If you run Hybrid Exchange, you MUST patch the hybrid servers.
  • Microsoft support engineers have advised customers to make this a top priority and get it done ASAP.

What is the purpose of this notification?

This is an advance notification of security updates that Microsoft plans to release for critical Exchange Server vulnerabilities on March 2, 2021.

Although we do not anticipate any changes, the information detailed in this alert, including the timeline, is subject to change until the security update release.

Security Update Overview

On March 2, 2021, at about 2:00 PM (Pacific Time), Microsoft released security updates for vulnerabilities affecting Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. Updates are being released for Exchange Server 2010 for defense-in-depth purposes.

Microsoft sent advance notifications a few hours before the release of the security updates to give Exchange Server administrators time to plan for the rollout of these critical updates.

Answers to Anticipated Questions

Q: Do these vulnerabilities affect Exchange Online?    

A: No. Customers using Exchange Online are not affected by these vulnerabilities.   

Q: What is the maximum severity, impact, and Base CVSS score of these vulnerabilities?   

A: The set of vulnerabilities includes Remote Code Execution vulnerabilities with a severity rating of Critical. The highest base CVSS score in the set is 9.1.

Q: Where (and when) can I find specific details about these Exchange Server vulnerabilities?   

A: When the security updates are released, the vulnerability details will be published in the Microsoft Security Update Guide. Microsoft will also publish companion blog posts that provide additional guidance.

Q: Do I need to do any prep work with my Exchange servers to make them ready for these new security updates? 

A: Microsoft provides support for the latest two Cumulative Updates (CUs) for Exchange Server 2016 and Exchange Server 2019, and for the latest Update Rollup (UR) for Exchange Server 2010 and Exchange Server 2013. Exchange servers running a supported UR or CU are considered up to date. Any Exchange server that is not up to date will need a supported UR or CU installed before you can install the new security updates, so Exchange administrators should factor in the additional time needed to bring out-of-date servers current.

Q: Is there a method I can use to determine which of my Exchange servers can install the security updates directly, and which will need to have a supported Update Rollup (UR) or Cumulative Update (CU) installed first?   

A: Yes. You can use the Exchange Server Health Checker script, which can be downloaded from GitHub (use the latest release). Running this script will tell you whether you are behind on your on-premises Exchange Server updates.

Q: Do I need to prioritize specific Exchange servers (are some Exchange servers at increased risk)? 

A: Yes. Internet-facing Exchange servers (e.g., servers publishing Outlook on the web/OWA and ECP) are at increased risk and should be updated first. Your servicing plan should include identifying and prioritizing Internet-facing Exchange servers.

Q: After the security updates are installed, does the Exchange server receiving updates need to be rebooted?

A: Yes. After the security updates are installed, the Exchange server must be restarted for the updates to take effect.

Recommended Actions

Please begin planning the deployment of these security updates to the on-premises Exchange servers in your environment. Allow extra time to update servers that are not running a supported Update Rollup (UR) or Cumulative Update (CU), and prioritize Exchange servers that are Internet-facing.
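The triage the notice describes (confirm each server is on a supported CU, identify Internet-facing servers, patch those first, then restart) can be turned into an inventory report. The script below is an added example, not part of the Microsoft or ILTPP notice and not the Health Checker script; it assumes the Exchange Management Shell, and the minimum build numbers in its table are assumed values that must be verified against Microsoft's published Exchange build list before use.

```powershell
# Added example: inventory on-premises Exchange servers and report patch readiness.
# Run from the Exchange Management Shell with Exchange admin rights.
# ASSUMPTION: the build numbers below are illustrative; verify each against
# Microsoft's published Exchange Server build numbers before relying on them.
$MinimumSupportedBuild = @{
    '15.0' = [version]'15.0.1497.2'   # Exchange 2013 CU23   (assumed; verify)
    '15.1' = [version]'15.1.2106.2'   # Exchange 2016 CU18   (N-1; assumed; verify)
    '15.2' = [version]'15.2.721.2'    # Exchange 2019 CU7    (N-1; assumed; verify)
}

function Get-ExchangePatchReadiness {
    foreach ($srv in Get-ExchangeServer) {
        # AdminDisplayVersion exposes Major/Minor/Build/Revision; fold into a [version]
        $v      = $srv.AdminDisplayVersion
        $build  = [version]('{0}.{1}.{2}.{3}' -f $v.Major, $v.Minor, $v.Build, $v.Revision)
        $branch = '{0}.{1}' -f $v.Major, $v.Minor
        $minimum = $MinimumSupportedBuild[$branch]

        # A populated OWA ExternalUrl is a strong hint that the server is published
        # to the Internet and therefore belongs at the front of the patch queue.
        $internetFacing = [bool](Get-OwaVirtualDirectory -Server $srv.Name -ErrorAction SilentlyContinue |
            Where-Object { $_.ExternalUrl })

        if (-not $minimum) {
            $cuSupported = $false
            $nextStep    = 'Version not in table: check the Microsoft build list'
        } elseif ($build -lt $minimum) {
            $cuSupported = $false
            $nextStep    = 'Install supported CU/UR first, then the security update'
        } else {
            $cuSupported = $true
            $nextStep    = 'Install security update, then restart the server'
        }

        [pscustomobject]@{
            Server         = $srv.Name
            Roles          = $srv.ServerRole
            Build          = $build
            CUSupported    = $cuSupported
            InternetFacing = $internetFacing
            NextStep       = $nextStep
        }
    }
}

# Internet-facing servers sort to the top so they are handled first.
Get-ExchangePatchReadiness |
    Sort-Object -Property @{Expression = 'InternetFacing'; Descending = $true}, Server |
    Format-Table -AutoSize
```

The ExternalUrl heuristic only catches servers published via OWA; cross-check it against your reverse proxy or firewall publishing rules so no Internet-facing server is missed.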

Regarding Information Consistency

We strive to provide you with accurate information in static (this mail) and dynamic (web-based) content. Microsoft’s security content posted to the web is occasionally updated to reflect late-breaking information. If this results in an inconsistency between the information here and the information in Microsoft’s web-based security content, the information in Microsoft’s web-based security content is authoritative.

If you have any questions regarding this alert, please contact your Customer Success Account Manager (CSAM) and/or Account Executive (AE) below.

Related Resources 

Contact your dedicated Account Managers:

Joe Ignatius
Account Executive

Justin Libis
Account Executive
