Microsoft has released the new security updates for Exchange Server 2016 in June 2023. This update, with the Knowledge Base number – KB5025903, will resolve the security vulnerabilities in the Exchange Server. The vulnerabilities resolved by this update are:
- CVE-2023-28310: After installing the updates, hackers who are on the same intranet as the server, will not be able to achieve remote code execution via PowerShell remote session.
- CVE-2023-32031: This will prevent the attackers from targeting the server accounts in an arbitrary or remote code execution attack, which could trigger malicious code through a network call.
Apart from the above mitigations, the below fixes are also included in the update.
Extended Protection doesn’t support Public Folder Client Permission Management through Outlook
One would not be able to change the permissions on a public folder using Outlook, if the public folder is hosted on a secondary mailbox on a different server, after configuring Extended Protection. This issue is fixed in this latest update.
Microsoft Exchange Replication Service stops responding on Host Server
This update will resolve the issue where the Microsoft Exchange Replication service stops responding on the host server due to deserialization blockage.
Store Worker process crashes and returns “System.NullReferenceExceptions” multiple times per day
This issue occurs when the Store Worker crashes (in a Database Availability Group), causing the database to fail and mailboxes getting quarantined daily. This security update (KB5025903) will fix this issue.
Exchange won’t uninstall after the January Security Update (KB5022143) is applied
When you try to uninstall Exchange Server after the January 2023 security update, it fails to start and cause an error. This latest (June 2023) update will fix this issue.
How to Install the Security Update (CU23 SU8)?
Before installing the update, you must do the following:
- Establish a maintenance window with the business to ensure that it will not impact the business. Also, inform all the users that the email system will not be available during this time.
- Perform a full backup of the Exchange Servers, along with the Active Directory server (as a precaution).
- Ensure that backup jobs are paused (if any), antivirus software is disabled, and any other jobs or scans are paused.
- Run a health check of the server before running the update to ensure the server is running well and to prevent any issues post installation. For this, you can download and run the HealthChecker.ps1 script. The script will collect all the information on the server and report the issues if there are any.
Installing the Update
The installation of the update is easy. In case of a standalone server, all you need to do is execute it and follow the interface. In a Database Availability Group (DAG), you first need to check which server is the passive server that holds the database copies. If after a week there are no issues, it is recommended to first failover to the updated server. After confirming all is working fine, you can proceed with the installation on the main server. Once this is done, you can safely failback the services. This will not impact the business as the service will not stop. If the update is not compatible, it will not impact the production server.
After the update is completed successfully, it is highly recommended to re-run the health check PowerShell script to ensure everything is fine.
To Conclude
You must be very careful when installing Exchange Server updates. Make sure that the safety precautions are taken as abrupt interruption when installing updates can cause issues with the services and the integrity of the data. In case of issues during and after update installation, you may end up with a non-functional Exchange Server. If the installation is stopped abruptly due to a hardware failure, software crash, or other issues, there is a higher chance of damage to the databases or transaction logs. In addition, you may end up with a non-functioning Exchange Server service and the databases would not mount due to Dirty Shutdown. In such situations, you can re-install the Exchange Server with no issues as the configuration will be retrieved from the Active Directory Schema, but the data changes will be lost.
With applications such as Stellar Repair for Exchange, you can repair and recover the damaged databases. You can export the data from the repaired database to PST and other file formats, as well as directly export to a live Exchange Server database or Office 365 (Microsoft 365).
Was this article helpful?
