Microsoft Exchange Server: November 2022 security update plugs zero-day vulnerability "ProxyNotShell"
Right on time for Microsoft Patchday, which always falls on the second Tuesday of the month, there are new updates for Microsoft Exchange Server. This one is significant again: it addresses six security vulnerabilities. All three versions, 2013, 2016 and 2019, receive an update which, among other things, closes the critical zero-day vulnerability ("ProxyNotShell") from September.
A total of six vulnerabilities are fixed, two of which are critical ones from September 2022 and one a new critical one from November 2022. As already indicated, this is a very important update. The current update package therefore includes the following CVEs:
- CVE-2022-41078
- CVE-2022-41079
- CVE-2022-41080
- CVE-2022-41123
- CVE-2022-41040 (Zero Day / September 22)
- CVE-2022-41082 (Zero Day / September 22)
As usual, new Windows updates are also available, so the Exchange updates should be installed together with the Windows Server updates. Further technical details are summarized in the Exchange blog.
Microsoft Exchange Server 2013/2016/2019: Security updates November 2022
As usual, Microsoft again provides the updates for the last two CU versions, except for 2013. Servers on an older CU must first be upgraded to a supported CU version. Microsoft recommends installing the updates as soon as possible, especially because of the zero-day vulnerabilities. So that should happen soon, if it hasn't already.
- Exchange Server 2013 CU23 (end of support April 2023)
- Exchange Server 2016 CU22 and CU23
- Exchange Server 2019 CU11 and CU12
Afterwards, you can use Microsoft's Health Checker script to check whether all updates have been installed successfully.