Microsoft has published security bulletin MS16-108 in September 2016, which includes critical security updates for all currently supported versions of Exchange Server.
Included in MS16-108 are updates to patch remote code execution vulnerabilities in Oracle Outside In libraries, which is third party code that Microsoft licensed for use in Exchange. These Oracle libraries have been the cause of many, many security vulnerabilities in different versions of Exchange Server over the years.
Updates are available for:
- Exchange Server 2007 Service Pack 3 (this update is being called Update Rollup 21)
- Exchange Server 2010 Service Pack 3 (this update is being called Update Rollup 15)
- Exchange Server 2013 Service Pack 1 (although this version is still supported and received security updates, it is more than two years old and I recommend you do not continue running this build in production)
- Exchange Server 2013 CU12
- Exchange Server 2013 CU13
- Exchange Server 2016 CU1
- Exchange Server 2016 CU2
If you are running any earlier builds of Exchange not listed above, then you should consider them at risk for this vulnerability.
The timing of these patch releases is such that the next cumulative updates for Exchange 2013 and 2016 could be released any day now. The security updates above will be included in the next cumulative updates. Regardless of the anticipated timing of the CU releases, you should begin your testing and planning to deploy the standalone security updates now, considering they are critical updates. As no details of Exchange 2013 CU14 or Exchange 2016 CU3 have been publicly announced, it's possible they will contain other functional changes that you need more time to test without delaying these critical security updates.