Microsoft has published security bulletin MS16-108 in September 2016, which includes critical security updates for all currently supported versions of Exchange Server.
Included in MS16-108 are updates to patch remote code execution vulnerabilities in Oracle Outside In libraries, which is third party code that Microsoft licensed for use in Exchange. These Oracle libraries have been the cause of many, many security vulnerabilities in different versions of Exchange Server over the years.
Updates are available for:
- Exchange Server 2007 Service Pack 3 (this update is being called Update Rollup 21)
- Exchange Server 2010 Service Pack 3 (this update is being called Update Rollup 15)
- Exchange Server 2013 Service Pack 1 (although this version is still supported and received security updates, it is more than two years old and I recommend you do not continue running this build in production)
- Exchange Server 2013 CU12
- Exchange Server 2013 CU13
- Exchange Server 2016 CU1
- Exchange Server 2016 CU2
If you are running any earlier builds of Exchange not listed above, then you should consider them at risk for this vulnerability.
The timing of these patch releases is such that the next cumulative updates for Exchange 2013 and 2016 could be released any day now. The security updates above will be included in the next cumulative updates. Regardless of the anticipated timing of the CU releases, you should begin your testing and planning to deploy the standalone security updates now, considering they are critical updates. As no details of Exchange 2013 CU14 or Exchange 2016 CU3 have been publicly announced, it’s possible they will contain other functional changes that you need more time to test without delaying these critical security updates.
Don’t have test environment Paul. however i did google and following exchange blog no one reported issue with new security update on exchange 2010 sp3 and 2013 cu12 . Only issue in exchange 2016 So I’m fine with that.
Since there is no reply, I will consider no one installed this security update in Exchange 2010 sp3.
You asked whether anyone faced any issue. Nobody replied. All you can conclude from that is that nobody replied. If you have concerns about a patch you should use a test environment to validate it before you deploy to production.
Has anyone faced any issue while installing this patch in Exchange 2010 sp3 UR 14 and Exchange 2013 CU 12?
As this update says as RU15 for Exchange 2010 SP3. Does environment need to be RU14 to install this update?
Looks to be issues with patch so be cautios – I experienced it on a few servers myself
Correct Bulletins didn’t specify that. Alright, I will install that patch in EDGE server also.
Hi Paul ,
Do we need to install this patch even for which has only EDGE Role server also ? and Second question do you recommend install this patch first in Test environment and then too Production environment ?
The bulletins don’t seem to specify. I would assume Edge also needs them, unless you can find information that says otherwise.
Yes, always test patches.
Hi Paul, If we were running Exchange 2013 CU10 would this require an update to CU12 or CU13 and then apply the patch. I was assuming from what you have above, an update is needed first.
Thank you for your time,
Correct. You should update anyway as you are running an unsupported build.
About issues after this updates:
Thanks for doing what you do