A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the System user. An attacker could then install programs; view, change, or delete data; or create new accounts.
Exploitation of the vulnerability requires that a specially crafted email be sent to a vulnerable Exchange server.
The security update addresses the vulnerability by correcting how Microsoft Exchange handles objects in memory.
Updates have been released for the following versions of Exchange, and you can download them all here:
- Exchange Server 2010 SP3 with Update Rollup 21
- Exchange Server 2013 SP1 (CU4), aka the version that is technically supported these days but please don’t deploy it or stay at this version
- Exchange Server 2013 CU19
- Exchange Server 2013 CU20
- Exchange Server 2016 CU8
- Exchange Server 2016 CU9
To address a few misconceptions that are coming up in that Reddit thread, and that you might also be wondering about, yes this vulnerability exists in other versions of Exchange not listed above. Those versions are the currently supported versions of Exchange. Any other Exchange Server version, service pack, update rollup, or cumulative update level is not supported and therefore Microsoft doesn’t issue a vulnerability statement or a patch for those versions.
The vulnerability is listed as “not disclosed/not exploited”, and requires a specially crafted email to be sent to the Exchange server. The exact details of what that specially crafted message might look like are not disclosed of course. It’s possible that your email security protection will detect and prevent such an email message from reaching your Exchange server. However, I don’t recommend that you rely on that mitigation, and instead I recommend you plan to test and deploy the patch to your servers.