Upgrading Exchange servers should be nothing new to Admins however a lot of Admins prefer not to as they say “why fix something that is not broken?”.
With the increase attacks on Exchange 2016 and 2019, the latest Cumulative Updates (CU) CU15 for Exchange 2016 and CU3/4 for Exchange 2019.
Installing a new CU from where you are will require you to upgrade your .NET Framework version to 4.8 as well as this is the new requirement. If you do not install it and run the CU, the upgrade will fail telling you it needs .NET 4.8 to continue.
Once you have installed the cumulative updates and rebooted your system, you need to download the security updates for Exchange, the latest one released in March 2020. Here is a snippet of what is addressed:
Link to the below: ( https://wwwportal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-0903)
CVE-2020-0903: Microsoft Exchange Server Spoofing Vulnerability
A cross-site-scripting (XSS) vulnerability exists when Microsoft Exchange Server does not properly sanitize a specially crafted web request to an affected Exchange server. An authenticated attacker could exploit the vulnerability by sending a specially crafted request to an affected server.
The attacker who successfully exploited the vulnerability could then perform cross-site scripting attacks on affected systems and run script in the security context of the current user. The attacks could allow the attacker to read content that the attacker is not authorized to read, use the victim’s identity to take actions on the Exchange server on behalf of the user, such as change permissions and delete content, and inject malicious content in the browser of the user.
The security update addresses the vulnerability by helping to ensure that Exchange Server properly sanitizes web requests.
Take note that this affects the following versions of Exchange 2016/2019 (KB4540123):
- Microsoft Exchange Server 2016 Cumulative Update 14
- Microsoft Exchange Server 2016 Cumulative Update 15
- Microsoft Exchange Server 2019 Cumulative Update 3
- Microsoft Exchange Server 2019 Cumulative Update 4
Once you have installed the security update for the version you are running, you need to reboot your system. Once done, you can then go to programs and features and view installed updates to verify that the above KB is listed.
With future releases of Cumulative Updates, they will most likely have the fixes in but keep a lookout for a CU and its security update.
There are new updates out for newer CU’s but I know many don’t just upgrade.
Hope it helps.