This article is contributed. See the original author and article here.

Microsoft has released security updates for vulnerabilities found in:

• Exchange Server 2013


• Exchange Server 2016


• Exchange Server 2019

These updates are available for the following specific builds of Exchange Server:

• Exchange Server 2013 CU23


• Exchange Server 2016 CU19 and CU20


• Exchange Server 2019 CU8 and CU9

The May 2021 security updates for Exchange Server address vulnerabilities responsibly reported by security partners and found through Microsoft’s internal processes. Although we are not aware of any active exploits in the wild, our recommendation is to install these updates immediately to protect your environment.

These vulnerabilities affect on-premises Microsoft Exchange Server, including servers used by customers in Exchange Hybrid mode. Exchange Online customers are already protected and do not need to take any action.

More details about specific CVEs can be found in Security Update Guide (filter on Exchange Server under Product Family).

Known issues in May 2021 security updates

During the release of April 2021 SUs, we received some reports of issues after installation. The following issues reported for April 2021 SUs also apply to May SUs and have the following workarounds:

• Administrator/Service accounts ending in ‘$’ cannot use the Exchange Management Shell or access ECP. The only workaround at this time is to rename Admin accounts or use accounts with no ‘$’ at the end of the name.


• Some cross-forest Free/Busy relationships based on Availability address space can stop working (depending on how authentication was configured) with the error: “The remote server returned an error: (400) Bad Request.” Please see this KB article for how to work around this problem.


• After application of the Exchange Server April or May security updates, cmdlets executed against the Exchange Management Console using an invoked runspace might fail with the following error message: The syntax is not supported by this runspace. This can occur if the runspace is in no-language mode. Please see this KB article for more information.

New security functionality in May 2021 security updates

We are making one additional change in May SU to make it easier for Exchange administrators and cybersecurity teams to quickly inventory the update state of the Exchange Servers on their networks. Specifically, we have added a protocol reply header containing Exchange Server version information to http responses that can be used by defenders to validate security update status of servers on your networks.

Update installation

Two update paths are available:

Inventory your Exchange Servers

Use the Exchange Server Health Checker script (use the latest release), to inventory your servers. Running this script will tell you if any of your Exchange Servers are behind on updates (CUs and SUs).

Update to the latest Cumulative Update

Go to https://aka.ms/ExchangeUpdateWizard and choose your currently running CU and your target CU. Then click the “Tell me the steps” button, to get directions for your environment.

If you encounter errors during or after installation of Exchange Server updates

If you encounter errors during installation, see the SetupAssist script. If something does not work properly after updates, see Repair failed installations of Exchange Cumulative and Security updates.

FAQs

My organization is in Hybrid mode with Exchange Online. Do I need to do anything?
While Exchange Online customers are already protected, the May 2021 security updates do need to be applied to your on-premises Exchange Server, even if it is used only for management purposes. You do not need to re-run the Hybrid Configuration Wizard (HCW) after applying updates.

Do the May 2021 security updates contain the April 2021 security updates for Exchange Server?
Yes, our security updates are cumulative. Customers who installed the April 2021 security updates for supported CUs can install the May 2021 security updates and be protected against the vulnerabilities that were disclosed during those months.

Do I need to install the updates on ‘Exchange Management Tools only’ workstations?
Servers or workstations running only Microsoft Exchange Management Tools (no Exchange services) do not need to apply these updates.

NOTE: This post might receive future updates; they will be listed here (if available).

The Exchange Team

Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.