Recently, Microsoft identified additional vulnerabilities in their Exchange Server 2013/2016/2019 products. This article aims to provide organisations with the required mitigation steps.
What are the vulnerabilities?
The vulnerabilities included in the April 2021 Security update are:
These vulnerabilities can be exploited by attackers to achieve remote code execution on the affected servers. This can lead to a compromise of the security and integrity of your organisation and its data.
How do we protect ourselves?
The mitigation steps are pretty clear from Microsoft:
- Update Exchange Server to a supported CU.
- Patch with the April 2021 Security Update.
The supported Exchange Server versions for the April 2021 Security Update are:
To download the April 2021 Security Update, select the download link for the version of Exchange you are running. This can be done by selecting Exchange Server in the Product Family filter drop-down, as shown in Figure 1 below:
Important Note: Ensure you install the April 2021 Security Update as an Administrative user.
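Before and after patching, it helps to confirm which CU and Security Update each server actually carries. The script below is an added example, not from the original article or from Microsoft: it runs in the Exchange Management Shell as an Administrative user, assumes WinRM access to each Exchange server, and compares each server's ExSetup.exe build against a baseline table. The baseline build numbers are placeholders and must be replaced with the April 2021 Security Update builds from Microsoft's published Exchange build table; Exchange 2010 servers (version 14.x) fall outside the table and are reported as out of scope, matching the exception described later in this article.

```powershell
# Added example, not from the original article or from Microsoft.
# Run in the Exchange Management Shell as an Administrative user.
# Assumes WinRM access to every Exchange server in the organisation.
# Baseline build numbers are PLACEHOLDERS: replace them with the
# April 2021 SU builds from Microsoft's Exchange build table.

$Baseline = @{
    '15.0' = [version]'15.0.0.0'   # Exchange 2013: placeholder
    '15.1' = [version]'15.1.0.0'   # Exchange 2016: placeholder
    '15.2' = [version]'15.2.0.0'   # Exchange 2019: placeholder
}

function Get-ExchangePatchStatus {
    foreach ($server in Get-ExchangeServer) {
        # AdminDisplayVersion only reflects the installed CU. The Security
        # Update shows up in the ExSetup.exe file version on the server,
        # so that is the value compared against the baseline.
        $cu  = $server.AdminDisplayVersion
        $key = "$($cu.Major).$($cu.Minor)"

        # Return the version as a string and cast locally, so the remote
        # object is not deserialised into something that cannot be compared.
        $setupVersion = [version](Invoke-Command -ComputerName $server.Fqdn -ScriptBlock {
            (Get-Command ExSetup.exe).FileVersionInfo.FileVersion
        })

        $minimum = $Baseline[$key]
        $status = if (-not $minimum) {
            'Out of scope for this SU (e.g. Exchange 2010)'
        } elseif ($setupVersion -ge $minimum) {
            'OK'
        } else {
            'Needs CU/SU'
        }

        [pscustomobject]@{
            Server     = $server.Name
            CU         = $cu.ToString()
            SetupBuild = $setupVersion
            Baseline   = $minimum
            Status     = $status
        }
    }
}

Get-ExchangePatchStatus | Format-Table -AutoSize
```

A server reported as "Needs CU/SU" with a CU older than the ones Microsoft lists as supported needs the CU first and the Security Update second, in that order; applying the SU alone to an unsupported CU does not address the vulnerabilities.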
Should I patch with the March 2021 Security Update?
No, the Security Updates are cumulative. The April 2021 Security Update includes all previous Security Updates, including the March 2021 Security Update for the HAFNIUM vulnerability.
Are there exceptions to the April 2021 Security Update?
Yes, Exchange Server 2010. You won’t need to patch Exchange Server 2010 with the April 2021 Security Update, as that update is not released for this version of Exchange Server. Organisations with Exchange Server 2010 should update to the latest Exchange Server 2010 SP3 UR32 to address the HAFNIUM vulnerability.
What should I do if my mailboxes are hosted in Exchange Online?
If you are a cloud-only organisation, you don’t need to do anything. If your organisation runs on-premises Exchange Hybrid servers, you must get patching them I’m afraid!