Notice
We have re-released the Exchange Server 2019 and 2016 August 8, 2023, security update (SU) to address the localization issue that caused installations on non-English operating systems (OS) to fail. You can find the re-released version of the SU here:
https://support.microsoft.com/help/5030524
The SU will also soon be available through Microsoft Update / Windows Update. For more information about the re-release, see this Exchange Team Blog article.
Original article content
This security update rollup resolves vulnerabilities in Microsoft Exchange Server. To learn more about these vulnerabilities, see the following Common Vulnerabilities and Exposures (CVEs):
- CVE-2023-21709 - Microsoft Exchange Server Elevation of Privilege Vulnerability
  Note: Please follow the instructions in the Microsoft Security Response Center (MSRC) article to address the vulnerability.
- CVE-2023-38185 - Microsoft Exchange Server Remote Code Execution Vulnerability
- CVE-2023-35368 - Microsoft Exchange Server Remote Code Execution Vulnerability
- CVE-2023-38182 - Microsoft Exchange Server Remote Code Execution Vulnerability
- CVE-2023-35388 - Microsoft Exchange Server Remote Code Execution Vulnerability
- CVE-2023-38181 - Microsoft Exchange Server Spoofing Vulnerability
Issues that are fixed in this update
Features introduced in this update
Known issues in this update
- When you install this security update on a Windows-based server that is running a non-English operating system version, Setup suddenly stops and rolls back the changes. However, the Exchange Server services remain in a disabled state. For more information, see Exchange Server 2019 and 2016 August 2023 security update installation fails on non-English operating systems.
- Users in an account forest who install this security update might not be able to change their expired password by using Outlook on the web in an Exchange deployment in a multi-forest topology (Account-Resource or Resource-Resource). For more information, see Users in account forest can’t change expired password in OWA in multi-forest Exchange deployments after installing August 2023 SU.
Enabling Extended Protection in Exchange Server
To enable Extended Protection on Exchange-based servers, see Extended Protection enabled in Exchange Server (KB5017260).
How to get and install the update
This update is superseded by version 2 of the security update for Microsoft Exchange Server 2019 and 2016. For more information, see the "Known issues in this update" section in this article.
More information
Security update deployment information
For deployment information about this update, see Deployments - Security Update Guide.
Security update replacement information
This security update replaces the following previously released updates:
File information
File hash information
| Update Name | File name | SHA256 hash |
|---|---|---|
| Exchange Server 2019 Cumulative Update 13 SU2 | Exchange2019-KB5029388-x64-en.exe | AB47764A566A5555474BFF3AB3FDE03DC47C5E31B35B6BA196E25D9FBBD7DA48 |
| Exchange Server 2019 Cumulative Update 12 SU9 | Exchange2019-KB5029388-x64-en.exe | 5539D00A4721AFF37AD804AA899B267D0F480039015745C15265D998D0338B18 |
| Exchange Server 2016 Cumulative Update 23 SU9 | Exchange2016-KB5029388-x64-en.exe | 622C0D5441E1484A5FD5BE7438689E1D7722542A4B93ECF1A108214A9346C678 |
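One way to check a downloaded package against the table above before running it, as an added example that is not Microsoft's code. The function name `Test-ExchangeSuHash` and the `-Build` labels are hypothetical; the hashes are the three values from this page and cover only the English packages of this release, not the re-released version.

```powershell
# Added example. Function name and -Build labels are assumptions for illustration.
function Test-ExchangeSuHash {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)]
        [ValidateSet('2019-CU13', '2019-CU12', '2016-CU23')] [string] $Build
    )

    # SHA256 values copied from the "File hash information" table on this page.
    $published = @{
        '2019-CU13' = @{ File = 'Exchange2019-KB5029388-x64-en.exe'
                         Hash = 'AB47764A566A5555474BFF3AB3FDE03DC47C5E31B35B6BA196E25D9FBBD7DA48' }
        '2019-CU12' = @{ File = 'Exchange2019-KB5029388-x64-en.exe'
                         Hash = '5539D00A4721AFF37AD804AA899B267D0F480039015745C15265D998D0338B18' }
        '2016-CU23' = @{ File = 'Exchange2016-KB5029388-x64-en.exe'
                         Hash = '622C0D5441E1484A5FD5BE7438689E1D7722542A4B93ECF1A108214A9346C678' }
    }

    $expected = $published[$Build]
    $actual   = (Get-FileHash -LiteralPath $Path -Algorithm SHA256 -ErrorAction Stop).Hash

    # Both Exchange 2019 packages share one file name, so the name cannot tell a
    # CU13 download from a CU12 one. Report which published build (if any) the
    # file really is, so a wrong-CU download is distinguishable from a corrupt
    # or tampered one.
    $actualBuild = $published.Keys | Where-Object { $published[$_].Hash -eq $actual }

    [pscustomobject]@{
        File           = Split-Path -Path $Path -Leaf
        NameMatches    = (Split-Path -Path $Path -Leaf) -eq $expected.File
        HashMatches    = $actual -eq $expected.Hash   # -eq ignores case for strings
        ActualBuild    = $actualBuild                 # $null if not in the table
        ActualSha256   = $actual
        ExpectedSha256 = $expected.Hash
    }
}

# Usage: install only when HashMatches is True for the CU the server is running.
# Test-ExchangeSuHash -Path .\Exchange2019-KB5029388-x64-en.exe -Build 2019-CU13
```

A result with `HashMatches` False and `ActualBuild` set means the file is a genuine package for a different cumulative update; `ActualBuild` empty means the file matches none of the hashes listed here.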
Hashes for additional languages
The hash tables for additional languages are available here:
Information about protection and security
Protect yourself online: Windows Security support
Learn how we guard against cyber threats: Microsoft Security