KB5015321 Security Update for Exchange Server 2013

KB5015321 is the latest security update for Microsoft Exchange Server 2013. It was released on 9th August 2022 as part of Microsoft's 'Patch Tuesday' release cycle. The security update is designed to resolve the vulnerabilities reported in Microsoft's security bulletin for Microsoft Exchange Servers. We look at the key aspects of KB5015321 and discuss the vulnerabilities that affect Exchange Server 2013.

Salient Points about KB5015321 Security Update for Exchange Server 2013

  • The KB5015321 security update addresses 5 vulnerabilities reported as part of Microsoft's August 2022 security bulletin.
  • This is a security update. All the previous security updates should already be deployed on the Microsoft Exchange Server 2013.
  • KB5015321 replaces KB5014260 and KB5010324. Both these updates ought to be deployed on the Exchange Server 2013. KB5014260 was released in May 2022. KB5010324 was released in March 2022.
  • The KB5015321 security update is intended for Microsoft Exchange Server 2013 Cumulative Update 23. For Exchange Server 2016 CU 22 and Exchange Server 2016 CU 23, you will need to patch the Exchange Server with the KB5015322 security update. Similarly, Exchange Server 2019 CU 11 and CU 12 need to be patched with the KB5015322 security update.
  • The size of the MSU update file for KB5015321 security update is 82.3 MB.
  • KB5015321 is available through all the regular channels of updates for the Exchange Server 2013 CU 23.

KB5015321 – What versions of Exchange Server are affected?

KB5015321 is meant for Microsoft Exchange Server 2013 Cumulative Update 23. It covers Exchange Server 2013 CU 23 only. KB5015322 is the security update for Microsoft Exchange Server 2016 and Microsoft Exchange Server 2019.

KB5015321 – Vulnerabilities resolved on Microsoft Exchange Server 2013

KB5015321 resolves 5 security vulnerabilities on Microsoft Exchange Server 2013 Cumulative Update 23. We look at each of these vulnerabilities in brief below:

CVE-2022-30134 – Microsoft Exchange Information Disclosure Vulnerability

  • This vulnerability has a CVSS score of 7.6 with ‘Important’ severity level for the affected Exchange Servers.
  • It is unlikely to be exploited.
  • An attacker could use the flaw to read email messages, making this an 'Information Disclosure' vulnerability on the Exchange server.
  • You could enable the ‘Exchange Extended Protection’ mode on the server to resolve this.
  • Or, you can patch the Exchange Server 2013 CU 23 with KB5015321 to resolve the threat.

CVE-2022-24516 Microsoft Exchange Server Elevation of Privilege Vulnerability

  • This vulnerability has a CVSS score of 8.
  • It has a ‘Critical’ impact for the affected Exchange Servers.
  • The vulnerability is more likely to be exploited.
  • Exploitation leads to an 'Elevation of Privilege' situation: the attacker could gain elevated rights on the Exchange server.
  • To mitigate, you can apply KB5015321 on the Microsoft Exchange Server 2013 Cumulative Update 23. Or, you could enable ‘Exchange Extended Protection’ mode to protect against this threat.

CVE-2022-24477 – Microsoft Exchange Server Elevation of Privilege Vulnerability

  • CVSS rating of this vulnerability is 8.
  • The vulnerability poses ‘Critical’ impact risk.
  • It is more likely to be exploited by an attacker.
  • The attacker can take over the Exchange mail server and mailboxes.
  • The attacker requires low-level access to the target Exchange server; they need to be authenticated to the system.
  • The threat is resolved in KB5015321 for Exchange Server 2013 Cumulative Update 23. Or, you could enable the ‘Exchange Extended Protection’ mode to protect against the vulnerability.

CVE-2022-21980 – Microsoft Exchange Server Elevation of Privilege Vulnerability

  • This vulnerability has a CVSS score of 8.0.
  • It has a 'Critical' severity for infrastructure comprising affected Exchange Servers.
  • This is an 'Elevation of Privilege' vulnerability that could allow an attacker to assume elevated credentials on the compromised server.
  • The vulnerability is more likely to be exploited.
  • This vulnerability requires that a user with an affected version of Exchange Server access a malicious server. An attacker would have to host a specially crafted server share or website.
  • To mitigate, you may enable the 'Exchange Extended Protection' mode on the Exchange Servers. Or, you could deploy the latest security update KB5015321 for the affected version of Microsoft Exchange Server 2013 Cumulative Update 23.

CVE-2022-21979 – Microsoft Exchange Information Disclosure Vulnerability

  • This vulnerability has a CVSS score of 4.8 and has an ‘Important’ level of severity for the affected Exchange Servers.
  • It is less likely to be exploited.
  • The attacker could use the flaw to read targeted email messages.
  • This vulnerability requires that a user with an affected version of Exchange Server access a malicious server. An attacker would have to host a specially crafted server share or website.
  • To mitigate, you can enable the 'Exchange Extended Protection' mode or apply KB5015321 on the affected Microsoft Exchange Server 2013 Cumulative Update 23.

How can I deploy KB5015321 on Exchange Server 2013?

KB5015321 can be deployed on Exchange Server 2013 CU 23 through all the regular channels. We list the various methods by which you can apply the KB5015321.

  • KB5015321 can be deployed on Microsoft Exchange Server CU 23 automatically through Windows Update.
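Every vulnerability above lists the same two mitigations: install KB5015321, or enable Exchange Extended Protection. After deployment, an administrator will want to confirm both. The script below is an added example written for this article; it is not part of the article, of KB5015321, or of any Microsoft script. It assumes it is run in an elevated Exchange Management Shell on the Exchange Server 2013 CU 23 box itself, with the IIS WebAdministration module available. The expected build number is a placeholder (`$ExpectedBuild`), because the article does not list the post-update build; fill it in from Microsoft's Exchange build number table before use. The script only reports the state; it does not change any setting.

```powershell
# Added example (not from the article or from Microsoft): verify the installed
# Exchange build and report the Extended Protection setting of each Exchange
# virtual directory. Run in an elevated Exchange Management Shell on the server.
Import-Module WebAdministration -ErrorAction Stop

# PLACEHOLDER: replace with the build Microsoft documents for Exchange 2013 CU23
# with KB5015321 applied. The article does not state it, so a generic value is used.
$ExpectedBuild = [version]'15.0.0.0'

function Get-ExchangeBuild {
    # ExSetup.exe carries the build of the installed Exchange server; reading its
    # file version is the documented way to determine the installed build.
    $info = (Get-Command ExSetup.exe -ErrorAction Stop).FileVersionInfo
    New-Object System.Version($info.FileMajorPart, $info.FileMinorPart,
                              $info.FileBuildPart, $info.FilePrivatePart)
}

function Get-ExtendedProtectionStatus {
    # Extended Protection is the IIS Windows-authentication 'tokenChecking'
    # attribute: 'Require' enforces channel binding, 'Allow' negotiates it,
    # 'None' disables it. Both Exchange IIS sites are inspected.
    $filter = 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'
    foreach ($site in 'Default Web Site', 'Exchange Back End') {
        $apps = Get-WebApplication -Site $site -ErrorAction SilentlyContinue
        $locations = @($site) + @($apps | ForEach-Object { "$site$($_.Path)" })
        foreach ($location in $locations) {
            $cfg = Get-WebConfiguration -Filter $filter -PSPath 'MACHINE/WEBROOT/APPHOST' `
                                        -Location $location -ErrorAction SilentlyContinue
            $value = 'n/a'
            if ($cfg) { $value = [string]$cfg.tokenChecking }
            [pscustomobject]@{ Location = $location; TokenChecking = $value }
        }
    }
}

# 1. Build check: an older build means the security update is not installed.
$installed = Get-ExchangeBuild
if ($installed -ge $ExpectedBuild) {
    Write-Host "Installed build $installed meets the expected build $ExpectedBuild."
} else {
    Write-Warning "Installed build $installed is older than $ExpectedBuild; KB5015321 does not appear to be installed."
}

# 2. Extended Protection check: list every location and flag those not enforcing it.
$status = Get-ExtendedProtectionStatus
$status | Format-Table -AutoSize
$unprotected = @($status | Where-Object { $_.TokenChecking -ne 'Require' })
if ($unprotected.Count -gt 0) {
    Write-Warning ("Extended Protection is not set to 'Require' on: " + (($unprotected | ForEach-Object { $_.Location }) -join ', '))
}
```

Treat the Extended Protection report as an inventory rather than a verdict: Microsoft's own guidance for Extended Protection sets different values on different virtual directories, so compare the output against that guidance instead of expecting 'Require' everywhere.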

Summary

KB5015321 is the Exchange Security Update for Exchange Server 2013 CU 23. It supersedes KB5014261 for Exchange Server 2013 CU 23. KB5015321 patches the Exchange Server 2013 CU 23 against 5 security threats that have been disclosed as part of the August security bulletin.

You may like to read more about the other August security and cumulative updates from Microsoft: