KB5015322 Security Update for Microsoft Exchange

KB5015322 is the security update for Microsoft Exchange Server. It was released as part of the August ‘Patch Tuesday’ cycle. The security update protects Exchange Servers against critical ‘Elevation of Privilege’ vulnerabilities. There are 6 vulnerability disclosures for Exchange Server; 3 of these vulnerabilities are rated ‘Critical’. We look at the key aspects of the KB5015322 security update for Exchange Servers below.

Salient points about KB5015322 for Exchange Servers

  • KB5015322 is a security update that patches 6 vulnerabilities in Exchange Server.
  • Since this is a security update, all previous security updates for Exchange Servers should have already been deployed.
  • KB5015322 supersedes the previous security update for Exchange 2019 and Exchange 2016. KB5014261 was the last security update for Exchange Server 2019 and Exchange Server 2016; it was released as part of the May 2022 ‘Patch Tuesday’ cycle on 10 May 2022.
  • KB5015322 is intended for Exchange Servers 2019 and Exchange Server 2016. For specific releases that are affected, please read through the section on affected systems below.
  • The size of the MSU update files ranges from 150 MB to 154 MB.
  • KB5015322 can be deployed through all the regular Windows Update channels. Each of these methods is described in the deployment section below.

KB5015322 – What versions of Exchange Server are affected?

KB5015322 is intended for the following release versions of Exchange Server 2019 and Exchange Server 2016:

  • Exchange Server 2016 Cumulative Update 22
  • Exchange Server 2016 Cumulative Update 23
  • Exchange Server 2019 Cumulative Update 11
  • Exchange Server 2019 Cumulative Update 12

The security update is available for each of these release versions as separate files.

KB5015322 – Vulnerabilities affecting Exchange Servers

Microsoft has released a security bulletin for Exchange Servers. It covers 6 different vulnerabilities that pose significant risks to affected Exchange Servers. We look at each of these vulnerabilities briefly below:

CVE-2022-24477 – Microsoft Exchange Server Elevation of Privilege Vulnerability

  • The CVSS score of this vulnerability is 8.
  • The vulnerability poses a ‘Critical’ impact risk.
  • It is rated as more likely to be exploited by an attacker.
  • The attacker can take over the Exchange mail server and its mailboxes.
  • The attacker needs low-privilege, authenticated access to the target Exchange server.
  • The threat is resolved in KB5015322. Alternatively, you can enable ‘Exchange Extended Protection’ mode to protect against the vulnerability.

CVE-2022-24516 – Microsoft Exchange Server Elevation of Privilege Vulnerability

  • This vulnerability has a CVSS score of 8.
  • It has a ‘Critical’ impact for the affected Exchange Servers.
  • The vulnerability is rated as more likely to be exploited.
  • The threat is an ‘Elevation of Privilege’: the attacker could gain elevated rights on the Exchange server.
  • To mitigate, apply KB5015322. Alternatively, you can enable ‘Exchange Extended Protection’ mode to protect against this threat.

CVE-2022-21980 – Microsoft Exchange Server Elevation of Privilege Vulnerability

  • This vulnerability has a CVSS score of 8.0.
  • It has a ‘Critical’ severity for infrastructure comprising affected Exchange Servers.
  • This is an ‘Elevation of Privilege’ vulnerability that could allow an attacker to gain elevated credentials on the compromised server.
  • The vulnerability is rated as more likely to be exploited.
  • This vulnerability requires that a user with an affected version of Exchange Server access a malicious server. An attacker would have to host a specially crafted server share or website.
  • To mitigate, you can enable ‘Exchange Extended Protection’ mode on the Exchange Servers. Alternatively, deploy the latest security update, KB5015322, for the affected versions.

CVE-2022-34692 – Microsoft Exchange Information Disclosure Vulnerability

  • This vulnerability has a CVSS score of 5.3 and ‘Important’ severity level.
  • It is rated as less likely to be exploited.
  • An attacker could exploit this vulnerability to read email messages, which makes it an ‘Information Disclosure’ vulnerability.
  • The threat is resolved in KB5015322 for Microsoft Exchange Servers.

CVE-2022-30134 – Microsoft Exchange Information Disclosure Vulnerability

  • This vulnerability has a CVSS score of 7.6 with ‘Important’ severity level for the affected Exchange Servers.
  • It is rated as unlikely to be exploited.
  • An attacker could use the flaw to read email messages, which makes it an ‘Information Disclosure’ vulnerability on the Exchange server.
  • You can enable ‘Exchange Extended Protection’ mode on the server to mitigate this.
  • Alternatively, patch the Exchange Server with KB5015322 to resolve the threat.

CVE-2022-21979 – Microsoft Exchange Information Disclosure Vulnerability

  • This vulnerability has a CVSS score of 4.8 and has an ‘Important’ level of severity for the affected Exchange Servers.
  • It is rated as less likely to be exploited.
  • An attacker could use the flaw to read targeted email messages.
  • This vulnerability requires that a user with an affected version of Exchange Server access a malicious server. An attacker would have to host a specially crafted server share or website.
  • To mitigate, you can enable the ‘Exchange Extended Protection’ mode or apply KB5015322 on the affected Exchange Servers.
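The two recurring mitigations above are the same for every CVE on this page: be on one of the four listed CU releases with KB5015322 applied, or have ‘Exchange Extended Protection’ enforced. The following PowerShell audit is an added example, not code from the article or from Microsoft; it assumes it runs in the Exchange Management Shell on the local server with the WebAdministration module available, and the CU build prefixes it uses are assumed from Microsoft's published Exchange build table and should be verified there before use.

```powershell
# Added audit script (not part of the original article). Run in the Exchange
# Management Shell on each Exchange 2016/2019 server. Assumptions: the
# WebAdministration module is present; the CU build prefixes below are taken
# from Microsoft's published Exchange build table and must be verified there.

# Build prefixes of the four CU releases the article lists as in scope for KB5015322.
$InScopeBuilds = @{
    '15.1.2375' = 'Exchange Server 2016 CU22'
    '15.1.2507' = 'Exchange Server 2016 CU23'
    '15.2.986'  = 'Exchange Server 2019 CU11'
    '15.2.1118' = 'Exchange Server 2019 CU12'
}

# Map an AdminDisplayVersion string such as "Version 15.1 (Build 2507.6)" to a CU label.
# A server that is "not in scope" is on an older CU and must be upgraded first.
function Get-KB5015322Scope {
    param([string]$AdminDisplayVersion)
    if ($AdminDisplayVersion -match 'Version (\d+\.\d+) \(Build (\d+)\.\d+\)') {
        $prefix = "$($Matches[1]).$($Matches[2])"
        if ($InScopeBuilds.ContainsKey($prefix)) { return $InScopeBuilds[$prefix] }
        return "Not in scope, older CU ($prefix)"
    }
    return 'Unrecognised version string'
}

# Extended Protection is enforced per IIS virtual directory through the
# windowsAuthentication/extendedProtection tokenChecking value (None/Allow/Require).
function Get-ExtendedProtectionState {
    param([string]$VDirPath)   # e.g. 'IIS:\Sites\Default Web Site\EWS'
    $filter = 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'
    try {
        (Get-WebConfigurationProperty -PSPath $VDirPath -Filter $filter -Name tokenChecking).ToString()
    } catch { 'Unavailable' }
}

Import-Module WebAdministration
$local = Get-ExchangeServer -Identity $env:COMPUTERNAME
# ExSetup.exe carries the full build including the installed security update;
# compare it with the post-KB5015322 build Microsoft lists for your CU.
$exsetup = (Get-Command ExSetup.exe -ErrorAction SilentlyContinue).FileVersionInfo.ProductVersion

# Example virtual directories to check; extend the list to match your deployment.
$vdirs = 'Autodiscover', 'EWS', 'MAPI', 'OAB', 'ECP', 'OWA' |
    ForEach-Object { "IIS:\Sites\Default Web Site\$_" }

[pscustomobject]@{
    Server             = $local.Name
    Release            = Get-KB5015322Scope $local.AdminDisplayVersion.ToString()
    ExSetupBuild       = $exsetup
    ExtendedProtection = ($vdirs | ForEach-Object {
        '{0}={1}' -f (Split-Path $_ -Leaf), (Get-ExtendedProtectionState $_) }) -join '; '
} | Format-List
```

Any virtual directory reporting a tokenChecking value other than Require is not enforcing Extended Protection, so such a server relies on KB5015322 alone for the CVEs listed above.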

How can I deploy KB5015322 on Exchange Server?

KB5015322 can be deployed through all the regular channels of updates for Exchange Servers.

Windows Update

KB5015322 can be deployed automatically through the Windows Update program.

Microsoft Download Centre

You can also download the KB5015322 security updates through the Microsoft Download Centre.

Microsoft Update Catalog

KB5015322 can be downloaded manually from the Microsoft Update Catalog website. Each Exchange Server version has a different MSU update file on the catalog page for KB5015322. You can download the KB5015322 security update from the Microsoft Update Catalog page.

Summary

Exchange Server 2016 and Exchange Server 2019 are affected by 6 vulnerabilities. Three of these are ‘Elevation of Privilege’ vulnerabilities and are rated as ‘Critical’ impact. All of these threats are resolved in KB5015322. KB5015322 supersedes the KB5014261 security update for Exchange Server.
