by A critical security vulnerability with a CVSS 3.1 Score of 9.8 has been published in Microsoft Exchange Server that will cause remote code execution. This vulnerability allows code execution with the Exchange Server application pool and Exchange Server server farm accounts. This vulnerability applies to the versions listed below. Although no exploit has been detected regarding the published vulnerability, it is recommended to download and install the published patches via the relevant links in order not to damage the systems due to the criticality of the vulnerability.
Affected Systems
It has been stated that the following systems are affected.
- Microsoft Exchange Server 2019 Cumulative Update 9
- Microsoft Exchange Server 2016 Cumulative Update 23
- Microsoft Exchange Server 2013 Cumulative Update 8
- Microsoft Exchange Server 2016 Cumulative Update 19
- Microsoft Exchange Server 2019 Cumulative Update 20
Solution and CVE / CWE
It is recommended to install the updates listed in the table below.
CVE/CWE: CVE-2021-34473
| Product | Article | Security Patch |
|---|---|---|
| Microsoft Exchange Server 2019 Cumulative Update 9 | 5001779 | Security Update |
| Microsoft Exchange Server 2013 Cumulative Update 23 | 5001779 | Security Update |
| Microsoft Exchange Server 2019 Cumulative Update 8 | 5001779 | Security Update |
| Microsoft Exchange Server 2016 Cumulative Update 19 | 5001779 | Security Update |
| Microsoft Exchange Server 2016 Cumulative Update 20 | 5001779 | Security Update |
Note: Those with a CVSS 3.1 score (out of 10) 7.0-8.9 are considered “high”, those with 9.0-10.0 are considered “critical” vulnerabilities.
Reference:
- https://nvd.nist.gov/vuln/detail/CVE-2021-34473
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34473
