CVE-2022-21979

FAQ

Are there any more actions I need to take to be protected from this vulnerability?

Yes. Customers running an affected version of Microsoft Exchange need to enable Extended Protection to be protected from this vulnerability. For more information, see Exchange Server Support for Windows Extended Protection.

Is there more information available about this release of Exchange Server?

For more information on this issue, please see The Exchange Blog.

What type of information could be disclosed by this vulnerability?

An attacker who successfully exploited the vulnerability could read targeted email messages.

According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

This vulnerability requires that a user with an affected version of Exchange Server access a malicious server. An attacker would have to host a specially crafted server share or website. An attacker would have no way to force users to visit this specially crafted server share or website, but would have to convince them to visit the server share or website, typically by way of an enticement in an email or chat message.

According to the CVSS metric, privileges required is low (PR:L). Does the attacker need to be in an authenticated role on the Exchange Server?

Yes, the attacker must be authenticated.

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to have internal knowledge of the target Exchange account including the security identifier (SID) for the account to use for impersonation or delegate access.