===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2019.0050
         Multiple Microsoft Exchange Server elevation of privilege
                          vulnerabilities patched
                             13 February 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Microsoft Exchange Server
Operating System:     Windows
Impact/Access:        Administrator Compromise       -- Remote/Unauthenticated
                      Provide Misleading Information -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2019-0686 CVE-2019-0724 
Member content until: Friday, March 15 2019

OVERVIEW

        Microsoft has released its monthly security patch update for the month of February 2019.
        
        This update resolves 4 vulnerabilities across the following products: [1]
        
         Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 26
         Microsoft Exchange Server 2013 Cumulative Update 22
         Microsoft Exchange Server 2016 Cumulative Update 12
         Microsoft Exchange Server 2019 Cumulative Update 1


IMPACT

        Microsoft has given the following details regarding these vulnerabilities.
        
         Details         Impact                   Severity
                         None                     None
                         Elevation of Privilege   None
                         Elevation of Privilege   Important
                         Elevation of Privilege   Important


MITIGATION

        Microsoft recommends updating the software with the version made available on the Microsoft Update Catalog for the following Knowledge Base articles [1].
        
        
         KB4471392, KB4471391, KB4487052, KB4345836


REFERENCES

        [1] Security Update Guide
            https://portal.msrc.microsoft.com/en-us/security-guidance

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================