SynopsisThe remote Microsoft Exchange Server is affected by multiple vulnerabilities.
DescriptionThe remote Microsoft Exchange Server is missing a security update. It is, therefore, affected by multiple vulnerabilities :
- Multiple remote code execution vulnerabilities exist in the Oracle Outside In libraries. An unauthenticated, remote attacker can exploit these, via a specially crafted email, to execute arbitrary code.
(CVE-2015-6014, CVE-2016-3575, CVE-2016-3581, CVE-2016-3582, CVE-2016-3583, CVE-2016-3591, CVE-2016-3592, CVE-2016-3593, CVE-2016-3594, CVE-2016-3595, CVE-2016-3596)
- An unspecified information disclosure vulnerability exists in the Oracle Outside In libraries that allows an attacker to disclose sensitive information.
- Multiple denial of service vulnerabilities exists in the Oracle Outside In libraries. (CVE-2016-3576, CVE-2016-3577, CVE-2016-3578, CVE-2016-3579, CVE-2016-3580, CVE-2016-3590)
- An information disclosure vulnerability exists due to improper parsing of certain unstructured file formats.
An unauthenticated, remote attacker can exploit this, via a crafted email using 'send as' rights, to disclose confidential user information. (CVE-2016-0138)
- An open redirect vulnerability exists due to improper handling of open redirect requests. An unauthenticated, remote attacker can exploit this, by convincing a user to click a specially crafted URL, to redirect the user to a malicious website that spoofs a legitimate one.
- An elevation of privilege vulnerability exists due to improper handling of meeting invitation requests. An unauthenticated, remote attacker can exploit this, via a specially crafted Outlook meeting invitation request, to gain elevated privileges. (CVE-2016-3379)
SolutionMicrosoft has released a set of patches for Exchange Server 2007, 2010, 2013, and 2016.