April, 2021: Patch Tuesday: Critical Exchange Updates

Welcome to this April Patch Tuesday Bulletin. This month we have 114 unique CVEs across 7 technologies, 3 technologies with critical vulnerabilities, 3 vulnerabilities publicly disclosed, and 1 vulnerability exploited in the wild. The big news this month is patching Exchange. None of the Exchange vulnerabilities listed were publicly disclosed or exploited, but they were all assessed as “Exploitation More Likely”, and the NSA and Microsoft are urging users to patch. Microsoft states that customers should install patches as soon as possible given the recent adversary focus on Exchange. CVE-2021-28310 is an elevation of privilege vulnerability affecting Windows that was shown to be exploited in the wild, so make sure this is a priority. CVE-2021-27091, CVE-2021-28312, and CVE-2021-28437 were all publicly disclosed but were rated as less likely to be exploited; make sure these are addressed following the Exchange updates. Chromium-based Edge follows the Google Chrome release and uses Google’s release information for severity and vulnerability info.

Over the years we've had millions of visitors to UltimateWindowsSecurity.com. Every month we have thousands and thousands of visitors to our Security Log Encyclopedia, which documents all of the Security Log event IDs for Windows Server OSes. Back in 2007, when SharePoint added auditing capability, I realized that my audience not only needed the event information from SharePoint, but I also found a similar need in SQL Server and Exchange. So not only did I document the data, but I also started to develop the means to extract that event data from these applications so that it’s accessible and usable to the end user. Some 8 years later, LOGbinder is continuing to grow as companies realize LOGbinder bridges the gap between these applications and their infosec team. Visit LOGbinder.com to download a free 30-day fully functional trial and see the security event data that you have literally been missing.

So, without further ado, here’s the chart of MS patches this month.

Patch data provided by:

| Technology | Products Affected | Severity | Reference | Workaround/Exploited | Vulnerability Info |
|---|---|---|---|---|---|
| Edge | Chromium-Based | High | CVE-2021-21194, CVE-2021-21195, CVE-2021-21196, CVE-2021-21197, CVE-2021-21198, CVE-2021-21199 | \*Workaround: No; \*\*Public: No; Exploited: No | Use After Free, Heap Buffer Overflow, Out of Bounds Read |
| Visual Studio | Visual Studio 2015, 2017, 2019; Team Foundation Server 2015, 2017, 2018; Visual Studio Code, GitHub Pull Requests and Issues Extension, Kubernetes Tools, Maven for Java Extension; Python Extension for Visual Studio Code | Important | CVE-2020-17163, CVE-2021-27064, CVE-2021-27067, CVE-2021-28313, CVE-2021-28321, CVE-2021-28322, CVE-2021-28448, CVE-2021-28457, CVE-2021-28469, CVE-2021-28470, CVE-2021-28471, CVE-2021-28472, CVE-2021-28473, CVE-2021-28475, CVE-2021-28477 | \*Workaround: No; \*\*Public: No; Exploited: No | Elevation of Privilege, Information Disclosure, Remote Code Execution |
| Azure DevOps | Azure DevOps Server 2019, 2020 | Important | CVE-2021-27067, CVE-2021-28459 | \*Workaround: No; \*\*Public: No; Exploited: No | Information Disclosure, Spoofing |
| Exchange Server | Exchange Server 2013, 2016, 2019 | Critical | CVE-2021-28480, CVE-2021-28481, CVE-2021-28482, CVE-2021-28483 | \*Workaround: No; \*\*Public: No; Exploited: No | Remote Code Execution |
| Azure | Azure Sphere | Critical | CVE-2021-28460 | \*Workaround: No; \*\*Public: No; Exploited: No | Remote Code Execution |
| Office | 365 Apps for Enterprise; Excel 2010, 2013, 2016; Office 2010, 2013, 2016, 2019, Online Server; Office Web Apps 2010, Server 2013; Outlook 2010, 2013, 2016; SharePoint Enterprise Server 2013, 2016; SharePoint Foundation 2010; SharePoint Server 2010, 2019; Word 2010, 2013, 2016 | Important | CVE-2021-28449, CVE-2021-28450, CVE-2021-28451, CVE-2021-28452, CVE-2021-28453, CVE-2021-28454, CVE-2021-28456 | \*Workaround: No; \*\*Public: No; Exploited: No | Denial of Service, Information Disclosure, Remote Code Execution |
| Windows | Windows 8.1, RT 8.1, 10; Server 2012, 2016, 2019 | Critical | CVE-2021-26413, CVE-2021-26415, CVE-2021-26416, CVE-2021-26417, CVE-2021-27072, CVE-2021-27079, CVE-2021-27086, CVE-2021-27088, CVE-2021-27089, CVE-2021-27090, CVE-2021-27091\*\*, CVE-2021-27092, CVE-2021-27093, CVE-2021-27094, CVE-2021-27095, CVE-2021-27096, CVE-2021-28309, CVE-2021-28310, CVE-2021-28311, CVE-2021-28312\*\*, CVE-2021-28313, CVE-2021-28314, CVE-2021-28315, CVE-2021-28316, CVE-2021-28317, CVE-2021-28318, CVE-2021-28319, CVE-2021-28320, CVE-2021-28321, CVE-2021-28322, CVE-2021-28323, CVE-2021-28324, CVE-2021-28325, CVE-2021-28326, CVE-2021-28327, CVE-2021-28328, CVE-2021-28329, CVE-2021-28330, CVE-2021-28331, CVE-2021-28332, CVE-2021-28333, CVE-2021-28334, CVE-2021-28335, CVE-2021-28336, CVE-2021-28337, CVE-2021-28338, CVE-2021-28339, CVE-2021-28340, CVE-2021-28341, CVE-2021-28342, CVE-2021-28343, CVE-2021-28344, CVE-2021-28345, CVE-2021-28346, CVE-2021-28347, CVE-2021-28348, CVE-2021-28349, CVE-2021-28350, CVE-2021-28351, CVE-2021-28352, CVE-2021-28353, CVE-2021-28354, CVE-2021-28355, CVE-2021-28356, CVE-2021-28357, CVE-2021-28358, CVE-2021-28434, CVE-2021-28435, CVE-2021-28436, CVE-2021-28437\*\*, CVE-2021-28438, CVE-2021-28439, CVE-2021-28440, CVE-2021-28441, CVE-2021-28442, CVE-2021-28443, CVE-2021-28444, CVE-2021-28445, CVE-2021-28446, CVE-2021-28447, CVE-2021-28464, CVE-2021-28466, CVE-2021-28468 | \*Workaround: No; \*\*Public: Yes; Exploited: Yes | Denial of Service, Elevation of Privilege, Information Disclosure, Remote Code Execution, Security Feature Bypass, Spoofing |