Microsoft Security Advisory Exchange/SharePoint
Last updated on: September 7, 2020
Johannes Ullrich from SANS pointed out that US-CERT has a list of 30 other vendors, including many industry heavyweights such as Cisco, IBM, McAfee, Symantec, etc., that use the Oracle library. All of the affected vendors should evaluate the impact on their software and, if the security of their users is affected, issue an update.
In what is probably an industry first, Microsoft released Security Advisory 2737111 saying that certain Exchange and SharePoint versions are affected by a recent vulnerability in a library that they license from Oracle.
A blog post explaining Security Advisory 2737111 spells out the details and recommends the following workarounds:
- Exchange: Turn off WebReady document viewing under OWA
- SharePoint: Disable the Advanced Filter Pack
Both workarounds have limited impact on your users, but we nevertheless recommend their implementation. After all, the vulnerability introduced in Exchange allows remote code execution on the Exchange server if a client looks at a malicious document using OWA.
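
The Exchange workaround can be audited and applied from the Exchange Management Shell. The script below is an added example, not taken from the advisory or from Microsoft's blog post; it assumes an account with rights to modify OWA virtual directories, and the `-Apply` switch is a name chosen here. Without `-Apply` it only reports the current WebReady state.

```powershell
# Added example: audit (and optionally disable) WebReady document viewing
# on every OWA virtual directory. Run in the Exchange Management Shell.
param(
    [switch]$Apply   # hypothetical switch name: report only unless it is given
)

# The two OWA virtual directory settings that turn WebReady viewing on.
$settings = @(
    'WebReadyDocumentViewingOnPublicComputersEnabled',
    'WebReadyDocumentViewingOnPrivateComputersEnabled'
)

foreach ($vdir in Get-OwaVirtualDirectory) {
    # Collect the WebReady settings that are still enabled on this directory.
    $enabled = @($settings | Where-Object { $vdir.$_ -eq $true })

    if ($enabled.Count -eq 0) {
        Write-Output ("OK       {0}: WebReady already disabled" -f $vdir.Identity)
        continue
    }

    Write-Output ("EXPOSED  {0}: {1}" -f $vdir.Identity, ($enabled -join ', '))

    if ($Apply) {
        Set-OwaVirtualDirectory -Identity $vdir.Identity `
            -WebReadyDocumentViewingOnPublicComputersEnabled $false `
            -WebReadyDocumentViewingOnPrivateComputersEnabled $false

        # Re-read the directory to confirm the change was stored.
        $check = Get-OwaVirtualDirectory -Identity $vdir.Identity
        $still = @($settings | Where-Object { $check.$_ -eq $true })
        if ($still.Count -eq 0) {
            Write-Output ("FIXED    {0}" -f $vdir.Identity)
        } else {
            Write-Warning ("{0}: still enabled: {1}" -f $vdir.Identity, ($still -join ', '))
        }
    }
}
```

With WebReady disabled, OWA users can no longer preview attachments in the browser and have to download them and open them locally instead.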