Microsoft Exchange Serverには、表示名に印字できない文字を含むエンティティの作成を許可する場合、情報が漏洩する脆弱性が存在します。
【対象】
Mail and Calendar
Microsoft Exchange Server 2010 SP3
Microsoft Exchange Server 2013 Cumulative Update 23
Microsoft Exchange Server 2016 Cumulative Update 12
Microsoft Exchange Server 2016 Cumulative Update 13
Microsoft Exchange Server 2019 Cumulative Update 1
Microsoft Exchange Server 2019 Cumulative Update 2
Microsoft Lync 2013 SP1 (32-bit)
Microsoft Lync 2013 SP1 (64-bit)
Microsoft Lync Basic 2013 SP1 (32-bit)
Microsoft Lync Basic 2013 SP1 (64-bit)
Microsoft Office 2013 RT SP1
Microsoft Office 2013 SP1 (32-bit editions)
Microsoft Office 2013 SP1 (64-bit editions)
Microsoft Office 2016 (32-bit edition)
Microsoft Office 2016 (64-bit edition)
Microsoft Office 2016 for Mac
Microsoft Office 2019 for 32-bit editions
Microsoft Office 2019 for 64-bit editions
Microsoft Office 2019 for Mac
Microsoft Outlook 2010 SP2 (32-bit editions)
Microsoft Outlook 2010 SP2 (64-bit editions)
Microsoft Outlook 2013 SP1 (32-bit editions)
Microsoft Outlook 2013 SP1 (64-bit editions)
Microsoft Outlook 2016 (32-bit edition)
Microsoft Outlook 2016 (64-bit edition)
Microsoft Outlook for Android
Microsoft Outlook for iOS
Office 365 ProPlus for 32-bit Systems
Office 365 ProPlus for 64-bit Systems
Skype for Business 2016 (32-bit)
Skype for Business 2016 (64-bit)
Skype for Business 2016 Basic (32-bit)
Skype for Business 2016 Basic (64-bit)
【対策】
ベンダより対策方法が公開されています。公開された情報を参照し、対策を行ってください。
【参考情報】
Microsoft
CVE-2019-1084
引用元:https://jvndb.jvn.jp/ja/contents/2019/JVNDB-2019-006629.html
※情報は公開時点のものです。