Microsoft announces the deprecation of Oracle's libraries in Exchange Server

ADV24199947

Released: Mar 12, 2024

Summary

Microsoft is announcing the deprecation of the use of the Oracle Outside In libraries (also known as OutsideInModule or OIT) in Microsoft Exchange Server. This will be a three-phase deprecation process.
  • The first phase will be to disable Oracle's Outside In Technology (OIT) for all file types.
  • The second phase will introduce a modern in-house file scanning solution to replace Oracle's Outside In Technology, which was already blocked during the first phase.
  • The third phase will completely remove the OIT code from Exchange Server.
During the first phase, available by installing the March 2024 Security Update listed in the Security Updates table, two things will happen:
  1. The OIT libraries in Exchange Server will be updated to the latest available version (8.5.7), which addresses some of the known vulnerabilities that are documented here.
  2. While not removed from the code, the OIT module is not used to scan any file types by default. Instead, alternative file scanning modules will be used, which support scanning of most of the documented file types (see Supported file types for transport rule content inspection).
While not recommended, customers can also re-enable OIT for selected file types, if needed. The steps to do this can be found in the documentation of the script that was released together with the March 2024 Security Update.

For the second phase, in Exchange Server 2019 Cumulative Update 15, Microsoft will introduce an improved (modern), in-house file scanning solution, which will be used by default.

In the third phase, we plan to fully remove the remaining components of the OIT code with a later Exchange Server update. This three-phase deprecation process is necessary because updating the Exchange Server code to remove the OIT and implement a new solution is complex and takes time.

| Release Date | Product | Article | Supersedence | Download | Build Number |
|---|---|---|---|---|---|
| Mar 12, 2024 | Microsoft Exchange Server 2016 Cumulative Update 23 | 5030877 | | Security Update | 15.01.2507.037 |
| Mar 12, 2024 | Microsoft Exchange Server 2019 Cumulative Update 13 | 5030877 | | Security Update | 15.02.1258.032 |
| Mar 12, 2024 | Microsoft Exchange Server 2019 Cumulative Update 14 | 5030877 | | Security Update | 15.02.1544.009 |


Acknowledgements
Microsoft recognizes the efforts of those in the security community who help us protect customers through coordinated vulnerability disclosure. 

MSRC thanks Ali Ahmad of Atredis Partners with Brandon Perry of Atredis Partners for working with Microsoft to help protect customers.

| Version | Version Date | Description |
|---|---|---|
| 1.0 | Mar 12, 2024 | Information published. |
| 1.1 | Apr 15, 2024 | Added acknowledgements |

