Microsoft Security Advisory ADV190007 (https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190007) indicates a workaround to address "PrivExchange" Elevation of Privilege Vulnerability. The suggested Microsoft workaround (setting a Throttling Policy for EWSMaxSubscriptions with a value of zero) would have an adverse effect on the Cisco Webex Hybrid Calendar Service.
Workaround for Microsoft Security Advisory ADV190007 impacts the Hybrid Calendar Service
Problems with Hybrid Calendar Service Due to Microsoft Security Advisory ADV1900007
Microsoft Security Advisory ADV190007 (https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190007) indicates a workaround to address "PrivExchange" Elevation of Privilege Vulnerability. The suggested Microsoft workaround (setting a Throttling Policy for EWSMaxSubscriptions with a value of zero) would have an adverse effect on the Cisco Webex Hybrid Calendar Service.
The effects may include the following:
- Users may not see meeting updates, and so @webex/@meet could not get processed
- One Button to Push (OBTP) and meeting list entries may not appear
To address the vulnerability without impacting the Hybrid Calendar Service, apply the appropriate Security Update for your version of Microsoft Exchange Server as listed in https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190007.
The Hybrid Calendar Service uses streaming notifications rather than push notifications where the vulnerability lies. However, the workaround has a broader impact than just push notifications.
