ADV190007 issued by Microsoft (https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190007) in reference to the “PrivExchange” Elevation of Privilege vulnerability is described below as a possible workaround. It would be a terrible event for Cisco Webex Hybrid Calendar Service if the suggested Microsoft workaround (hovering a Throttling Policy for EWSMaxSubscriptions within a range of zero) were implemented.

Workaround for Microsoft Security Advisory ADV190007 impacts the Hybrid Calendar Service

Problems with Hybrid Calendar Service Due to Microsoft Security Advisory ADV1900007

There is a workaround available to address the issue described in Microsoft Security Advisory ADV190007 (https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190007) that addresses the “PrivExchange” Elevation of Privilege vulnerability. The suggested workaround from Microsoft (setting the Throttling Policy for EWSMaxSubscriptions to zero) would have a negative impact on the Cisco Webex Hybrid Calendar Service due to a potential adverse effect on network performance.

There may be a number of effects associated with this condition, including:

• There may be a problem where users are unable to see meeting updates, which leads to @webex/@meet not processing

• You may not be able to see entries from One Button to Push (OBTP) or the meeting list

It is recommended that you apply the appropriate Security Update to your version of Microsoft Exchange Server in order to address the vulnerability without impacting the Hybrid Calendar Service. You can find the security update at: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV19007.

A vulnerability exists in the Hybrid Calendar Service due to the fact that streaming notifications are used instead of push notifications. Although the workaround is meant to address push notifications as a whole, there are a lot of other benefits as well.