Issue with ODBC failure after Windows patch to address CVE-2022-41047 was installed?

Partha Sinha 31 Reputation points
2022-11-14T20:02:00.057+00:00

After installing Windows patch related to "CVE-2022-41047 - Security Update Guide - Microsoft - Microsoft ODBC Driver Remote Code Execution Vulnerability (8-Nov-2022)", a failure (below) is seen.

Failed to convert SQL_FLOAT (this is from the application)
DB_InitPriv failedODBC Failure. odbc_retcode=-1, sqlstate=HY000, native_error=0:
sqlmsg=[Microsoft][ODBC SQL Server Driver]Unknown token received from SQL Server

We see the issue with our software version that is using the ODBC driver named 'SQL Server' associated with the file SQLSVR32.dll as seen in ODBC Drivers. Is this equivalent to ODBC 10 or something like that old version of ODBC? We don't see it with ODBC 13 and up.

We suspect the older ODBC driver version has an issue with the new Windows security patch. Is that a known issue, and is there a workaround? Is the SQLSVR32.dll driver end-of-life?

Thanks.

SQL Server | Other

Accepted answer
  1. YufeiShao-msft 7,146 Reputation points
    2022-11-15T02:50:23.607+00:00

    Hi @Partha Sinha

    ODBC 10 was released with SQL Server 2008; it is too old.
    SNAC lifecycle explained
    Support Policies for SQL Server Native Client

    As you said, for higher versions of ODBC, this error will not happen.

    It is recommended to use the latest version of ODBC (17 or 18). If you really need to use ODBC 10, then you may need to uninstall this patch.


    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
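
To act on the accepted answer without removing the security update, it helps to know which DSNs on a machine are still bound to the driver named 'SQL Server'. The following PowerShell is an added example, not part of the thread; it assumes the built-in Wdac cmdlets `Get-OdbcDriver` and `Get-OdbcDsn` (Windows 8 / Server 2012 or later), and the way it compares `Platform` strings is an assumption about their format.

```powershell
# Added example: inventory DSNs still bound to the legacy 'SQL Server' ODBC driver
# and name the newest 'ODBC Driver NN for SQL Server' installed for the same bitness.
$legacyName = 'SQL Server'   # driver name as shown in the question

# 1. Installed SQL Server drivers (32- and 64-bit) with the DLL each one loads.
$drivers = Get-OdbcDriver | Where-Object { $_.Name -like '*SQL Server*' } |
    ForEach-Object {
        $version = $null
        if ($_.Name -match '^ODBC Driver (\d+) for SQL Server$') {
            $version = [int]$Matches[1]
        }
        [pscustomobject]@{
            Name     = $_.Name
            Platform = $_.Platform
            Version  = $version              # $null for legacy / Native Client drivers
            Dll      = $_.Attribute['Driver']
        }
    }
$drivers | Sort-Object Platform, Name | Format-Table -AutoSize

# 2. System DSNs, plus the current user's User DSNs, that use the legacy driver.
$legacyDsns = Get-OdbcDsn | Where-Object { $_.DriverName -eq $legacyName }

# 3. Migration target per DSN. Assumption: Platform reads '32-bit', '64-bit'
#    or '32/64-bit', so the driver's bit width is matched as a substring.
$report = foreach ($dsn in $legacyDsns) {
    $target = $drivers |
        Where-Object { $_.Version -and $dsn.Platform -match ($_.Platform -replace '-bit$') } |
        Sort-Object Version -Descending |
        Select-Object -First 1
    [pscustomobject]@{
        Dsn       = $dsn.Name
        Type      = $dsn.DsnType
        Platform  = $dsn.Platform
        Server    = $dsn.Attribute['Server']
        MigrateTo = if ($target) { $target.Name } else { 'no newer driver installed' }
    }
}
$report | Format-Table -AutoSize
```

This only covers DSNs; applications that pass a DSN-less connection string containing `Driver={SQL Server}` have to be found in their own configuration. User DSNs are per profile, so run it under each account that owns one.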

