Microsoft has released a security update to addressed a Remote Code Execution Vulnerability in OLE DB and ODBC driver for SQL Server.

Question

Microsoft has released a security update to addressed a Remote Code Execution Vulnerability in OLE DB and ODBC driver for SQL Server.

techresearch7777777 1,981

Hello we have a security scan vulnerability report and this recently showed up:

"Microsoft has released a security update to addressed a Remote Code Execution Vulnerability in OLE DB and ODBC driver for SQL Server. Both of these are APIs for Microsoft SQL server that provide access to a range of data sources.

Affected Software:
Microsoft ODBC Driver 17 for SQL Server on Windows version prior to 17.10.4.1
Microsoft ODBC Driver 18 for SQL Server on Windows version prior to 18.2.2.1
Microsoft ODBC Driver 17 for SQL Server on Linux version prior to 17.10.4.1
Microsoft ODBC Driver 18 for SQL Server on Linux version prior to 18.2.2
Microsoft SQL Server 2022 for x64-based Systems (CU 5)
Microsoft SQL Server 2019 for x64-based Systems (CU 21)
Microsoft OLE DB Driver 19 for SQL Server version prior to 19.3.1
Microsoft OLE DB Driver 18 for SQL Server version prior to 18.6.6

QID Detection Logic (Authenticated):
On Windows, this QID checks for the vulnerable version of ODBC and OLE DB via the registry keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft" and "HKEY_LOCAL_MACHINE\WOW6432Node\SOFTWARE\Microsoft" and the related sub keys for ODBC and OLE DB.
On Linux, this QID checks for the vulnerable version of ODBC based on the installed package."

When I run SELECT @@VERSION; on above message the SQL Sever version as follows:

Microsoft SQL Server 2016 (SP3-GDR) (KB5021129) - 13.0.6430.49 (X64) Jan 22 2023 17:38:22 Copyright (c) Microsoft Corporation Standard Edition (64-bit)

What needs to be done to address this...(download & run a specific SQL Server Cumulative Update or Service Pack) ?

Thanks in advance.

Efrain Ramirez Fiserv 0 Reputation points

2023-07-10T13:14:43.0066667+00:00

I have multiple instances of SQL installed, 2016 and 2019. Do you run the install or are you required to uninstall older versions? I want to remove older versions to satisfy security concerns.

2 answers

Your answer

Efrain Ramirez Fiserv 0 Reputation points

2023-07-10T13:14:43.0066667+00:00

I have multiple instances of SQL installed, 2016 and 2019. Do you run the install or are you required to uninstall older versions? I want to remove older versions to satisfy security concerns.

Answer 1

Yitzhak Khabinsky 26,486

Hi @techresearch7777777,

What needs to be done to address this...(download & run a specific SQL Server Cumulative Update or Service Pack) ?

It is all about drivers only. So, you need to download and install their latest versions. For example, Microsoft OLEDB Driver could be downloaded here:

https://learn.microsoft.com/en-us/sql/connect/oledb/release-notes-for-oledb-driver-for-sql-server?view=sql-server-ver16#previous-releases

techresearch7777777 1,981 Reputation points

2023-06-20T17:34:53.7266667+00:00

Thanks Yitzhak Khabinsky for your reply, really appreciate it.

Am running one VM on Windows Server 2016 and another VM running Windows Server 2012...how would I know what and which versions to download?

I'm a bit confused that the message mentions ODBC Driver but you mentioned OLEDB Driver?

Sincerely.
Yitzhak Khabinsky 26,486 Reputation points

2023-06-20T17:53:26.1666667+00:00
@techresearch7777777,

It seems that your Microsoft SQL Server 2016 is not affected ?! At least, it is not mentioned in the Affected Software list.

Your question contains registry locations to navigate and check the currently installed driver versions.

Answer 2

ZoeHui-MSFT 41,446

Hi @techresearch7777777,

You may also check it out below.

Update: Hotfixes released for ODBC and OLE DB drivers for SQL Server

Regards，

Zoe Hui

If the answer is helpful, please click "Accept Answer" and upvote it.

techresearch7777777 1,981 Reputation points

2023-06-21T07:07:24.4566667+00:00

Thanks ZoeHui-MSFT

But when I click on your link I get the following:

502 Bad Gateway

Microsoft-Azure-Application-Gateway/v2

techresearch7777777 1,981

Ok I tried again and the web page now shows up.

Next steps

For Windows installations, you can directly download the packages:

    Microsoft ODBC Driver 17.10.4 for SQL Server (download)
    Microsoft ODBC Driver 18.2.2 for SQL Server (download)
    Microsoft OLE DB Driver 18.6.6 for SQL Server (download)
    Microsoft OLE DB Driver 19.3.1 for SQL Server (download)

With so many downloads would I need to download and install all of them onto just one VM Windows Server?

Share via

Microsoft has released a security update to addressed a Remote Code Execution Vulnerability in OLE DB and ODBC driver for SQL Server.

2 answers

Your answer