You can try the solutions you posted.
I think the solutions are already clear.
Best regards,
Percy Tang
This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Hello, we have the following 2 slightly different specific SQL Server 2016 version in following image:
We have a Security Scan Vulnerability report which lists the following 3 main columns (TITLE, THREAT, SOLUTION) in following:
TITLE:
Microsoft SQL Server, ODBC and OLE DB Driver for SQL Server Multiple Vulnerabilities for October 2023
THREAT:
"Microsoft has released a security update to addressed a Remote Code Execution Vulnerability in OLE DB and ODBC driver for SQL Server. Both of these are APIs for Microsoft SQL server that provide access to a range of data sources.
Affected Software:
Microsoft ODBC Driver 17 for SQL Server on Windows version prior to 17.10.5.1
Microsoft ODBC Driver 18 for SQL Server on Windows version prior to 18.6.7.0
Microsoft ODBC Driver 17 for SQL Server on Linux version prior to 17.10.5.1
Microsoft ODBC Driver 18 for SQL Server on Linux version prior to 18.3.2.1
Microsoft SQL Server 2022 for x64-based Systems (GDR)
Microsoft SQL Server 2019 for x64-based Systems (GDR)
Microsoft SQL Server 2022 for x64-based Systems ( (CU 8))
Microsoft SQL Server 2019 for x64-based Systems (CU 22)
Microsoft SQL Server 2017 for x64-based Systems (CU 31)
Microsoft SQL Server 2017 for x32-based Systems (CU 31)
Microsoft SQL Server 2016 for x64-based Systems Service Pack 3 (GDR)
Microsoft SQL Server 2016 for x64-based Systems Service Pack 3 Azure Connect Feature Pack
Microsoft SQL Server 2014 Service Pack 3 for x64-based Systems (CU 4)
Microsoft SQL Server 2014 Service Pack 3 for x32-based Systems (GDR)
Microsoft OLE DB Driver 19 for SQL Server version prior to 19.3.2.0
Microsoft OLE DB Driver 18 for SQL Server version prior to 19.3.2.0
QID Detection Logic (Authenticated):
On Windows, this QID checks for the vulnerable version of ODBC and OLE DB via the registry keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft and HKEY_LOCAL_MACHINE\WOW6432Node\SOFTWARE\Microsoft and the related sub keys for ODBC and OLE DB.
On Linux, this QID checks for the vulnerable version of ODBC based on the installed package."
SOLUTION:
"Customers are advised to refer to CVE-2023-36728 (https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2023-36728), CVE-2023-36730 (https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2023-36730), CVE-2023-36420 (https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2023-36420), CVE-2023-36785 (https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2023-36785), CVE-2023-36417 (https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2023-36417), for more information regarding the vulnerabilities and their patches.
Patch:
Following are links for downloading patches to fix the vulnerabilities:
CVE-2023-36728 (https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2023-36728) CVE-2023-36730 (https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2023-36730) CVE-2023-36420 (https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2023-36420) CVE-2023-36785 (https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2023-36785) CVE-2023-36417 (https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2023-36417)"
----
TITLE:
Microsoft SQL Server, ODBC and OLE DB Driver for SQL Server Remote Code Execution (RCE) Vulnerabilities for June 2023
THREAT:
"Microsoft has released a security update to addressed a Remote Code Execution Vulnerability in OLE DB and ODBC driver for SQL Server. Both of these are APIs for Microsoft SQL server that provide access to a range of data sources.
Affected Software:
Microsoft ODBC Driver 17 for SQL Server on Windows version prior to 17.10.4.1
Microsoft ODBC Driver 18 for SQL Server on Windows version prior to 18.2.2.1
Microsoft ODBC Driver 17 for SQL Server on Linux version prior to 17.10.4.1
Microsoft ODBC Driver 18 for SQL Server on Linux version prior to 18.2.2
Microsoft SQL Server 2022 for x64-based Systems (CU 5)
Microsoft SQL Server 2019 for x64-based Systems (CU 21)
Microsoft OLE DB Driver 19 for SQL Server version prior to 19.3.1
Microsoft OLE DB Driver 18 for SQL Server version prior to 18.6.6
QID Detection Logic (Authenticated):
On Windows, this QID checks for the vulnerable version of ODBC and OLE DB via the registry keys ""HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft"" and ""HKEY_LOCAL_MACHINE\WOW6432Node\SOFTWARE\Microsoft"" and the related sub keys for ODBC and OLE DB.
On Linux, this QID checks for the vulnerable version of ODBC based on the installed package."
SOLUTION:
"Customers are advised to refer to CVE-2023-32027 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-32027), CVE-2023-32025 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-32025), CVE-2023-32026 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-32026), CVE-2023-29356 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29356), CVE-2023-32028 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-32028), and CVE-2023-29349 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29349) for more information regarding the vulnerabilities and their patches.
Patch:
Following are links for downloading patches to fix the vulnerabilities:
CVE-2023-32027 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-32027) CVE-2023-32025 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-32025) CVE-2023-32026 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-32026) CVE-2023-29356 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29356) CVE-2023-32028 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-32028) CVE-2023-29349 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29349)"
----
This seems to be confusing so my question is what needs to be done to address our 2 different types of SQL Server 2016 specific versions?
Can it be done through the Windows Server O.S. updates or need to manually download/install something or something else?
Thanks in advance.
You can try the solutions you posted.
I think the solutions are already clear.
Best regards,
Percy Tang