How to address Security Scan Vulnerability report related to SQL Server 2016 versions?

techresearch7777777 1,801 Reputation points
2023-10-17T22:36:46.7666667+00:00

Hello, we have the following 2 slightly different specific SQL Server 2016 versions, shown in the following image:

(image: the two SQL Server 2016 version strings)

We have a Security Scan Vulnerability report which lists the following 3 main columns (TITLE, THREAT, SOLUTION), as follows:

TITLE:
Microsoft SQL Server, ODBC and OLE DB Driver for SQL Server Multiple Vulnerabilities for October 2023

THREAT:
"Microsoft has released a security update to address a Remote Code Execution Vulnerability in the OLE DB and ODBC drivers for SQL Server. Both of these are APIs for Microsoft SQL Server that provide access to a range of data sources. 

Affected Software: 
Microsoft ODBC Driver 17 for SQL Server on Windows version prior to 17.10.5.1 
Microsoft ODBC Driver 18 for SQL Server on Windows version prior to 18.6.7.0 
Microsoft ODBC Driver 17 for SQL Server on Linux version prior to 17.10.5.1 
Microsoft ODBC Driver 18 for SQL Server on Linux version prior to 18.3.2.1 
Microsoft SQL Server 2022 for x64-based Systems (GDR)  
Microsoft SQL Server 2019 for x64-based Systems (GDR)  
Microsoft SQL Server 2022 for x64-based Systems (CU 8)  
Microsoft SQL Server 2019 for x64-based Systems (CU 22)  
Microsoft SQL Server 2017 for x64-based Systems (CU 31) 
Microsoft SQL Server 2017 for x32-based Systems (CU 31) 
Microsoft SQL Server 2016 for x64-based Systems Service Pack 3 (GDR) 
Microsoft SQL Server 2016 for x64-based Systems Service Pack 3 Azure Connect Feature Pack 
Microsoft SQL Server 2014 Service Pack 3 for x64-based Systems (CU 4) 
Microsoft SQL Server 2014 Service Pack 3 for x32-based Systems (GDR)
Microsoft OLE DB Driver 19 for SQL Server version prior to 19.3.2.0 
Microsoft OLE DB Driver 18 for SQL Server version prior to 19.3.2.0 

 QID Detection Logic (Authenticated): 
On Windows, this QID checks for the vulnerable version of ODBC and OLE DB via the registry keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft and HKEY_LOCAL_MACHINE\WOW6432Node\SOFTWARE\Microsoft and the related sub keys for ODBC and OLE DB. 
On Linux, this QID checks for the vulnerable version of ODBC based on the installed package."
SOLUTION:
"Customers are advised to refer to CVE-2023-36728 (https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2023-36728), CVE-2023-36730 (https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2023-36730), CVE-2023-36420 (https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2023-36420), CVE-2023-36785 (https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2023-36785), CVE-2023-36417 (https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2023-36417), for more information regarding the vulnerabilities and their patches.
 Patch: 
Following are links for downloading patches to fix the vulnerabilities:
  CVE-2023-36728 (https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2023-36728)  CVE-2023-36730 (https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2023-36730)  CVE-2023-36420 (https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2023-36420)  CVE-2023-36785 (https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2023-36785)  CVE-2023-36417 (https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2023-36417)"

----

TITLE:
Microsoft SQL Server, ODBC and OLE DB Driver for SQL Server Remote Code Execution (RCE) Vulnerabilities for June 2023

THREAT:
"Microsoft has released a security update to address a Remote Code Execution Vulnerability in the OLE DB and ODBC drivers for SQL Server. Both of these are APIs for Microsoft SQL Server that provide access to a range of data sources. 

Affected Software: 
Microsoft ODBC Driver 17 for SQL Server on Windows version prior to 17.10.4.1 
Microsoft ODBC Driver 18 for SQL Server on Windows version prior to 18.2.2.1 
Microsoft ODBC Driver 17 for SQL Server on Linux version prior to 17.10.4.1 
Microsoft ODBC Driver 18 for SQL Server on Linux version prior to 18.2.2 
Microsoft SQL Server 2022 for x64-based Systems (CU 5)  
Microsoft SQL Server 2019 for x64-based Systems (CU 21)  
Microsoft OLE DB Driver 19 for SQL Server version prior to 19.3.1 
Microsoft OLE DB Driver 18 for SQL Server version prior to 18.6.6 

 QID Detection Logic (Authenticated): 
On Windows, this QID checks for the vulnerable version of ODBC and OLE DB via the registry keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft" and "HKEY_LOCAL_MACHINE\WOW6432Node\SOFTWARE\Microsoft" and the related sub keys for ODBC and OLE DB. 
On Linux, this QID checks for the vulnerable version of ODBC based on the installed package."
SOLUTION:
"Customers are advised to refer to CVE-2023-32027 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-32027), CVE-2023-32025 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-32025), CVE-2023-32026 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-32026), CVE-2023-29356 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29356), CVE-2023-32028 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-32028), and CVE-2023-29349 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29349) for more information regarding the vulnerabilities and their patches.
 Patch: 
Following are links for downloading patches to fix the vulnerabilities:
  CVE-2023-32027 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-32027)  CVE-2023-32025 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-32025)  CVE-2023-32026 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-32026)  CVE-2023-29356 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29356)  CVE-2023-32028 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-32028)  CVE-2023-29349 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29349)"

----

This seems confusing, so my question is: what needs to be done to address our 2 different specific SQL Server 2016 versions?

Can it be done through Windows Server O.S. updates, or do we need to manually download/install something, or something else?

Thanks in advance.
1 answer

  1. PercyTang-MSFT 12,426 Reputation points Microsoft Vendor
    2023-10-18T02:14:35.35+00:00

    Hi @techresearch7777777

    You can try the solutions you posted.

    I think the solutions are already clear.

    Best regards,

    Percy Tang