How to address Security Scan Vulnerability report related to SQL Server 2016 versions?

techresearch7777777 1,801 Reputation points
2023-10-17T22:36:46.7666667+00:00

Hello, we have the following 2 slightly different specific SQL Server 2016 version in following image:

User's image

We have a Security Scan Vulnerability report which lists the following 3 main columns (TITLE, THREAT, SOLUTION) in following:

TITLE:
Microsoft SQL Server, ODBC and OLE DB Driver for SQL Server Multiple Vulnerabilities for October 2023	



THREAT:
"Microsoft has released a security update to addressed a Remote Code Execution Vulnerability in OLE DB and ODBC driver for SQL Server. Both of these are APIs for Microsoft SQL server that provide access to a range of data sources. 

Affected Software: 
Microsoft ODBC Driver 17 for SQL Server on Windows version prior to 17.10.5.1 
Microsoft ODBC Driver 18 for SQL Server on Windows version prior to 18.6.7.0 
Microsoft ODBC Driver 17 for SQL Server on Linux version prior to 17.10.5.1 
Microsoft ODBC Driver 18 for SQL Server on Linux version prior to 18.3.2.1 
Microsoft SQL Server 2022 for x64-based Systems (GDR)  
Microsoft SQL Server 2019 for x64-based Systems (GDR)  
Microsoft SQL Server 2022 for x64-based Systems ( (CU 8))  
Microsoft SQL Server 2019 for x64-based Systems (CU 22)  
Microsoft SQL Server 2017 for x64-based Systems (CU 31) 
Microsoft SQL Server 2017 for x32-based Systems (CU 31) 
Microsoft SQL Server 2016 for x64-based Systems Service Pack 3 (GDR) 
Microsoft SQL Server 2016 for x64-based Systems Service Pack 3 Azure Connect Feature Pack 
Microsoft SQL Server 2014 Service Pack 3 for x64-based Systems (CU 4) 
Microsoft SQL Server 2014 Service Pack 3 for x32-based Systems (GDR)
Microsoft OLE DB Driver 19 for SQL Server version prior to 19.3.2.0 
Microsoft OLE DB Driver 18 for SQL Server version prior to 19.3.2.0 

 QID Detection Logic (Authenticated): 
On Windows, this QID checks for the vulnerable version of ODBC and OLE DB via the registry keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft and HKEY_LOCAL_MACHINE\WOW6432Node\SOFTWARE\Microsoft and the related sub keys for ODBC and OLE DB. 
On Linux, this QID checks for the vulnerable version of ODBC based on the installed package."



SOLUTION:
"Customers are advised to refer to CVE-2023-36728 (https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2023-36728), CVE-2023-36730 (https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2023-36730), CVE-2023-36420 (https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2023-36420), CVE-2023-36785 (https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2023-36785), CVE-2023-36417 (https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2023-36417), for more information regarding the vulnerabilities and their patches.
 Patch: 
Following are links for downloading patches to fix the vulnerabilities:
  CVE-2023-36728 (https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2023-36728)  CVE-2023-36730 (https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2023-36730)  CVE-2023-36420 (https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2023-36420)  CVE-2023-36785 (https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2023-36785)  CVE-2023-36417 (https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2023-36417)"




----



TITLE:
Microsoft SQL Server, ODBC and OLE DB Driver for SQL Server Remote Code Execution (RCE) Vulnerabilities for June 2023



THREAT:
"Microsoft has released a security update to addressed a Remote Code Execution Vulnerability in OLE DB and ODBC driver for SQL Server. Both of these are APIs for Microsoft SQL server that provide access to a range of data sources. 

Affected Software: 
Microsoft ODBC Driver 17 for SQL Server on Windows version prior to 17.10.4.1 
Microsoft ODBC Driver 18 for SQL Server on Windows version prior to 18.2.2.1 
Microsoft ODBC Driver 17 for SQL Server on Linux version prior to 17.10.4.1 
Microsoft ODBC Driver 18 for SQL Server on Linux version prior to 18.2.2 
Microsoft SQL Server 2022 for x64-based Systems (CU 5)  
Microsoft SQL Server 2019 for x64-based Systems (CU 21)  
Microsoft OLE DB Driver 19 for SQL Server version prior to 19.3.1 
Microsoft OLE DB Driver 18 for SQL Server version prior to 18.6.6 

 QID Detection Logic (Authenticated): 
On Windows, this QID checks for the vulnerable version of ODBC and OLE DB via the registry keys ""HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft"" and ""HKEY_LOCAL_MACHINE\WOW6432Node\SOFTWARE\Microsoft"" and the related sub keys for ODBC and OLE DB. 
On Linux, this QID checks for the vulnerable version of ODBC based on the installed package."



SOLUTION:
"Customers are advised to refer to CVE-2023-32027 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-32027), CVE-2023-32025 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-32025), CVE-2023-32026 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-32026), CVE-2023-29356 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29356), CVE-2023-32028 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-32028), and CVE-2023-29349 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29349) for more information regarding the vulnerabilities and their patches.
 Patch: 
Following are links for downloading patches to fix the vulnerabilities:
  CVE-2023-32027 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-32027)  CVE-2023-32025 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-32025)  CVE-2023-32026 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-32026)  CVE-2023-29356 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29356)  CVE-2023-32028 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-32028)  CVE-2023-29349 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29349)"



----


This seems to be confusing so my question is what needs to be done to address our 2 different types of SQL Server 2016 specific versions?

Can it be done through the Windows Server O.S. updates or need to manually download/install something or something else?

Thanks in advance.
SQL Server
SQL Server
A family of Microsoft relational database management and analysis systems for e-commerce, line-of-business, and data warehousing solutions.
12,895 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. PercyTang-MSFT 12,426 Reputation points Microsoft Vendor
    2023-10-18T02:14:35.35+00:00

    Hi @techresearch7777777

    You can try the solutions you posted.

    I think the solutions are already clear.

    Best regards,

    Percy Tang