Security scan on sql_server_2019_express_x64_ENU.exe identified a vulnerability CVE-2021-1636

D K, Harini 1 Reputation point
2021-11-24T08:49:46.723+00:00

CVE-2021-1636 description: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.

Path within file matching detected library:
/Program Files/Microsoft SQL Server/MSSQL.X/MSSQL/Binn/sqllang.dll
/Program Files/Microsoft SQL Server/MSSQL.X/MSSQL/Binn/sqlmin.dll

The link below lists the SQL Server security updates, but how do we know which SQL Server version has the fix for it, since all versions address the same vulnerability?
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1636

Steps to reproduce: run a security scan using a security scanning tool.

Please let me know if there is any patch present for SQL Server 2019 Express that has a fix for this vulnerability.

3 answers

  1. Olaf Helper 25,726 Reputation points
    2021-11-24T09:27:31.52+00:00

    Why don't you simply look it up on your own?

    https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1636


  2. AmeliaGu-MSFT 13,881 Reputation points
    2021-11-24T09:36:22.747+00:00

    Hi DKHarini-7698,

    It has been fixed in KB4583458, the security update for SQL Server 2019 GDR, and KB4583459, the security update for SQL Server 2019 CU8.

    Best Regards,
    Amelia

  3. Erland Sommarskog 67,721 Reputation points Microsoft MVP
    2021-11-24T22:57:42.937+00:00

    Well, it is listed in the document you link to....

    But apart from that, download and install the most recent Cumulative Update for SQL 2019, which is CU14, and you should be fine.
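
The scanner in the question matched sqllang.dll and sqlmin.dll inside the installer package; what actually matters is the build of those DLLs in the installed instance after the GDR or CU has been applied. The PowerShell script below is an added example, not code from the thread or from Microsoft: it enumerates the installed SQL Server 2019 instances from the registry, reads the product version of the two flagged DLLs from each instance's Binn directory, and reports whether each is at or above the build of the security update for its servicing branch. The fixed build numbers are my assumption about what KB4583458 and KB4583459 ship (15.0.2080.9 for the GDR branch, 15.0.4083.2 for the CU branch); confirm them against the KB pages before relying on the result. The point the script handles that a plain "version greater than or equal to" test gets wrong is that SQL Server 2019 has two branches: GDR builds are 15.0.2xxx and CU builds are 15.0.4xxx, so CU8 itself (15.0.4073.23) is numerically newer than the GDR fix yet does not contain it.

```powershell
# Added example (not from the original post): report whether the installed SQL Server 2019
# binaries flagged by the scanner (sqllang.dll, sqlmin.dll) carry the security fix.
#
# ASSUMED fixed builds, taken from memory of the KB articles named in the thread.
# Verify against the KB pages before relying on them:
#   KB4583458  SQL Server 2019 GDR        -> 15.0.2080.9
#   KB4583459  SQL Server 2019 CU8 + GDR  -> 15.0.4083.2
param(
    [version]$GdrFixedBuild = '15.0.2080.9',
    [version]$CuFixedBuild  = '15.0.4083.2',
    # CU-branch builds of SQL Server 2019 start at 15.0.4003 (CU1); GDR-branch builds stay at 15.0.2xxx.
    [version]$CuBranchStart = '15.0.4000.0'
)

function Test-Sql2019BuildPatched {
    # Returns $true when the build is on a branch that already contains the fix.
    # Branch-aware compare: CU8 (15.0.4073.23) is > 15.0.2080.9 but is NOT patched.
    param([Parameter(Mandatory)][version]$Build)
    if ($Build.Major -ne 15) { throw "Not a SQL Server 2019 build: $Build" }
    if ($Build -ge $CuBranchStart) { return $Build -ge $CuFixedBuild }
    return $Build -ge $GdrFixedBuild
}

# Instance name -> instance ID (e.g. SQLEXPRESS -> MSSQL15.SQLEXPRESS) lives here for every installed instance.
$instanceKey = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL'
$instances   = Get-ItemProperty -Path $instanceKey -ErrorAction Stop
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

foreach ($prop in $instances.PSObject.Properties | Where-Object { $_.Name -notin $providerProps }) {
    $instanceName = $prop.Name
    $instanceId   = $prop.Value
    if ($instanceId -notlike 'MSSQL15.*') {
        Write-Verbose "Skipping $instanceName ($instanceId): not a SQL Server 2019 instance"
        continue
    }

    # Setup key holds the install path (SQLPath) and the build the last update left (PatchLevel).
    $setup = Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$instanceId\Setup"
    $binn  = Join-Path $setup.SQLPath 'Binn'

    foreach ($dll in 'sqllang.dll', 'sqlmin.dll') {
        $path = Join-Path $binn $dll
        if (-not (Test-Path -LiteralPath $path)) { Write-Warning "$path not found"; continue }

        # SQL Server DLLs carry the engine build in ProductVersion (15.0.x.y); FileVersion is 2019.150.x.y.
        $vi    = (Get-Item -LiteralPath $path).VersionInfo
        $build = [version]('{0}.{1}.{2}.{3}' -f $vi.ProductMajorPart, $vi.ProductMinorPart,
                                                  $vi.ProductBuildPart, $vi.ProductPrivatePart)
        $state = if (Test-Sql2019BuildPatched -Build $build) { 'patched' } else { 'NOT patched' }

        [pscustomobject]@{
            Instance   = $instanceName
            File       = $dll
            Build      = $build
            PatchLevel = $setup.PatchLevel
            Status     = $state
        }
    }
}
```

Run it in an elevated PowerShell session on the host that was scanned. As a cross-check from inside the engine, `SELECT SERVERPROPERTY('ProductVersion'), SERVERPROPERTY('ProductUpdateReference')` returns the running build and the KB number of the last update applied, which should agree with the Build and PatchLevel columns above.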