Security scan on sql_server_2019_express_x64_ENU.exe identified a vulnerability CVE-2021-1636

D K, Harini 1 Reputation point
2021-11-24T08:49:46.723+00:00

CVE-2021-1636 description: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.

Path within file matching detected library:
/Program Files/Microsoft SQL Server/MSSQL.X/MSSQL/Binn/sqllang.dll
/Program Files/Microsoft SQL Server/MSSQL.X/MSSQL/Binn/sqlmin.dll

The link below lists the SQL Server security updates,
but how do we know which SQL Server version has the fix, since all versions address the same vulnerability?
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1636

Steps to reproduce: run a security scan using a security scanning tool.

Please let me know if there is a patch for SQL Server 2019 Express that fixes this vulnerability.


3 answers

  1. Olaf Helper 38,941 Reputation points
    2021-11-24T09:27:31.52+00:00

    Why don't you simply look it up on your own?

    https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1636


  2. AmeliaGu-MSFT 13,956 Reputation points Microsoft Vendor
    2021-11-24T09:36:22.747+00:00

    Hi DKHarini-7698,

    It has been fixed in KB4583458, the security update for SQL Server 2019 GDR, and in KB4583459, the security update for SQL Server 2019 CU8.

    Best Regards,
    Amelia


    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".


  3. Erland Sommarskog 99,071 Reputation points
    2021-11-24T22:57:42.937+00:00

    Well, it is listed in the document you link to....

    But apart from that, download and install the most recent Cumulative Update for SQL 2019, which is CU14, and you should be fine.
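The replies above say the fix ships in KB4583458 (GDR branch) and KB4583459 (CU8 on the CU branch), and that the current CU is sufficient. The T-SQL below is an added example, not code from any reply in this thread: it reads the installed build's properties through SERVERPROPERTY and reports where the instance stands relative to those two KBs. It assumes a SQL Server 2019 instance (ProductVersion 15.x) and that ProductUpdateLevel is reported as 'CUnn' on the CU branch; the status wording is the example's own.

```sql
-- Added example: report the installed SQL Server 2019 servicing level and
-- flag it against the KBs named in the answers (KB4583458 GDR, KB4583459 = CU8).
DECLARE @version     nvarchar(128) = CONVERT(nvarchar(128), SERVERPROPERTY('ProductVersion'));         -- e.g. 15.0.xxxx.x
DECLARE @level       nvarchar(128) = CONVERT(nvarchar(128), SERVERPROPERTY('ProductLevel'));           -- e.g. RTM
DECLARE @updateLevel nvarchar(128) = CONVERT(nvarchar(128), SERVERPROPERTY('ProductUpdateLevel'));     -- e.g. CU14; NULL when no CU is applied
DECLARE @updateRef   nvarchar(128) = CONVERT(nvarchar(128), SERVERPROPERTY('ProductUpdateReference')); -- KB article of the latest installed update
DECLARE @edition     nvarchar(128) = CONVERT(nvarchar(128), SERVERPROPERTY('Edition'));                -- e.g. Express Edition (64-bit)

-- Numeric part of 'CUnn'; NULL on RTM/GDR builds (assumption: CU branch reports 'CUnn').
DECLARE @cu int = CASE WHEN @updateLevel LIKE 'CU[0-9]%'
                       THEN TRY_CAST(SUBSTRING(@updateLevel, 3, 10) AS int) END;

SELECT
    @edition     AS Edition,
    @version     AS ProductVersion,
    @level       AS ProductLevel,
    @updateLevel AS ProductUpdateLevel,
    @updateRef   AS ProductUpdateReference,
    CASE
        WHEN @version NOT LIKE '15.%'
            THEN 'not SQL Server 2019: check the MSRC page for this major version'
        WHEN @cu >= 8
            THEN 'patched: CU8 or a later CU is installed (fix from KB4583459 is included)'
        WHEN @updateRef = 'KB4583458'
            THEN 'patched: GDR security update KB4583458 is installed'
        ELSE 'check: below CU8 and KB4583458 not reported as the latest update; review the update history'
    END AS CVE_2021_1636_Status;
```

Run it in SSMS or sqlcmd against the instance the scanner flagged. The CU test is reliable because cumulative updates include earlier fixes; the GDR test only recognises KB4583458 when it is the most recent update applied, so a GDR-branch instance with a later GDR lands in the "check" row and should be confirmed against the update history rather than assumed unpatched.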