This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(92.8, 65%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDK%3C/text%3E%3C/svg%3E)
CVE-2021-1636 description: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.
Path within file matching detected library:
/Program Files/Microsoft SQL Server/MSSQL.X/MSSQL/Binn/sqllang.dll
/Program Files/Microsoft SQL Server/MSSQL.X/MSSQL/Binn/sqlmin.dll
In the below link we have the SQL Server with security updates,
but how do we get to know which SQL Server version has fix for it since all version addressed the same vulnerability?
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1636
Steps to Reproduce: - Run a security scan using security scanning tool.
Please let me know if there is any patch present for SQL Server 2019 express which has a fix for this vulnerability.
Why don't you simply look it up on your own?
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1636
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(108.80000000000001, 46%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAM%3C/text%3E%3C/svg%3E)
Hi DKHarini-7698,
It has been fixed in the KB4583458 – the security update for SQL Server 2019 GDR and KB4583459 - the security update for SQL Server 2019 CU8.
Best Regards,
Amelia
If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Well, it is listed in the document you link to....
But apart from that, download and install the most recent Cumulative Update for SQL 2019 which is CU14, and you should be fine.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(272, 23%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAI%3C/text%3E%3C/svg%3E)
Hi @Erland Sommarskog ,
In My project , By downloading and installing the recent cumulative update for SQL 2019 - KB5007182 (https://www.microsoft.com/en-us/download/details.aspx?id=100809) , vulnerability CVE-2021-1636 got fixed . But this patch is causing following vulnerabilities with respect to libraries like
Can you please provide any information on this..........?
Not sure why you are addressing me. Or you why you piggyback on an old thread. Or for that matter I am not sure that I understand the question at all.
I suggest that you start a new thread, describing your problem from start to end.
Okay Sure will start new thread . Sorry , Since I actually followed this thread to fix vulnerability on SQLServer2019 and updated the patch, asked in the same thread, Nothing else .