Security scan on SQLServer2019-KB5007182-x64.exe Cumulative patch on sql_server_2019_express_x64_ENU.exe identified vulnerable libraries

A, Indupriya 1 Reputation point
2022-03-04T05:40:14.94+00:00

In my project, by downloading and installing the recent cumulative update for SQL 2019, KB5007182 (https://www.microsoft.com/en-us/download/details.aspx?id=100809), vulnerability CVE-2021-1636 got fixed. But this patch is causing the following vulnerabilities with respect to libraries like:

json-smart: CVE-2021-27568, CVE-2021-31684

library kryo version: BDSA-2016-1151

library Apache Thrift version: BDSA-2021-0373, CVE-2015-3254, CVE-2016-5397, CVE-2018-1320, CVE-2019-0205

library Apache Hadoop version: CVE-2020-9492

library zlib version: BDSA-2016-1107, BDSA-2016-1108, BDSA-2016-1109, BDSA-2016-1110

library Cyrus SASL version: BDSA-2022-0532, CVE-2013-4122, CVE-2019-19906

library curl version: BDSA-2020-1933, BDSA-2020-3058, BDSA-2021-0018, BDSA-2021-0021, BDSA-2021-0022, BDSA-2022-0504, CVE-2020-8169, CVE-2020-8177, CVE-2020-8231, CVE-2020-8284, CVE-2020-8285, CVE-2020-8286, CVE-2021-22876, CVE-2021-22890, CVE-2021-22897, CVE-2021-22898, CVE-2021-22922, CVE-2021-22923, CVE-2021-22924, CVE-2021-22925, CVE-2021-22926, CVE-2021-22946, CVE-2021-22947

library ODataLib for OData version: CVE-2018-8269

library Data Mapper for Jackson version: CVE-2019-10172

library JamesNK/Newtonsoft.Json version: BDSA-2018-5195

library System.Net.Security version: CVE-2017-0247, CVE-2017-0248, CVE-2017-0249, CVE-2017-0256

ICU for C/C++ (ICU4C) version: CVE-2020-21913

Can you please provide any information on this?


2 answers

  1. CathyJi-MSFT 22,396 Reputation points Microsoft External Staff
    2022-03-09T03:24:20.717+00:00

    Hi @A, Indupriya ,

    >No, I have not applied any patch for CU14. The above are the vulnerabilities coming from CU14 which I have for SQL 2019

    If so, the latest CU for SQL 2019 is CU15; please apply CU15 for SQL 2019. You can get CU15 from the link below.

    Cumulative Update Package 15 for SQL Server 2019 - KB5008996

    Please follow the steps below:
    1. Download CU15 from the above link.
    2. Install the CU15 package as administrator.

    If it still does not work, please feel free to let me know.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
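One way to confirm that the cumulative update actually applied after following those steps, added here as an example and not part of the thread or of Microsoft's tooling: a PowerShell script that reads SERVERPROPERTY values from the instance and compares the reported build against an expected minimum. The instance name and the minimum build are assumptions; the CU15 build number is left as a placeholder to be taken from the KB5008996 article.

```powershell
# Added example (not from the thread): confirm that a SQL Server 2019 instance reports the
# expected cumulative-update build after patching.
# Assumptions: Windows authentication to the local instance; $MinimumBuild is a PLACEHOLDER
# that must be replaced with the build number published in the CU15 KB (KB5008996).
param(
    [string]$Instance = ".\SQLEXPRESS",           # assumption: default Express instance name
    [version]$MinimumBuild = [version]"15.0.0.0"  # PLACEHOLDER: CU15 build from the KB article
)

# SERVERPROPERTY exposes the build, the CU level and the edition of the running instance.
$query = @"
SELECT CAST(SERVERPROPERTY('ProductVersion')     AS nvarchar(32)) AS ProductVersion,
       CAST(SERVERPROPERTY('ProductUpdateLevel') AS nvarchar(16)) AS ProductUpdateLevel,
       CAST(SERVERPROPERTY('Edition')            AS nvarchar(64)) AS Edition
"@

$conn = New-Object System.Data.SqlClient.SqlConnection("Server=$Instance;Integrated Security=True")
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $query
    $reader = $cmd.ExecuteReader()
    if (-not $reader.Read()) { throw "SERVERPROPERTY query returned no row" }
    $build   = [version][string]$reader["ProductVersion"]
    $level   = [string]$reader["ProductUpdateLevel"]   # e.g. "CU15"; empty on an unpatched RTM build
    $edition = [string]$reader["Edition"]
    $reader.Close()
}
finally {
    $conn.Close()
}

"Instance $Instance ($edition): build $build, update level '$level'"
# A build below the expected minimum means the CU installer did not update this instance.
if ($build -lt $MinimumBuild) {
    Write-Warning "Build $build is below the expected minimum $MinimumBuild; the CU did not apply."
    exit 1
}
"Build $build meets the expected minimum $MinimumBuild."
```

Run it once per instance on the host; a non-zero exit code flags an instance that still needs the update.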


  2. CathyJi-MSFT 22,396 Reputation points Microsoft External Staff
    2022-03-09T07:05:05.483+00:00

    Hi @A, Indupriya ,

    >Do I need to keep both CU14 along with CU15 for sql_server_2019_express_x64_ENU.exe?

    It depends on your choice. You can apply CU15 to SQL 2019 CU14 directly, or uninstall CU14, then apply CU15 for SQL 2019. In addition, CU15 includes all fixes that were included in previous CUs.

    > After installing CU15, will this have a fix for the vulnerabilities which CU14 has raised?

    I cannot promise this, but CU15 contains other fixes that are not included in CU14. And MS always suggests customers apply the latest CU for SQL Server.

    > Will this CU15 resolve the vulnerabilities of SQL2019 (CVE-2021-1636) which got fixed with CU14?

    Yes, CU15 includes all fixes that were included in previous CUs, which means CU15 contains all fixes in CU14.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

