Security scan on SQLServer2019-KB5007182-x64.exe Cumulative patch on sql_server_2019_express_x64_ENU.exe identified vulnerable libraries

Question

Security scan on SQLServer2019-KB5007182-x64.exe Cumulative patch on sql_server_2019_express_x64_ENU.exe identified vulnerable libraries

A, Indupriya 1

In My project , By downloading and installing the recent cumulative update for SQL 2019 - KB5007182 (https://www.microsoft.com/en-us/download/details.aspx?id=100809) , vulnerability CVE-2021-1636 got fixed . But this patch is causing following vulnerabilities with respect to libraries like

json-smart : CVE-2021-27568 , CVE-2021-31684

library kryo version : BDSA-2016-1151

library Apache Thrift version : BDSA-2021-0373 , CVE-2015-3254 , CVE-2016-5397 , CVE-2018-1320 , CVE-2019-0205

library Apache Hadoop version : CVE-2020-9492

library zlib version : BDSA-2016-1107,BDSA-2016-1108,BDSA-2016-1109,BDSA-2016-1110

library Cyrus SASL version : BDSA-2022-0532 , CVE-2013-4122 , CVE-2019-19906

library curl version : BDSA-2020-1933,BDSA-2020-3058,BDSA-2021-0018,BDSA-2021-0021,BDSA-2021-0022,BDSA-2022-0504,CVE-2020-8169,CVE-2020-8177,CVE-2020-8231,CVE-2020-8284,CVE-2020-8285,CVE-2020-8286,CVE-2021-22876,CVE-2021-22890,CVE-2021-22897,CVE-2021-22898,CVE-2021-22922,CVE-2021-22923,CVE-2021-22924,CVE-2021-22925,CVE-2021-22926,CVE-2021-22946,CVE-2021-22947

library ODataLib for OData version : CVE-2018-8269

library Data Mapper for Jackson version : CVE-2019-10172

library JamesNK/Newtonsoft.Json version : BDSA-2018-5195

library System.Net.Security version : CVE-2017-0247,CVE-2017-0248,CVE-2017-0249,CVE-2017-0256.

ICU for C/C++ (ICU4C) version: CVE-2020-21913

Can you please provide any information on this..........?

CathyJi-MSFT 22,396 Reputation points Microsoft External Staff

2022-03-08T07:40:13.647+00:00

Hi @A, Indupriya ,

Sorry for reply late.

Did you mean that you have many vulnerabilities after you applied the latest CU15 for SQL 2019? Did you run a new security scan for your server? Any difference?
A, Indupriya 1 Reputation point

2022-03-08T08:45:41.143+00:00

Yes these are the vulnerabilities has been found during scanning from our server after applying patch
CathyJi-MSFT 22,396 Reputation points Microsoft External Staff

2022-03-08T08:52:11.04+00:00

Did you try to uninstall the CU15? Did the vulnerabilities are existed after uninstalling CU15 for SQL 2019? Which version of your SQL server before applying CU15?
A, Indupriya 1 Reputation point

2022-03-08T09:01:20.153+00:00

yes,this vulnerabilities are coming up after installing it itself from this component. Earlier we had only SQLServerExpressInstaller - sql_server_2019_express_x64_ENU.exe . for this we had got vulnerability CVE-2021-1636.

Then to fix vulnerability,we had installed SQLServer2019-KB5007182-x64.exe along with SQLServerExpressInstaller - sql_server_2019_express_x64_ENU.exe . So currently we have both in our directory
CathyJi-MSFT 22,396 Reputation points Microsoft External Staff

2022-03-08T09:22:28.437+00:00

Did you mean that you have SQL 2019 Express RTM, you have one vulnerability after you applied CU14 for SQL 2019? To fix this vulnerability, you applied CU15 for SQL 2019, but you got many vulnerabilities.
A, Indupriya 1 Reputation point

2022-03-08T13:02:17.47+00:00

No i have not applied any patch for CU14. The above are the vulnerabilities are coming from CU14 which i have for SQL 2019

2 answers

Your answer

CathyJi-MSFT 22,396 Reputation points Microsoft External Staff

2022-03-08T07:40:13.647+00:00

Hi @A, Indupriya ,

Sorry for reply late.

Did you mean that you have many vulnerabilities after you applied the latest CU15 for SQL 2019? Did you run a new security scan for your server? Any difference?
A, Indupriya 1 Reputation point

2022-03-08T08:45:41.143+00:00

Yes these are the vulnerabilities has been found during scanning from our server after applying patch
CathyJi-MSFT 22,396 Reputation points Microsoft External Staff

2022-03-08T08:52:11.04+00:00

Did you try to uninstall the CU15? Did the vulnerabilities are existed after uninstalling CU15 for SQL 2019? Which version of your SQL server before applying CU15?
A, Indupriya 1 Reputation point

2022-03-08T09:01:20.153+00:00

yes,this vulnerabilities are coming up after installing it itself from this component. Earlier we had only SQLServerExpressInstaller - sql_server_2019_express_x64_ENU.exe . for this we had got vulnerability CVE-2021-1636.

Then to fix vulnerability,we had installed SQLServer2019-KB5007182-x64.exe along with SQLServerExpressInstaller - sql_server_2019_express_x64_ENU.exe . So currently we have both in our directory
CathyJi-MSFT 22,396 Reputation points Microsoft External Staff

2022-03-08T09:22:28.437+00:00

Did you mean that you have SQL 2019 Express RTM, you have one vulnerability after you applied CU14 for SQL 2019? To fix this vulnerability, you applied CU15 for SQL 2019, but you got many vulnerabilities.
A, Indupriya 1 Reputation point

2022-03-08T13:02:17.47+00:00

No i have not applied any patch for CU14. The above are the vulnerabilities are coming from CU14 which i have for SQL 2019

Answer 1

CathyJi-MSFT 22,396 Microsoft External Staff

Hi @A, Indupriya ,

>No i have not applied any patch for CU14. The above are the vulnerabilities are coming from CU14 which i have for SQL 2019

If so, the latest CU for SQL 2019 is CU15, please apply CU15 for SQL 2019. You can get CU15 from below link.

Cumulative Update Package 15 for SQL Server 2019 - KB5008996

Please follow below steps;
1.Download CU15 from above link.
2.Install CU15 package as administrator.

If it still not work, please feel free to let me know.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

A, Indupriya 1 Reputation point

2022-03-09T06:38:07.047+00:00
Sure ,but before that can you provide me the information for the following.

Do I need to keep both CU14 along with CU 15 for sql_server_2019_express_x64_ENU.exe ....?

after installing CU15 , will this has fix for the vulnerabilities which CU14 has raised...?

Will this CU15 will resolve the vulnerabilities of SQL2019 ( CVE-2021-1636 ) which got fixed with CU14........?

Answer 2

Hi @A, Indupriya ,

>Do I need to keep both CU14 along with CU 15 for sql_server_2019_express_x64_ENU.exe ....?

It depends on your choice. You can apply CU15 to SQL 2019 CU14 directly. Or uninstall CU14, then apply CU15 for SQL 2019. In addition, CU15 include all fixes that included previous CUs.

> after installing CU15 , will this has fix for the vulnerabilities which CU14 has raised...?

I can not promise this, but CU15 contain other fixes that are not included in CU14. And MS always suggest customer to apply the latest CU for SQL server.

> Will this CU15 will resolve the vulnerabilities of SQL2019 ( CVE-2021-1636 ) which got fixed with CU14........?

Yes, CU15 include all fixes that included previous CUs, that means CU15 contain all fixes in CU14.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

CathyJi-MSFT 22,396 Reputation points Microsoft External Staff

2022-03-11T07:55:39.363+00:00

Hi @A, Indupriya ,

Any update for this thread? Did the reply could help you? If the response helped, do "Accept Answer". If it is not, please let us know.

Share via

Security scan on SQLServer2019-KB5007182-x64.exe Cumulative patch on sql_server_2019_express_x64_ENU.exe identified vulnerable libraries

2 answers

Your answer