Microsoft SQL Server Remote Code Execution Vulnerability

techresearch7777777 1,921 Reputation points
2022-06-21T20:03:57.987+00:00

Hello, I recently noticed Microsoft mentioning a SQL Server security vulnerability, as this link describes:

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29143

I am a bit confused about how to apply the fix.

Should I apply the latest SQL Server Service Packs and Cumulative Updates first and then download and apply that link's vulnerability patches or something different?

Thanks in advance.


Accepted answer
  1. CathyJi-MSFT 22,346 Reputation points Microsoft Vendor
    2022-06-23T09:39:39.43+00:00

    Hi @techresearch7777777,

    Please check the patches that you need to apply to your six SQL server instances.

    Microsoft SQL Server 2014 (SP3-CU4-GDR) (KB4583462) - 12.0.6433.1 (X64) Oct 31 2020 02:54:45 Copyright (c) Microsoft Corporation Enterprise Edition: Core-based Licensing (64-bit) on Windows NT 6.3 <X64> (Build 9600: ) (Hypervisor)
    Apply 5014164 Security update for SQL Server 2014 SP3 CU4: June 14, 2022 to this SQL instance.

    Microsoft SQL Server 2016 (SP2-GDR) (KB4583460) - 13.0.5103.6 (X64) Nov 1 2020 00:13:28 Copyright (c) Microsoft Corporation Standard Edition (64-bit) on Windows Server 2012 R2 Standard 6.3 <X64> (Build 9600: ) (Hypervisor)
    Apply 5014365 Security update for SQL Server 2016 SP2 GDR: June 14, 2022 to this SQL Server instance.

    Microsoft SQL Server 2016 (SP2-GDR) (KB4583460) - 13.0.5108.50 (X64) May 20 2022 20:28:29 Copyright (c) Microsoft Corporation Standard Edition (64-bit) on Windows Server 2016 Standard 10.0 <X64> (Build 14393: ) (Hypervisor)
    This is the latest GDR for SQL Server 2016 SP2. If you do not want to apply SP3 to this SQL Server instance, you do not need to apply a patch to this instance.

    Microsoft SQL Server 2016 (SP3) (KB5003279) - 13.0.6300.2 (X64) Aug 7 2021 01:20:37 Copyright (c) Microsoft Corporation Developer Edition (64-bit) on Windows Server 2012 R2 Standard 6.3 <X64> (Build 9600: ) (Hypervisor)
    Apply 5014355 Security update for SQL Server 2016 SP3 GDR: June 14, 2022 to this SQL Server instance.

    Microsoft SQL Server 2016 (SP3-GDR) (KB5014355) - 13.0.6419.1 (X64) May 29 2022 21:05:29 Copyright (c) Microsoft Corporation Standard Edition (64-bit) on Windows Server 2016 Standard 10.0 <X64> (Build 14393: ) (Hypervisor)
    This is the latest GDR for SQL Server 2016 SP3.

    Microsoft SQL Server 2019 (RTM-CU16-GDR) (KB5014353) - 15.0.4236.7 (X64) May 29 2022 15:55:47 Copyright (C) 2019 Microsoft Corporation Standard Edition (64-bit) on Windows Server 2019 Standard 10.0 <X64> (Build 17763: ) (Hypervisor)
    This is the latest version for SQL Server 2019.




7 additional answers

  1. techresearch7777777 1,921 Reputation points
    2022-06-21T20:33:44.207+00:00

    Also that link mentions:

    "An authenticated attacker could exploit the vulnerability by executing a specially crafted query using $partition against a table with a Column Store index."

    Is it correct to say that the attacker must have existing, enabled/active SQL Server credentials (a SQL Login or Windows Logon account), log in to SQL Server as an authenticated user, and then run the specially crafted query?

    Basically, if they can't log in/connect to SQL Server, the attacker would not be able to do this?


  2. Tom Phillips 17,741 Reputation points
    2022-06-21T20:57:43.75+00:00

    All SQL Server patches are "cumulative". A version number greater than the version listed already has all previous versions included. You only need to ever install the greatest version number for your Service Pack.

    What are the GDR and CU update designations and how do they differ?

    The General Distribution Release (GDR) and Cumulative Update (CU) designations correspond to the two different servicing options in place for SQL Server baseline releases. A baseline can be either an RTM release or a Service Pack release.

    GDR updates – cumulatively only contain security updates for the given baseline.
    CU updates – cumulatively contain all functional fixes and security updates for the given baseline.
    For any given baseline, either the GDR or CU updates could be options (see below).

    If the SQL Server installation is at a baseline version, you can choose either the GDR or CU update.
    If the SQL Server installation has intentionally only installed past GDR updates, then choose to install the GDR update package.
    If the SQL Server installation has intentionally installed previous CU updates, then choose to install the CU security update package.
    Note: You are allowed to make a change from GDR updates to CU updates ONE TIME. Once a SQL Server CU update is applied to a SQL Server installation, there is NO way to go back to the GDR update path.


  3. Erland Sommarskog 116.9K Reputation points MVP
    2022-06-21T21:46:47.597+00:00

    If I get this right, let's work from SQL 2014 SP3 as an example.

    If you are at SQL 2014 SP3 without any CU, there is a GDR you can apply. (Most likely you already have an earlier GDR.)

    If you are at SQL 2014 SP3 CU4 (which was the last CU for SQL 2014), there is a GDR you can apply.

    But would you be on SQL 2014 SP3 CU2, you first need to apply CU4 before you can apply the GDR.

    And should you, God forbid, be on SQL 2014 SP2, you first need to apply SP3, since SQL 2014 SP2 has been out of all support for a long time.

    The corresponding applies to other SQL versions.

    As for the security issue itself, it sounds to me that the attacker would already need to have access to the instance, yes. But not that the attacker could come in through an SQL-injection hole.


  4. CathyJi-MSFT 22,346 Reputation points Microsoft Vendor
    2022-06-22T02:35:08.787+00:00

    Hi @techresearch7777777,

    >Should I apply the latest SQL Server Service Packs and Cumulative Updates first and then download and apply that link's vulnerability patches or something different?

    I suggest using select @@version to check your SQL Server version and build number. Then you can refer to the tables below to apply this patch. And please note the tips that others mentioned.

    Quote from the MS page that you linked:

    There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?

    • First, determine your SQL Server version number. For more information on determining your SQL Server version number, see Microsoft Knowledge Base Article 321185 - How to determine the version, edition, and update level of SQL Server and its components.
    • Second, in the table below, locate your version number or the version range that your version number falls within. The corresponding update is the one you need to install.

    Note If your SQL Server version number is not represented in the table below, your SQL Server version is no longer supported. Please upgrade to the latest Service Pack or SQL Server product in order to apply this and future security updates.
    [Screenshot: the version-range-to-update table from the Microsoft update guide]

    If you are still confused, please share the result of select @@version with us, and then we can give you guidance.



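As an added example (not code from this thread or from Microsoft), the Python script below encodes the three rules the answers give: the build-to-KB table from the accepted answer, Tom Phillips' rule that an instance stays on the GDR or CU servicing path it is already on, and Erland Sommarskog's rule that a CU-path instance must first reach the last CU before the June 2022 update applies. It parses the text returned by `select @@version`; the first fixed build for SQL 2014 SP3 CU4 is not listed in the thread and is left as None, and the sample string is constructed from the accepted answer.

```python
import re

# Matches the start of a SELECT @@version result, e.g.
# "Microsoft SQL Server 2016 (SP2-GDR) (KB4583460) - 13.0.5103.6 (X64) ..."
VERSION_RE = re.compile(
    r"Microsoft SQL Server (?P<year>\d{4}) \((?P<level>[A-Z0-9-]+)\)"
    r"(?: \(KB\d+\))? - (?P<build>\d+(?:\.\d+){3})"
)

# Transcribed from the accepted answer (June 14, 2022 security updates).
# Key: (year, baseline, servicing path) -> (first fixed build, KB, last CU on that path).
# The fixed build for SQL 2014 SP3 CU4 is not given in the thread, hence None.
PATCHES = {
    (2014, "SP3", "CU"):  (None,              "KB5014164", 4),
    (2016, "SP2", "GDR"): ((13, 0, 5108, 50), "KB5014365", None),
    (2016, "SP3", "GDR"): ((13, 0, 6419, 1),  "KB5014355", None),
    (2019, "RTM", "CU"):  ((15, 0, 4236, 7),  "KB5014353", 16),
}

def parse_version(text):
    """Return (year, baseline, path, cu_number, build tuple) from an @@version string."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("unrecognised @@version string")
    tokens = m.group("level").split("-")  # e.g. ["SP3", "CU4", "GDR"]
    cu = next((int(t[2:]) for t in tokens if t.startswith("CU")), None)
    path = "CU" if cu is not None else ("GDR" if "GDR" in tokens else "baseline")
    build = tuple(int(p) for p in m.group("build").split("."))
    return int(m.group("year")), tokens[0], path, cu, build

def recommend(text):
    """Stay on the current servicing path, finish the CU chain first,
    then compare the build against the first fixed build for that path."""
    year, baseline, path, cu, build = parse_version(text)
    # A plain baseline may take either path; the accepted answer points it at the GDR.
    entry = PATCHES.get((year, baseline, "GDR" if path == "baseline" else path))
    if entry is None:
        return "not in the thread's table: move to a supported baseline first"
    fixed, kb, last_cu = entry
    if path == "CU" and last_cu is not None and cu < last_cu:
        return f"apply CU{last_cu} first, then {kb}"  # Erland's ordering rule
    if fixed is not None and build >= fixed:
        return "current: no action needed"
    return f"apply {kb}"

# Constructed sample: the first part of one @@version line quoted in the accepted answer.
SAMPLE = "Microsoft SQL Server 2016 (SP2-GDR) (KB4583460) - 13.0.5103.6 (X64) Nov 1 2020"
```

Running `recommend(SAMPLE)` returns "apply KB5014365"; a 2014 SP3 CU2 string yields "apply CU4 first, then KB5014164", and an unsupported baseline such as 2014 SP2 is flagged for a Service Pack upgrade first.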
