Microsoft announced updates today for all supported versions of SQL Server to address a privilege escalation vulnerability (CVE-2021-1636) that leverages Extended Events. Microsoft has not published further details, citing security, but you can expect more information in the near future now that the update is public.
From the knowledge base article:
Data can be sent over a network to an affected Microsoft SQL Server instance that may cause code to run against the SQL Server process if a certain extended event is enabled. See CVE-2021-1636 for detailed information.
Please update your SQL Server instances as soon as possible. Note that today is Patch Tuesday, so you can expect other updates for Microsoft Windows as well as part of a regular monthly update.
EDITED TO ADD: Yes, this affects the Linux and Docker versions as well.
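Before and after applying the update, it helps to record each instance's build and which Extended Event sessions are actually running, since the KB ties the issue to "a certain extended event" being enabled. The following T-SQL is an added example for this post, not Microsoft's code or anything from the KB; it assumes a login with VIEW SERVER STATE (needed for the DMVs) and makes no claim about which event is the affected one or which build numbers contain the fix, so compare the first result set against the KB's fixed-build list yourself.

```sql
-- Added example (not from the original post or from Microsoft's KB):
-- inventory queries to run on each SQL Server instance before and after patching.

-- 1. Build, service pack and cumulative update level, to compare against the
--    fixed builds listed in the KB article.
SELECT
    SERVERPROPERTY('ProductVersion')     AS product_version,      -- e.g. 15.0.xxxx.x on SQL 2019
    SERVERPROPERTY('ProductLevel')       AS product_level,        -- RTM or SPn
    SERVERPROPERTY('ProductUpdateLevel') AS product_update_level, -- CUn; NULL on builds predating this property
    SERVERPROPERTY('Edition')            AS edition,
    @@VERSION                            AS version_string;

-- 2. Every Extended Event session defined on the server, whether it starts with
--    the service, and whether it is running right now. system_health (and
--    AlwaysOn_health on AG instances) exist by default, so expect at least one row.
SELECT
    s.name,
    s.startup_state,                                   -- 1 = auto-starts with the service
    CASE WHEN r.name IS NULL THEN 0 ELSE 1 END AS is_running
FROM sys.server_event_sessions AS s
LEFT JOIN sys.dm_xe_sessions AS r
       ON r.name = s.name
ORDER BY s.name;

-- 3. Which events each *running* session has enabled: this is the list to keep
--    for review, since the KB says the problem needs a specific event enabled.
SELECT
    r.name       AS session_name,
    p.name       AS package_name,
    e.event_name AS event_name
FROM sys.dm_xe_sessions AS r
JOIN sys.dm_xe_session_events AS e
  ON e.event_session_address = r.address
JOIN sys.dm_xe_packages AS p
  ON p.guid = e.event_package_guid
ORDER BY r.name, p.name, e.event_name;
```

Run it from a central job or a multi-server query so you get one snapshot per instance; the third result set is the one worth keeping, because once Microsoft or a researcher names the event, you can grep your saved output rather than re-survey every server.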
Photo credit: John Salvino.
This is an interesting problem as it might go back all the way to SQL 2008, when Extended Events were first added. I suggest this because they issued fixes for all the currently supported versions of SQL (2012 through 2019). The bulletin doesn’t show any acknowledgment, so I am thinking it was found internally.
Eventually somebody will discover what causes this and we will have more information about the issue.
Hi, what if you have installed CU10 on your SQL 2019 instance? How do you install this security update? It is not part of CU10.
The security update is included in newer cumulative updates.