KLA50361 Multiple vulnerabilities in Microsoft SQL Server

Multiple vulnerabilities were found in Microsoft SQL Server. Malicious users can exploit these vulnerabilities to execute arbitrary code.

Below is a complete list of vulnerabilities:

1. A remote code execution vulnerability in Microsoft ODBC Driver for SQL Server can be exploited remotely to execute arbitrary code.
2. A remote code execution vulnerability in Microsoft OLE DB can be exploited remotely to execute arbitrary code.
3. A remote code execution vulnerability in Microsoft ODBC and OLE DB can be exploited remotely to execute arbitrary code.

Original advisories

CVE-2023-32027

CVE-2023-32025

CVE-2023-29356

CVE-2023-32028

CVE-2023-32026

CVE-2023-29349

Related products

Microsoft-SQL-Server

Microsoft-Windows

CVE list

CVE-2023-32027 critical

CVE-2023-32025 critical

CVE-2023-29356 critical

CVE-2023-32028 critical

CVE-2023-32026 critical

CVE-2023-29349 critical

KB list

Solution

Update to the latest versionMicrosoft OLE DB Driver 19 for SQL ServerMicrosoft ODBC Driver 17 for SQL Server on WindowsMicrosoft ODBC Driver 18 for SQL Server on Windows

Microsoft OLE DB Driver 18 for SQL Server

Impacts

• ACE

Arbitrary code execution. Exploitation of vulnerabilities with this impact can lead to executing by abuser any code or commands at vulnerable machine or process.

• PE

Privilege escalation. Exploitation of vulnerabilities with this impact can lead to performing by abuser actions, which are normally disallowed for current role.

Affected Products

• Microsoft ODBC Driver 18 for SQL Server on LinuxMicrosoft OLE DB Driver 19 for SQL ServerMicrosoft ODBC Driver 17 for SQL Server on MacOSMicrosoft ODBC Driver 18 for SQL Server on MacOSMicrosoft ODBC Driver 18 for SQL Server on WindowsMicrosoft SQL Server 2019 for x64-based Systems (CU 21)Microsoft OLE DB Driver 18 for SQL ServerMicrosoft ODBC Driver 17 for SQL Server on WindowsMicrosoft SQL Server 2022 for x64-based Systems (CU 5)Microsoft ODBC Driver 17 for SQL Server on Linux