Update: Hotfixes released for ODBC and OLE DB drivers for SQL Server

1

We use Qualys and we have all of our Windows 10 machines reporting that this is relevant for all of our machines. Does Bigfix plan on releasing fixlets for this?

Thanks,
Scott

From Qualys:
Microsoft SQL Server, ODBC and OLE DB Driver for SQL Server Remote Code Execution (RCE) Vulnerabilities for June 2023

HKLM\SOFTWARE\Microsoft\Microsoft ODBC Driver 17 for SQL Server\CurrentVersion Version = 17.5.2.1 HKLM\SOFTWARE\Microsoft\Microsoft OLE DB Driver for SQL Server\CurrentVersion Version = 18.3.0.0 HKLM\SOFTWARE\WOW6432Node\Microsoft\Microsoft ODBC Driver 17 for SQL Server\CurrentVersion Version = 17.5.2.1 HKLM\SOFTWARE\WOW6432Node\Microsoft\Microsoft OLE DB Driver for SQL Server\CurrentVersion Version = 18.3.0.0

Customers are advised to refer to CVE-2023-32027, CVE-2023-32025, CVE-2023-32026, CVE-2023-29356, CVE-2023-32028, and CVE-2023-29349 for more information regarding the vulnerabilities and their patches.
Patch:
Following are links for downloading patches to fix the vulnerabilities:
CVE-2023-32027
CVE-2023-32025
CVE-2023-29349
CVE-2023-29356
CVE-2023-32028
CVE-2023-32026

2

Just to acknowledge the message, checking internally and will let you know what I find.

3

Thanks Jason appreciate it!

Scott

4

I’m afraid the news is not great. Traditionally our Patch team has not handled ODBC/OLEDB hotfixes and I don’t anticipate publishing these any time soon.

1 Like
5

Thanks for looking into this Jason… I went ahead and just made them myself.

Thanks,
Scott

6

Sorry I don’t mean to hijack this thread with a somewhat related question.

Not familiar with installing ODBC drivers, but is it just a matter of running the installer on both my root server and on my 2016 SQL server?

Any reconfiguration that needs to be done to the 32/64 bit ODBC configuration on the root server?]

Thanks.

7

The fixes aren’t specific to BigFix, they’re for any product using ODBC configurations, so these are likely applicable on other systems besides the root servers.
For BigFix, there’s no ODBC configuration changes required aside from installing the updates.