Microsoft just unveiled a series of updates to SQL Server 2016 and 2017 to fix CVE-2018-8273:
Executing a specially crafted query involving calculating difference between values of different date types and aggregation of the results, could lead to stack corruption, if the query runs in batch mode. Depending on particular values processed by such query, this could lead to terminating the SQL Server process, or a possibility of remote code execution.
A buffer overflow vulnerability exists in the Microsoft SQL Server that could allow remote code execution on an affected system. An attacker who successfully exploited this vulnerability could execute code in the context of the SQL Server Database Engine service account…. The security update addresses the vulnerability by modifying how the Microsoft SQL Server Database Engine handles objects in memory.
No word on performance impacts yet.
The updates include:
- 2017 CU9 GDR – 14.0.3035.2 – install this if you’re on the latest 2017, CU9
- 2017 RTM GDR – 14.0.2000.63 – install this if you’re still on RTM
- 2017 on Linux – 14.0.3035.2-1 and 14.0.2002.14 depending on your branch
- 2016 SP2 CU2 GDR – 13.0.5161.0 – install this if you’re on the latest 2016, SP2 CU2 – update: un-released due to bug
- 2016 SP2 GDR – 13.0.5081.1 – install this if you’re still on SP2
- 2016 SP1 CU10 GDR – 13.0.4522.0 – install this if you’re still on SP1 CU10
- 2016 SP1 GDR – 13.0.4223.10 – install this if you’re still on SP1 with no CUs