Microsoft just unveiled a series of updates to SQL Server 2016 and 2017 to fix CVE-2018-8273:
Executing a specially crafted query involving calculating difference between values of different date types and aggregation of the results, could lead to stack corruption, if the query runs in batch mode. Depending on particular values processed by such query, this could lead to terminating the SQL Server process, or a possibility of remote code execution.
Also:
A buffer overflow vulnerability exists in the Microsoft SQL Server that could allow remote code execution on an affected system. An attacker who successfully exploited this vulnerability could execute code in the context of the SQL Server Database Engine service account…. The security update addresses the vulnerability by modifying how the Microsoft SQL Server Database Engine handles objects in memory.
No word on performance impacts yet.
The updates include:
- 2017 CU9 GDR – 14.0.3035.2 – install this if you’re on the latest 2017, CU9
- 2017 RTM GDR – 14.0.2000.63 – install this if you’re still on RTM
- 2017 on Linux – 14.0.3035.2-1 and 14.0.2002.14 depending on your branch
- 2016 SP2 CU2 GDR – 13.0.5161.0 – install this if you’re on the latest 2016, SP2 CU2 – update: un-released due to bug
- 2016 SP2 GDR – 13.0.5081.1 – install this if you’re still on SP2
- 2016 SP1 CU10 GDR – 13.0.4522.0 – install this if you’re still on SP1 CU10
- 2016 SP1 GDR – 13.0.4223.10 – install this if you’re still on SP1 with no CUs
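If you manage more than a couple of instances, the useful question is “which branch is this server on, and is its build at or above the GDR build for that branch?” The script below is an added example (not from the post or from Microsoft) that does exactly that for a version string taken from `SELECT SERVERPROPERTY('ProductVersion')`. The required builds are the ones listed above; the branch boundaries (where RTM/SP GDR builds end and CU builds begin) are my assumption about Microsoft’s build numbering, not something the post states.

```python
"""Check a SQL Server ProductVersion against the GDR builds listed in the post."""
from typing import NamedTuple, Optional

class Branch(NamedTuple):
    name: str
    lo: tuple        # first build of this branch (inclusive) - assumed boundary
    hi: tuple        # first build of the next branch (exclusive) - assumed boundary
    required: tuple  # GDR build from the post that carries the CVE-2018-8273 fix

# Boundaries assume GDR builds are numbered below CU builds within one release;
# the 'required' builds are copied from the post.
BRANCHES = [
    Branch("2017 RTM GDR",      (14, 0, 1000, 0), (14, 0, 3000, 0), (14, 0, 2000, 63)),
    Branch("2017 CU9 GDR",      (14, 0, 3000, 0), (14, 1, 0, 0),    (14, 0, 3035, 2)),
    Branch("2016 SP1 GDR",      (13, 0, 4000, 0), (13, 0, 4400, 0), (13, 0, 4223, 10)),
    Branch("2016 SP1 CU10 GDR", (13, 0, 4400, 0), (13, 0, 5000, 0), (13, 0, 4522, 0)),
    Branch("2016 SP2 GDR",      (13, 0, 5000, 0), (13, 0, 5100, 0), (13, 0, 5081, 1)),
    # Listed in the post but noted there as un-released at the time of writing.
    Branch("2016 SP2 CU2 GDR",  (13, 0, 5100, 0), (13, 1, 0, 0),    (13, 0, 5161, 0)),
]

def parse_build(version: str) -> tuple:
    """Turn '14.0.3030.27' (SERVERPROPERTY('ProductVersion')) into a comparable tuple."""
    parts = [int(p) for p in version.strip().split(".")]
    if len(parts) != 4:
        raise ValueError(f"unexpected version string: {version!r}")
    return tuple(parts)

def check_build(version: str) -> Optional[dict]:
    """Return branch name, patched flag and required build; None if the post lists no GDR."""
    build = parse_build(version)
    for b in BRANCHES:
        if b.lo <= build < b.hi:
            return {
                "branch": b.name,
                "patched": build >= b.required,
                "required": ".".join(map(str, b.required)),
            }
    return None  # e.g. 2016 RTM before SP1, or 2014/2012: not covered by this post

if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = [("sql01", "14.0.3030.27"), ("sql02", "13.0.5149.0"), ("sql03", "13.0.4522.0")]
    for host, ver in inventory:
        print(host, ver, check_build(ver))
```

A `None` result means the instance is on a branch the post does not cover, which is worth flagging separately rather than treating as patched.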
If we are on 2016 SP2 CU1, are we ok? I don’t see a patch for SP2 CU1.
Mike
No, you are not ok from this vulnerability on SQL Server 2016 SP2 CU1. You need 13.0.5161.0 (which will also give you the SP2 CU2 hotfixes).
Have you seen the new trace flags turned on by the 2016 SP2 CU version 5161? It’s on twitter.
If I have SQL Server 2016 CU5, does it still apply? Thanks
Chris – yes, you need the patches described in the post.
What version should we be on for SQL Server 2017?
Jason – go ahead and read the post.
Hi,
I was hoping to address this question directly to Microsoft. However they do not allow any comments on the Cumulative Update Pages. I am currently running SQL Server 2017 with CU 9 and plan to upgrade to CU 10. Do I have to install the GDR update as well to get the security fixes or are they included in CU 10 as well?
Thanks for your help
Martin
Martin – your best bet there would be to post it at a Q&A site like https://dba.stackexchange.com, or open a Microsoft support case.