
Announcing SQL Server 2016 and 2017: Patching a Remote Code Execution Vulnerability

5 years ago
Brent Ozar
SQL Server 2016, SQL Server 2017, Updates
9 Comments

Microsoft just unveiled a series of updates to SQL Server 2016 and 2017 to fix CVE-2018-8273:

Executing a specially crafted query involving calculating the difference between values of different date types and aggregation of the results could lead to stack corruption if the query runs in batch mode. Depending on the particular values processed by such a query, this could lead to termination of the SQL Server process or a possibility of remote code execution.

Also:

A buffer overflow vulnerability exists in the Microsoft SQL Server that could allow remote code execution on an affected system. An attacker who successfully exploited this vulnerability could execute code in the context of the SQL Server Database Engine service account… The security update addresses the vulnerability by modifying how the Microsoft SQL Server Database Engine handles objects in memory.

No word on performance impacts yet.

The updates include:

  • 2017 CU9 GDR – 14.0.3035.2 – install this if you’re on the latest 2017, CU9
  • 2017 RTM GDR – 14.0.2000.63 – install this if you’re still on RTM
  • 2017 on Linux – 14.0.3035.2-1 and 14.0.2002.14 depending on your branch
  • 2016 SP2 CU2 GDR – 13.0.5161.0 – install this if you’re on the latest 2016, SP2 CU2 – update: un-released due to bug
  • 2016 SP2 GDR – 13.0.5081.1 – install this if you’re still on SP2
  • 2016 SP1 CU10 GDR – 13.0.4522.0 – install this if you’re still on SP1 CU10
  • 2016 SP1 GDR – 13.0.4223.10 – install this if you’re still on SP1 with no CUs
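To check whether an instance is already on a fixed build, here is an added T-SQL example (not from the post): it reads SERVERPROPERTY('ProductVersion'), works out which branch the instance is on from the build number, and compares it against the fixed builds listed above. The fixed build numbers are the ones in the post; the branch boundaries (BranchLow/BranchHigh) and the @FixedBuilds table name are assumptions based on how 2016 and 2017 build numbers are laid out, so adjust them if your branch differs.

```sql
-- Added example, not from the post: does this instance's build meet the
-- fixed build the post lists for its branch?
DECLARE @ProductVersion nvarchar(128) =
    CAST(SERVERPROPERTY('ProductVersion') AS nvarchar(128));   -- e.g. 13.0.5149.0
DECLARE @Major    int = CAST(PARSENAME(@ProductVersion, 4) AS int);
DECLARE @Build    int = CAST(PARSENAME(@ProductVersion, 2) AS int);
DECLARE @Revision int = CAST(PARSENAME(@ProductVersion, 1) AS int);

-- Fixed builds from the post; BranchLow/BranchHigh (build part, inclusive/exclusive)
-- are assumptions about where each servicing branch starts and ends.
DECLARE @FixedBuilds TABLE (
    Branch     nvarchar(40),
    Major      int,
    BranchLow  int,
    BranchHigh int,
    FixedBuild int,
    FixedRev   int,
    Note       nvarchar(80)
);
INSERT INTO @FixedBuilds VALUES
    (N'2017 CU9 GDR',      14, 3000, 99999, 3035,  2, NULL),
    (N'2017 RTM GDR',      14,    0,  3000, 2000, 63, NULL),
    (N'2016 SP2 CU2 GDR',  13, 5100, 99999, 5161,  0, N'post notes this GDR was un-released due to a bug'),
    (N'2016 SP2 GDR',      13, 5000,  5100, 5081,  1, NULL),
    (N'2016 SP1 CU10 GDR', 13, 4300,  5000, 4522,  0, NULL),
    (N'2016 SP1 GDR',      13, 4000,  4300, 4223, 10, NULL);

-- Match the instance to its branch and compare (build, revision) as a pair.
SELECT
    @ProductVersion AS CurrentBuild,
    fb.Branch,
    CONCAT(fb.Major, '.0.', fb.FixedBuild, '.', fb.FixedRev) AS RequiredBuild,
    CASE WHEN @Build > fb.FixedBuild
           OR (@Build = fb.FixedBuild AND @Revision >= fb.FixedRev)
         THEN 'Patched'
         ELSE 'NOT patched - apply the GDR listed for this branch'
    END AS Status,
    fb.Note
FROM @FixedBuilds AS fb
WHERE fb.Major = @Major
  AND @Build >= fb.BranchLow
  AND @Build <  fb.BranchHigh;

-- Versions or branches the post does not list (e.g. 2016 RTM) fall through here.
IF @@ROWCOUNT = 0
    SELECT @ProductVersion AS CurrentBuild,
           'No fixed build listed in this post for this branch' AS Status;
```

Run it once per instance (or through a central management server). An instance on 2016 SP2 CU1 (13.0.5149.0), for example, lands in the SP2 CU branch and is reported as needing 13.0.5161.0, which matches the answer given in the comments below.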

Comments

  • Michael Orechoff
    August 15, 2018 2:41 pm

    If we are on 2016 SP2 CU1, are we ok? I don't see a patch for SP2 CU1.

    Mike
    • Glenn Berry
      August 15, 2018 2:47 pm

      No, you are not ok from this vulnerability on SQL Server 2016 SP2 CU1. You need 13.0.5161.0 (which will also give you the SP2 CU2 hotfixes).
  • Chris Wood
    August 16, 2018 5:25 pm

    Have you seen the new trace flags turned on by the 2016 SP2 CU version 5161? It’s on twitter.
  • chris tucker
    August 27, 2018 6:02 pm

    If I have SQL Server 2016 CU5, does it still apply? Thanks
    • Brent Ozar
      September 2, 2018 10:45 pm

      Chris – yes, you need the patches described in the post.
  • Jason
    August 27, 2018 8:38 pm

    What version should we be on for SQL Server 2017?
    • Brent Ozar
      September 2, 2018 10:45 pm

      Jason – go ahead and read the post.
  • Martin Guth
    August 28, 2018 6:49 am

    Hi,

    I was hoping to address this question directly to Microsoft. However they do not allow any comments on the Cumulative Update Pages. I am currently running SQL Server 2017 with CU 9 and plan to upgrade to CU 10. Do I have to install the GDR update as well to get the security fixes or are they included in CU 10 as well?

    Thanks for your help

    Martin
    • Brent Ozar
      September 2, 2018 10:44 pm

      Martin – your best bet there would be to post it at a Q&A site like https://dba.stackexchange.com, or open a Microsoft support case.
