In today’s KB 4583468 and CVE-2021-1636, Microsoft is fixing vulnerabilities in Extended Events that “may cause code to run against the SQL Server process if a certain extended event is enabled.” I, for one, throw 100% of the blame on Team Profiler, who surely hacked SQL Server in an effort to discredit Team XE.
Tons of patching to do here:
- SQL Server 2019 CU8 GDR
- SQL Server 2017 CU22 GDR
- SQL Server 2016 SP2 CU15 GDR
- SQL Server 2014 SP3 CU4 GDR
And there are GDRs for other patch levels too, like if you’re on 2016 but not on SP2 yet.
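Before you go hunting for the right download, it helps to know exactly which branch each instance is on. The T-SQL below is an added example, not part of the original post: it reads the documented SERVERPROPERTY values and maps them onto the four CU branches listed above. The branch names are copied from the post; no fixed build numbers are assumed, so for any other patch level it simply points you back at KB 4583468 for the matching GDR.

```sql
-- Added example (not from the original post): inventory the patch level of
-- this instance and say which of the GDR branches listed above applies.
-- ProductMajorVersion: 15 = SQL Server 2019, 14 = 2017, 13 = 2016, 12 = 2014.
-- ProductLevel is the service pack (RTM, SP2, SP3 ...); ProductUpdateLevel is
-- the cumulative update (CU8, CU22 ...) and is blank on GDR-only branches.
;WITH v AS (
    SELECT
        CAST(SERVERPROPERTY('MachineName')         AS nvarchar(128)) AS machine_name,
        CAST(SERVERPROPERTY('InstanceName')        AS nvarchar(128)) AS instance_name,
        CAST(SERVERPROPERTY('ProductMajorVersion') AS int)           AS major_version,
        CAST(SERVERPROPERTY('ProductLevel')        AS nvarchar(128)) AS service_pack,
        CAST(SERVERPROPERTY('ProductUpdateLevel')  AS nvarchar(128)) AS cumulative_update,
        CAST(SERVERPROPERTY('ProductVersion')      AS nvarchar(128)) AS build
)
SELECT
    machine_name,
    instance_name,
    major_version,
    service_pack,
    cumulative_update,
    build,
    CASE
        WHEN major_version = 15 AND cumulative_update = N'CU8'
            THEN N'SQL Server 2019 CU8 GDR'
        WHEN major_version = 14 AND cumulative_update = N'CU22'
            THEN N'SQL Server 2017 CU22 GDR'
        WHEN major_version = 13 AND service_pack = N'SP2' AND cumulative_update = N'CU15'
            THEN N'SQL Server 2016 SP2 CU15 GDR'
        WHEN major_version = 12 AND service_pack = N'SP3' AND cumulative_update = N'CU4'
            THEN N'SQL Server 2014 SP3 CU4 GDR'
        WHEN major_version IN (12, 13, 14, 15)
            THEN N'Affected major version on a different patch level: see KB 4583468 for the matching GDR'
        ELSE N'Major version not among those listed in the post'
    END AS gdr_to_apply
FROM v;
```

Run it against each instance (a central management server or a multi-server query makes this quick), and keep the `build` column from before and after patching: the GDR bumps the build number, and that difference is the simplest evidence that the update actually landed on a given instance.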
Update: it’s distributed via Windows Update, too.