Post reply

SSRS Zero-Day patching?

  • October 15, 2021 at 9:11 pm

    #3941029

    Hello all,

    I've been tasked (rather randomly) with finding out if there is somewhere we can specifically find any Microsoft zero-day patches that would need to be applied to SSRS servers.  Mind you, I don't handle patching of any kind for our servers, so I'm at a bit of a loss as to where I should go.

     

  • October 15, 2021 at 9:17 pm

    #3941030

    SSRS patching has changed since 2017 and it being a separate installer.

    The below is the official doc on when fixes are released etc

    https://docs.microsoft.com/en-us/sql/reporting-services/release-notes-reporting-services?view=sql-server-ver15#sql-server-2019-reporting-services

    However there is no separate exe for the patch like SQL, you download the full SSRS installer again and install over the top.

  • October 15, 2021 at 9:28 pm

    #3941031

    Thanks, Ant-Green!

    Would this link specifically address zero-day patching or is it just the usual monthly/regular patching here?  And we have SQL 2016, which isn't included in this specific link (2017 and later).  (I tried the left menu which shows SQL 2016 but doesn't actually navigate to anything other than 2019 - weird.)

    I found this other link with similar data for 2016 but I'm guessing it's not the same thing (patching); since it changed with 2017.

    https://docs.microsoft.com/en-us/sql/sql-server/sql-server-2016-release-notes?view=sql-server-2016

    It sounds like I'm supposed to be focusing on the zero-day patching, covering patches needing to be applied immediately to fix security issues with SSRS specifically.  Not even sure if that exists, or if it's something that's already covered with some overarching zero-day patching....??

    (Sorry again for my cluelessness, a bit out of my element here).

     

  • October 15, 2021 at 9:52 pm

    #3941036

    Zero day exploits you referring to?

    For that I would look at ZeroDayLab / CyberClan etc to see what’s been reported.

    Never seen Microsoft acknowledge a CVE until after they have issued the fix so people don’t take advantage of it.

    2016 is different, SSRS was still part of the full product then, so all the patch information is part of the usual KB articles.

    Since it split to be a separate thing in 2017 that’s where the new doc came out.

  • October 15, 2021 at 10:25 pm

    #3941041

    You are a veritable font of information, sir.  Thank you.

    I actually feel much more educated on the subject now; I might actually be able to pose an intelligent response on this point.

    Thanks again, much appreciated.

  • October 19, 2021 at 6:23 pm

    #3942099

    I don't know who maintains this list, but it is always up to date.

     

    https://sqlserverbuilds.blogspot.com/

    Michael L John
    If you assassinate a DBA, would you pull a trigger?
    To properly post on a forum:
    http://www.sqlservercentral.com/articles/61537/

Viewing 6 posts - 1 through 5 (of 5 total)

You must be logged in to reply to this topic. Login to reply