ODBC driver 13 has been highlighted as having a vulnerability, and we have been advised to upgrade this to the latest version on our database server running SQL Server 2016 (SP3-GDR).
There is apparently no recent version available for version 13. We already have ODBC driver 17.10.4.1 and ODBC driver 18.2.2.1 installed, so we duly uninstalled ODBC driver 13.3.6430.49 from the server.
A "Microsoft ODBC driver 13 for SQL Server" warning popped up highlighting that the SQL Server Agent service was dependent on this driver version. And as expected, after uninstalling ODBC driver 13, the SQL Server Agent service refused to start.
We have only been able to obtain ODBC driver 13.0.811.168 from the Microsoft website, so now our driver is even more out of date! On a different server running the same build of SQL Server 2016, it lists ODBC Driver 13 as being version 14.0.1000.169, and this has not been flagged as a vulnerable version, but we cannot find anywhere to download this version from!
So the question is, how do we resolve this vulnerability without breaking the SQL Server Agent service? Why is the SQL Server Agent service on our machine still dependent on ODBC driver 13 when drivers 17 and 18 are available? Where can we obtain ODBC Driver 13 build 14.0.1000.169 from?
July 11, 2023 at 1:52 pm
ODBC driver versions up to 18.2 are listed as compatible w/ SQL Server 2016. Can you move to a newer ODBC driver?
I assume you were referring to using ODBC in a SQL Server Agent job? Could your prior issues w/ SQL Server Agent have been related to using 32 bit driver w/ 64 bit server?
July 11, 2023 at 2:14 pm
Thank you for your reply.
As per the above and attached, we already have ODBC driver 17.10.4.1 and ODBC driver 18.2.2.1 installed. We don't understand the dependency that the SQL Server Agent service has on the ODBC driver 13.
If we uninstall it, we cannot start the SQL Server Agent service!
We are not referring to the use of ODBC in a job.
We have installed the 64-bit driver for ODBC driver 18.2.2.1.
July 11, 2023 at 6:32 pm
Try checking the ODBC data sources with odbcad32.exe. The 64-bit one will be in System32 and the 32-bit one will be in SysWOW64.
The ODBC data sources might be referenced by the agent.
July 13, 2023 at 9:09 am
The redistributable installer for Microsoft ODBC Driver 18 for SQL Server installs the client components, which are required during run time to take advantage of newer SQL Server features (SSIS, R objects, etc).
This could be the reason the SQL Server Agent service is not starting if SSIS, R objects, and other components were installed, and the ODBC driver was removed. You may consider running a repair on the SQL Server installation.
DBASupport
July 13, 2023 at 5:43 pm
If you can image this machine, I'd try the repair there first.
July 17, 2023 at 9:51 am
We have tried the repair option, and all it did was to re-install the ODBC version 13 driver!
After uninstalling the ODBC version 13 driver again, the SQL Server Agent service again refused to start up, despite the ODBC version 17 and 18 drivers being available.
These are the reasons why it apparently needs to be removed:
Any ideas on how we can remove the driver and be compliant without breaking SQL Server? We are experiencing the same issue across multiple servers hosting SQL Server 2016 instances.
July 17, 2023 at 1:52 pm
So I downloaded from here: https://www.microsoft.com/EN-US/DOWNLOAD/confirmation.aspx?id=50420
That didn't install as it says it's not newer than my current version, which is 2017.10.xx something. I think I got this from installing SQL Server 2017.
Is it possible to replace the dll from a newer machine?
July 17, 2023 at 2:22 pm
I would really ignore that - it is one of those vulnerabilities that require a USER to open a supplied third party file (specially crafted to abuse the vulnerability) on the server.
AND... quote from the CVE
We recommend that customers who are running ODBC versions 11 and 13 as part of an application outside of a SQL Server installation update to ODBC versions 17 or above or OLE DB versions 18 or above, which provide protection against this vulnerability. ODBC and OLE DB driver installations that are part of a supported SQL Server installation will be updated via SQL Server cumulative updates or general distribution release updates.
July 18, 2023 at 3:10 pm
This vulnerability is categorised as "Important" by Microsoft. Surely this needs to be addressed as a priority?
What installer would have created these ODBC DLLs? We have a few servers where the SQL Server 2016 builds are exactly the same (13.0.6430.49), but on some of the servers the ODBC version 13 drivers are 13.0.811.168 (i.e. vulnerable) and on others they are 14.0.1000.169 (i.e. not vulnerable). So we feel less confident that a future CU will address this.
We have not installed SQL Server 2017 anywhere, and would rather not have to just for the ODBC driver if we can avoid it!
Is there anywhere we can download version 14.0.1000.169 of the "Microsoft ODBC Driver 13 for SQL Server"? The latest version on the Microsoft website is out of date!
July 19, 2023 at 6:28 pm
I sent a note to MS on the MVP list to see if anyone has a link.
July 20, 2023 at 7:23 am
That's very helpful, thank you
July 20, 2023 at 3:12 pm
From another MVP, they want you to verify with the DLL that it's version 14.xx
Their advice is to upgrade SQL Server if this vulnerability is an issue. I haven't heard from MS proper yet.
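The two checks suggested in this thread (looking at the 64-bit and 32-bit ODBC views that odbcad32.exe shows from System32 and SysWOW64, and verifying the version of the driver DLL itself) can be done in one pass from PowerShell. The script below is an added example, not code posted by anyone in the thread; it assumes the standard ODBC registry layout under HKLM:\SOFTWARE\ODBC\ODBCINST.INI (with the 32-bit view under WOW6432Node) and reads the FileVersion stamped on each driver DLL, which is the value to compare against the advisory (the thread's 13.0.811.168 vs 14.0.1000.169). It also lists which system DSNs reference each driver, so a driver that is still in use shows up before it is uninstalled.

```powershell
# Added example (not from the thread): inventory the ODBC drivers registered in
# the 64-bit and 32-bit registry views, read each driver DLL's file version,
# and list the system DSNs that reference it. Run from an elevated prompt.
# Assumption: standard ODBC registry layout; 32-bit view under WOW6432Node.

function Get-OdbcDriverInventory {
    param(
        [string]$NameFilter = 'SQL Server'   # substring match on the driver name
    )
    $views = @(
        @{ Platform = '64-bit'
           Inst     = 'HKLM:\SOFTWARE\ODBC\ODBCINST.INI'
           Ini      = 'HKLM:\SOFTWARE\ODBC\ODBC.INI' },
        @{ Platform = '32-bit'
           Inst     = 'HKLM:\SOFTWARE\WOW6432Node\ODBC\ODBCINST.INI'
           Ini      = 'HKLM:\SOFTWARE\WOW6432Node\ODBC\ODBC.INI' }
    )
    foreach ($v in $views) {
        $driversKey = Join-Path $v.Inst 'ODBC Drivers'
        if (-not (Test-Path $driversKey)) { continue }
        $installed = Get-ItemProperty -Path $driversKey

        # System DSNs in this view: value name = DSN name, value data = driver name
        $dsnKey = Join-Path $v.Ini 'ODBC Data Sources'
        $dsns = if (Test-Path $dsnKey) { Get-ItemProperty -Path $dsnKey } else { $null }

        foreach ($prop in $installed.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }        # skip PowerShell metadata props
            if ($prop.Value -ne 'Installed') { continue }
            if ($prop.Name -notlike "*$NameFilter*") { continue }

            $driverName = $prop.Name
            $driverKey  = Join-Path $v.Inst $driverName
            $dllPath    = (Get-ItemProperty -Path $driverKey -ErrorAction SilentlyContinue).Driver

            # FileVersion is the value shown on the DLL's Details tab in Explorer
            $fileVersion = $null
            if ($dllPath -and (Test-Path $dllPath)) {
                $fileVersion = (Get-Item $dllPath).VersionInfo.FileVersion
            }

            $usedBy = @()
            if ($dsns) {
                $usedBy = $dsns.PSObject.Properties |
                    Where-Object { $_.Name -notlike 'PS*' -and $_.Value -eq $driverName } |
                    ForEach-Object { $_.Name }
            }

            [pscustomobject]@{
                Platform    = $v.Platform
                Driver      = $driverName
                DllPath     = $dllPath
                FileVersion = $fileVersion
                SystemDSNs  = ($usedBy -join ', ')
            }
        }
    }
}

# Show every SQL Server ODBC driver in both views with its DLL version and DSN usage
Get-OdbcDriverInventory | Format-Table -AutoSize
```

On Windows Server 2012 and later the built-in Get-OdbcDriver -Platform '32-bit' / '64-bit' and Get-OdbcDsn cmdlets give the same driver and DSN listing; the registry walk above is used here only so that the DLL path can be resolved and its FileVersion read in the same step, which is what distinguishes the 13.0.811.168 and 14.0.1000.169 builds discussed in this thread even though both register under the same "ODBC Driver 13 for SQL Server" name.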
July 21, 2023 at 9:37 am
Please see re-attached image showing 14.xx.
What version would they recommend upgrading SQL Server to? We're on the latest build for SQL Server 2016, which is still in support until 2026.