Vulnerability for ODBC driver 13

  • ODBC driver 13 has been highlighted as having a vulnerability, and we have been advised to upgrade this to the latest version on our database server running SQL Server 2016 (SP3-GDR).

    There is apparently no recent version available for version 13. We already have ODBC driver 17.10.4.1 and ODBC driver 18.2.2.1 installed, so we duly uninstalled ODBC driver 13.3.6430.49 from the server.

    A "Microsoft ODBC driver 13 for SQL Server" warning popped up highlighting that the SQL Server Agent service was dependent on this driver version. And as expected, after uninstalling ODBC driver 13, the SQL Server Agent service refused to start.

    We have only been able to obtain ODBC driver 13.0.811.168 from the Microsoft website, so now our driver is even more out of date! On a different server running the same build of SQL Server 2016, it lists ODBC Driver 13 as being version 14.0.1000.169, and this has not been flagged as a vulnerable version, but we cannot find anywhere to download this version from!

    So the question is, how do we resolve this vulnerability without breaking the SQL Server Agent service? Why is the SQL Server Agent service on our machine still dependent on ODBC driver 13 when drivers 17 and 18 are available? Where can we obtain ODBC Driver 13 build 14.0.1000.169 from?

    • This topic was modified 1 year, 4 months ago by  zoggling.
  • ODBC driver versions up to 18.2 are listed as compatible w/ SQL Server 2016. Can you move to a newer ODBC driver?

    I assume you were referring to using ODBC in a SQL Server Agent job? Could your prior issues w/ SQL Server Agent have been related to using 32 bit driver w/ 64 bit server?

  • Thank you for your reply.

    As per the above and attached, we already have ODBC driver 17.10.4.1 and ODBC driver 18.2.2.1 installed. We don't understand the dependency that the SQL Server Agent service has on the ODBC driver 13.

    If we uninstall it, we cannot start the SQL Server Agent service!

    We are not referring to the use of ODBC in a job.

    We have installed the 64-bit driver for ODBC driver 18.2.2.1.

  • Try checking the ODBC data sources with odbcad32.exe. The 64-bit one will be in System32 and the 32-bit one will be in SysWOW64.

    The ODBC data sources might be referenced by the agent.

  • Thank you. The User and System Data Source tabs are empty, in both the 32-bit and 64-bit ODBC Data Source Administrators. Should they be?

  • The redistributable installer for Microsoft ODBC Driver 18 for SQL Server installs the client components, which are required during run time to take advantage of newer SQL Server features (SSIS, R objects, etc).

    This could be the reason the SQL Server Agent service is not starting if SSIS, R objects, and other components were installed, and the ODBC driver was removed. You may consider running a repair on the SQL Server installation.

    DBASupport

  • If you can image this machine, I'd try the repair there first.

  • We have tried the repair option, and all it did was to re-install the ODBC version 13 driver!

    After uninstalling the ODBC version 13 driver again, the SQL Server Agent service again refused to start up, despite the ODBC version 17 and 18 drivers being available.

    These are the reasons why it apparently needs to be removed:

    CVE-2023-28304

    CVE-2023-23375

    Any ideas on how we can remove the driver and be compliant without breaking SQL Server? We are experiencing the same issue across multiple servers hosting SQL Server 2016 instances.

  • So I downloaded from here: https://www.microsoft.com/EN-US/DOWNLOAD/confirmation.aspx?id=50420

    That didn't install as it says it's not newer than my current version, which is 2017.10.xx something. I think I got this from installing SQL Server 2017.

    Is it possible to replace the dll from a newer machine?

  • I would really ignore that - it is one of those vulnerabilities that require a USER to open a supplied third party file (specially crafted to abuse the vulnerability) on the server.

    AND... quote from the CVE

    We recommend that customers who are running ODBC versions 11 and 13 as part of an application outside of a SQL Server installation update to ODBC versions 17 or above or OLE DB versions 18 or above, which provide protection against this vulnerability. ODBC and OLE DB driver installations that are part of a supported SQL Server installation will be updated via SQL Server cumulative updates or general distribution release updates.

  • This vulnerability is categorised as "Important" by Microsoft. Surely this needs to be addressed as a priority?

    What installer would have created these ODBC DLLs? We have a few servers where the SQL Server 2016 builds are exactly the same (13.0.6430.49), but on some of the servers the ODBC version 13 drivers are 13.0.811.168 (i.e. vulnerable) and on others they are 14.0.1000.169 (i.e. not vulnerable). So we feel less confident that a future CU will address this.

    We have not installed SQL Server 2017 anywhere, and would rather not have to just for the ODBC driver if we can avoid it!

    Is there anywhere we can download version 14.0.1000.169 of the "Microsoft ODBC Driver 13 for SQL Server"? The latest version on the Microsoft website is out of date!

  • I sent a note to MS on the MVP list to see if anyone has a link.

  • That's very helpful, thank you

  • From another MVP, they want you to verify with the DLL that it's version 14.xx

    Their advice is upgrade SQL Server if this vulnerability is an issue. I haven't heard from MS proper yet.
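
A way to do that check on the server itself, added here as an example and not taken from any post in this thread: the PowerShell script below reads the ODBC driver registrations from both the 64-bit and 32-bit registry hives, reports the on-disk file version of each driver DLL (the "14.xx" the MVP asks about is the DLL's file version, a different number from the "13" in the driver name), lists any System DSNs, and, if SQL Server Agent is currently running, shows which ODBC driver module SQLAGENT.EXE has actually loaded. It assumes it is run in an elevated 64-bit PowerShell session on the database server; the "17 or above" threshold is taken from the Microsoft guidance quoted earlier in the thread, and SQLAGENT is assumed to be the Agent process name.

```powershell
# Added example (not from this thread): inventory SQL Server ODBC drivers on this host,
# show each driver DLL's file version, list System DSNs, and show which driver DLL a
# running SQLAGENT.EXE has loaded.
# Assumptions: elevated 64-bit PowerShell on the SQL Server host; the "17 or above"
# threshold comes from the Microsoft guidance quoted in the thread; SQLAGENT is the
# Agent process name.

$hives = [ordered]@{
    '64-bit' = 'HKLM:\SOFTWARE\ODBC\ODBCINST.INI'
    '32-bit' = 'HKLM:\SOFTWARE\WOW6432Node\ODBC\ODBCINST.INI'
}

$report = foreach ($platform in $hives.Keys) {
    $root    = $hives[$platform]
    $listKey = Join-Path $root 'ODBC Drivers'   # one value per registered driver: <name> = Installed
    if (-not (Test-Path $listKey)) { continue }

    $names = (Get-Item $listKey).GetValueNames() | Where-Object { $_ -like '*SQL Server*' }
    foreach ($name in $names) {
        $dll = (Get-ItemProperty -Path (Join-Path $root $name) -ErrorAction SilentlyContinue).Driver
        if (-not $dll) { continue }
        $dll    = [Environment]::ExpandEnvironmentVariables($dll)
        $exists = Test-Path -LiteralPath $dll
        $fileVersion = if ($exists) { (Get-Item -LiteralPath $dll).VersionInfo.FileVersion } else { '<missing>' }

        # The advisory speaks in terms of the driver *name* (11/13 vs 17/18); the DLL's
        # file version is a separate number, which is the 13.0.811 vs 14.0.1000 confusion.
        $major = if ($name -match 'ODBC Driver (\d+)') { [int]$Matches[1] } else { $null }

        [pscustomobject]@{
            Platform    = $platform
            Driver      = $name
            DllPath     = $dll
            FileVersion = $fileVersion
            NeedsReview = ($null -ne $major -and $major -lt 17)
        }
    }
}
$report | Sort-Object Platform, Driver | Format-Table -AutoSize

# System DSNs live in ODBC.INI beside the driver list; an empty result here matches the
# empty tabs the original poster saw in odbcad32.exe.
foreach ($platform in $hives.Keys) {
    $dsnKey = $hives[$platform] -replace 'ODBCINST\.INI$', 'ODBC.INI\ODBC Data Sources'
    $dsns   = if (Test-Path $dsnKey) { (Get-Item $dsnKey).GetValueNames() } else { @() }
    '{0} System DSNs: {1}' -f $platform, $(if ($dsns) { $dsns -join ', ' } else { '<none>' })
}

# Which driver DLL the Agent actually has loaded (only meaningful while it is running).
$agent = Get-Process -Name SQLAGENT -ErrorAction SilentlyContinue
if ($agent) {
    $agent.Modules |
        Where-Object { $_.ModuleName -match '^(msodbcsql|sqlncli)' } |
        Select-Object ModuleName, FileName, @{ n = 'FileVersion'; e = { $_.FileVersionInfo.FileVersion } } |
        Format-Table -AutoSize
} else {
    'SQL Server Agent is not running; start it and re-run to see which driver DLL it loads.'
}
```

Run it once with ODBC Driver 13 still installed and the Agent running: the last table tells you directly whether SQLAGENT.EXE is loading msodbcsql13.dll, and the first table shows the file version your scanner is comparing against. `Get-OdbcDriver -Platform 64-bit` gives the same driver inventory as the registry walk if you prefer the cmdlet.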

  • Please see re-attached image showing 14.xx.

    What version would they recommend upgrading SQL Server to? We're on the latest build for SQL Server 2016, which is still in support until 2026.


Viewing 15 posts - 1 through 15 (of 41 total)
