July 30, 2023 at 9:05 pm
Has there please been any response from Microsoft, or the MVP?
July 31, 2023 at 3:21 pm
No, I'll kick the thread.
July 31, 2023 at 5:08 pm
Not sure that helps. I think debugging why SQL Agent won't start is likely the best case here. I don't quite know what's wrong, but I'd dig into the Agent log and perhaps open an MS call about that.
July 31, 2023 at 9:48 pm
Last update: Instructions in CVE-2023-21704 state that the update can be obtained through the February GDR update.
From MS engineering. I assume for your 2016 server there was a Feb GDR that applies? From our build list (https://www.sqlservercentral.com/articles/sql-server-2016-build-list), I assume this is https://support.microsoft.com/help/5021129
August 1, 2023 at 8:20 am
All of our SQL Server 2016 instances are already on that latest build - Microsoft SQL Server 2016 (SP3-GDR) (KB5021129) - 13.0.6430.49 (X64).
We reviewed the SQL Server Agent error log and Event Viewer application logs at the time, but there was nothing in them to indicate why the SQL Server Agent service would not start up again afterwards with the ODBC driver 13 being unavailable (despite ODBC drivers 17 and 18 being present).
Thank you for the ODBC driver 13.1 link. I have now installed this and it requested that the instance Agent services be shut down for the installation. I will let the vulnerability scan run overnight, but I may not be able to report back until next week when the InfoSec contact is available to review the scan results. Will update in due course, but I suspect it will not resolve the issue as the vulnerability is apparently with all version 13 drivers.
August 10, 2023 at 11:30 am
We have the exact same problem. SQL Server 2016 Agent service requires ODBC 13. Uninstalling causes the SQL Server Agent to malfunction because it simply refuses to start, regardless of which ODBC drivers are or have been installed on the system.
Hopefully Microsoft will soon deliver a hotfix that fixes the vulnerability in ODBC 13.
August 10, 2023 at 4:43 pm
No hotfixes are coming for ODBC13. The guidance is to move to 17 or install the GDR update.
If you still are worried, I'd open a support case and dig into why Agent won't start.
August 14, 2023 at 9:59 am
We already have ODBC drivers 17 and 18 as per the above. But SQL Server 2016 highlights a dependency on ODBC driver 13, which has a high-severity vulnerability identified (see attached), and no available updated driver to upgrade it to. The Microsoft CVE links just tell you to replace ODBC driver 13 with versions 17 or 18, which then stops the SQL Server Agent from working!
This is a massive fail on the part of Microsoft. Presumably every SQL Server 2016 instance across the globe has the same live high-severity vulnerability right now, with no means of being able to resolve it.
Is there anyone from Microsoft who can comment ASAP please?
August 14, 2023 at 10:29 am
Raising a support ticket with MSFT is your best way to get this resolved, I'm afraid.
They will need to do some sort of engineering fix to make the agent compatible with a later ODBC driver.
Only way you will get an engineering request is to have an official support ticket open with them.
August 15, 2023 at 2:53 pm
Is there any way to raise this with Microsoft without having to purchase a £199 single incident (Business hours support) support plan?
I don't see why we should be out of pocket just to highlight a bug that Microsoft themselves need to fix to address their own security vulnerability.
Is anyone with an existing support plan please able to raise this on behalf of the wider community?
August 16, 2023 at 9:04 pm
Dealing with the same issue here.
Microsoft mentioned "ODBC and OLE DB driver installations that are part of a supported SQL Server installation will be updated via SQL Server cumulative updates or general distribution release updates." This is the February 14, 2023 CVE-2023-23375 which came up with KB5021129. Despite this update, Qualys scans SQL 2016 servers as RCE vulnerable. If you uninstall Driver 13 then SQL agent won't start.
August 17, 2023 at 1:39 pm
Is there anyone from Microsoft who can please add this to the bug list as a high priority?
August 17, 2023 at 3:13 pm
There isn't anyone from Microsoft that will do this. The $199 is for support, but if this is a bug, they will refund the money. That's been their policy because many people think there are bugs, but they haven't actually done the research or found an issue. They aren't always following the docs.
September 7, 2023 at 7:15 pm
Hello guys. I'm having the same issue and I don't know how to solve it.
Is there any update or any solution you can share?
I appreciate your help.