Vulnerability for ODBC driver 13

  • The following comment from https://techcommunity.microsoft.com/t5/sql-server-blog/update-hotfixes-released-for-odbc-and-ole-db-drivers-for-sql/ba-p/3848484 might help.

    DavidEngelMS

    Microsoft

    Aug 10 2023 04:58 PM

    @james Auman


    This answer has some subtleties, so bear with me.

    ...

    There is an additional scenario I'd like to describe for SQL Server installs. 13.x and 14.x are all valid file versions for "ODBC Driver 13 for SQL Server". "ODBC Driver 13 for SQL Server" was shipped with both SQL Server 2016 and SQL Server 2017. Within SQL Server 2016, "ODBC Driver 13 for SQL Server" is versioned 13.x. Within SQL Server 2017, "ODBC Driver 13 for SQL Server" is versioned 14.x. When updates are made to either SQL Server 2016 or SQL Server 2017, you will get a newer 13.x or a newer 14.x, both of which can be considered the "latest version" within their line. However, only one of them can be installed on a system at a time, unlike the other MS ODBC driver major versions. And a version 14.x ODBC driver will upgrade and replace a version 13.x ODBC driver. Given versioning semantics, I would assume any version 14.x driver will upgrade/replace even a newer 13.x driver. If a 14.x ODBC driver ever replaced a 13.x ODBC driver on a SQL Server 2016 system (tools like SSMS also install a version of the ODBC driver), it would functionally work fine, but a subsequent SQL Server 2016 update would not (I assume) patch the 14.x ODBC driver since the 14.x driver would be a newer version. Solutions for this scenario would be to manually update the 14.x ODBC driver or uninstall the 14.x driver and install the 13.x driver so that future SQL Server 2016 updates will patch it.


  • @ken McKelvey - this has not solved the issue for us unfortunately.

    We already had ODBC 17.10.4.1 installed, and upgraded from ODBC 18.2.2.1 to ODBC 18.3.1.1 as suggested in the article.

    But as soon as we uninstalled the vulnerable ODBC 13.1.4414.46 driver, hey presto, the SQL Server Agent services could no longer be restarted. We had to re-install the version 13 driver again.

    This issue is still very much at large, over 5 months after Microsoft themselves told us all to uninstall ODBC driver 13.

    Do you know how we can get hold of an ODBC 14.x driver installer?

  • Hi, I was following the thread and opened a couple of cases with Microsoft on this issue. In the end Microsoft said they patched this vulnerability for SQL 2016 in the February SQL release. The June update was only for ODBC driver versions that were installed separately from the SQL install and used for application support.

    The V13 driver versions 13.0.6430.49/13.3.6430.49 that are installed when you install the update KB5021129 or later contain the fix. For example, when we installed KB5021128 and KB5021129, our Microsoft ODBC Driver 13 for SQL Server version is 13.3.6430.49. Our security teams have had Tripwire update their definitions to not flag these V13 ODBC driver updated versions as vulnerable.

    Case Summary Response from Microsoft: They have discussed with the engineering teams and confirmed that the April vulnerabilities were reported/fixed in the SQL Server GDR published in Feb 2023 (CVE-2023-21718). The driver engineering team is working to request updates for the CVE-2023-23375 and CVE-2023-28304 to clarify and point customers to the Feb '23 GDR builds.

  • At the start of this ticket, we were on ODBC driver 13.3.6430.49 and had had all the latest cumulative updates installed in sequence.

    The Microsoft "Security Vulnerability" pages themselves state that "We recommend that customers who are running ODBC versions 11 and 13 as part of an application outside of a SQL Server installation update to ODBC versions 17 or above or OLE DB versions 18 or above, which provide protection against this vulnerability."

    https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-28304

    https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-23375

    Our Armor vulnerability scanner continues to highlight this as a high priority vulnerability, and is only satisfied when ODBC driver 13 is uninstalled. But then the SQL Server Agent service refuses to start, and so we have to re-install it again.

    We can contact Armor to see if they are happy to also update their definitions to not flag these V13 ODBC driver updated versions as vulnerable. But why are Microsoft themselves still raising this as a "Max Severity: Important" vulnerability to address?

  • I would build a sandbox and try all these suggestions to see what works and what does not (trying older/newer DLLs, etc.).


    DBASupport

  • I have already tried all of the above against one of our DEV servers (including multiple versions of ODBC DLLs).

    There is currently no solution, and no word from Microsoft on when this will be resolved.

  • Consider the latest version of SQL Server to upgrade to. Depending on your acceptance cycle, it will have matured out at the end.

    Upgrade to 2019: stable. Will be out of support sooner than 2022

    Upgrade to 2022: stable for its core.

  • Many thanks Steve, this does appear to have been resolved in the latest patches that were pushed out by Microsoft this month.

    I am struggling to identify which specific KB or Hotfix number has done this, but I can see that our ODBC Driver 13 is now on version 13.3.6435.1 and our Armor vulnerability scanner is no longer raising this as a vulnerability.

    It's just a shame Microsoft took 4 months to get there! The Microsoft web pages still have links to multiple earlier versions which have been identified as being vulnerable, so it would be nice if they made the latest driver available as a separate download.

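As an added example (not code from the thread, from Microsoft, or from any scanner vendor), the following PowerShell check lists every installed "ODBC Driver 13 for SQL Server" registration on a host and classifies its DLL build against what the posts above report: 13.1.4414.46 flagged as vulnerable, 13.x.6430.49 installed by the Feb 2023 GDR (KB5021129 or later), 13.3.6435.1 the later build that silenced the scanner, and a 14.x build meaning the SQL Server 2017 line that SQL Server 2016 updates will not service. Get-OdbcDriver is a real cmdlet (Wdac module, Windows 8 / Server 2012 and later); the 6430.49 threshold is taken from this thread, not from an official Microsoft list, so treat it as an assumption and confirm against the MSRC pages linked above.

```powershell
# Added example; the build threshold below comes from this thread's posts, not an official list.
function Get-OdbcDriver13Status {
    [CmdletBinding()]
    param(
        # Lowest 13.x build/revision the thread reports as patched (assumption)
        [int]$PatchedBuild    = 6430,
        [int]$PatchedRevision = 49
    )
    Get-OdbcDriver -Name 'ODBC Driver 13 for SQL Server' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $dllPath = $_.Attribute['Driver']      # path of msodbcsql13.dll for this registration
            $ver     = $null
            if (-not $dllPath -or -not (Test-Path -LiteralPath $dllPath)) {
                $status = 'driver DLL missing: registration is stale'
            } else {
                # Build a comparable [version] from the DLL's file-version parts
                $fi  = (Get-Item -LiteralPath $dllPath).VersionInfo
                $ver = [version]::new($fi.FileMajorPart, $fi.FileMinorPart,
                                      $fi.FileBuildPart, $fi.FilePrivatePart)
                $status = switch ($ver.Major) {
                    14 { '14.x line (SQL Server 2017): SQL Server 2016 updates will not service it; patch separately' }
                    13 {
                        if ($ver.Build -gt $PatchedBuild -or
                            ($ver.Build -eq $PatchedBuild -and $ver.Revision -ge $PatchedRevision)) {
                            'at or above the build the thread reports as patched'
                        } else {
                            'below the patched build: apply the SQL Server 2016 GDR/CU, expect scanner findings'
                        }
                    }
                    default { 'unexpected major version' }
                }
            }
            [pscustomobject]@{
                Name     = $_.Name
                Platform = $_.Platform   # 32-bit and 64-bit registrations are reported separately
                Version  = $ver
                Path     = $dllPath
                Status   = $status
            }
        }
}

Get-OdbcDriver13Status | Format-Table -AutoSize
```

Run it on the SQL Server host itself, since that is where the SQL Server Agent dependency described in this thread lives; a 14.x result explains why a later SQL Server 2016 update leaves the driver untouched.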