Critical Security Issue in Extended Events Fixed in Latest SQL Server Updates
Microsoft has released a security update for SQL Server to address a vulnerability in Extended Events that can allow arbitrary code execution. The vulnerability, tracked as CVE-2021-1636, affects multiple versions of SQL Server, including SQL Server 2019, 2017, 2016, and 2014.
According to Microsoft, the vulnerability exists because of a flaw in the way Extended Events handles certain requests. An attacker who successfully exploits the vulnerability could execute arbitrary code in the context of the SQL Server process if a specific Extended Event is enabled.
To address the vulnerability, Microsoft has released a security update in the form of a General Distribution Release (GDR) for the affected versions of SQL Server. The following updates are available:
- SQL Server 2019 CU8 GDR
- SQL Server 2017 CU22 GDR
- SQL Server 2016 SP2 CU15 GDR
- SQL Server 2014 SP3 CU4 GDR
There are also GDRs available for other patch levels, such as if you’re on SQL Server 2016 but not on SP2 yet.
Microsoft has recommended that customers update their installations as soon as possible to protect against this vulnerability. The update can be downloaded from the Microsoft Update Catalog or distributed via Windows Update.
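As an added example (not from the article or from Microsoft), the following T-SQL reports the patch level of an instance and lists its Extended Events sessions, so an administrator can check whether the update has landed and which sessions are actually running. The article gives no fixed build numbers, so `@MinimumFixedBuild` is a placeholder that must be replaced with the build listed in the KB article for your branch (GDR or CU); everything else uses documented `SERVERPROPERTY` values and catalog views.

```sql
-- Added example, not the article's own code: inventory patch level and
-- Extended Events sessions when verifying the fix for CVE-2021-1636.
SET NOCOUNT ON;

-- PLACEHOLDER: the article does not list fixed builds; take the value from
-- the KB article that matches your servicing branch (GDR or CU).
DECLARE @MinimumFixedBuild int = 0;

-- 1. Version, service pack / CU level and build number of this instance.
SELECT
    SERVERPROPERTY('ProductVersion')         AS ProductVersion,
    SERVERPROPERTY('ProductLevel')           AS ProductLevel,          -- RTM or SPn
    SERVERPROPERTY('ProductUpdateLevel')     AS ProductUpdateLevel,    -- CUn; NULL on the GDR branch
    SERVERPROPERTY('ProductUpdateReference') AS ProductUpdateReference, -- KB number of the last update applied
    SERVERPROPERTY('ProductBuild')           AS ProductBuild,
    CASE WHEN TRY_CAST(SERVERPROPERTY('ProductBuild') AS int) >= @MinimumFixedBuild
         THEN 'at or above placeholder build'
         ELSE 'BELOW placeholder build - update required'
    END AS PatchStatus;

-- 2. Every Extended Events session defined on the server, and whether it is
--    currently running (sys.dm_xe_sessions only holds started sessions).
SELECT
    ses.name          AS session_name,
    ses.startup_state AS starts_with_instance,   -- 1 = autostarts with the service
    CASE WHEN run.name IS NULL THEN 'stopped' ELSE 'running' END AS state,
    run.create_time   AS running_since
FROM sys.server_event_sessions AS ses
LEFT JOIN sys.dm_xe_sessions   AS run
       ON run.name = ses.name
ORDER BY state, ses.name;
```

Run it with a login that holds VIEW SERVER STATE. The first result set is what you compare against the KB's fixed build; the second shows which sessions (including the built-in system_health session) are live, which is useful context given that the article notes exploitation depends on a specific Extended Event being enabled.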
This is not the first time that Extended Events have been found to be vulnerable to attack. In 2018, a similar vulnerability (CVE-2018-8273) was discovered that affected multiple versions of SQL Server, including SQL Server 2017 and 2016. In that case, an attacker could execute code in the context of the SQL Server service account by exploiting a vulnerability in the Extended Events feature.
In conclusion, if you’re running any of the affected versions of SQL Server, it is essential to install the security update to protect against this vulnerability. Failure to do so could allow attackers to execute arbitrary code on your SQL Server instance, potentially leading to a compromise of sensitive data.