[German]Currently Microsoft has left some confusion regarding the August 2018 security updates for the SQL server. In other words, SQL Server 2014 SP2 is not included in the updates. Here are some details.
Vulnerability CVE-2018-8273 in SQL Server
Microsoft SQL Server has the Remote Code Execution vulnerability CVE-2018-8273, which is documented in both the National Vulnerability Database under CVE-2018-8273 and in Microsoft’s Security Update Guide. It says there:
A buffer overflow vulnerability exists in the Microsoft SQL Server that could allow remote code execution on an affected system. An attacker who successfully exploited this vulnerability could execute code in the context of the SQL Server Database Engine service account.
To exploit the vulnerability, an attacker would need to submit a specially crafted query to an affected SQL server.
The security update addresses the vulnerability by modifying how the Microsoft SQL Server Database Engine handles objects in memory.
Security updates for SQL-Server
Microsoft has released a security update for the SQL server to close this vulnerability, even if the exploitability is considered low. So far so good. Then Microsoft wrote:
The following software versions or editions are affected. Versions or editions that are not listed are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, see the Microsoft Support Lifecycle.
Here is the patch list:
- Microsoft SQL Server 2016 for x64-based Systems Service Pack 1: 4293801
- Microsoft SQL Server 2016 for x64-based Systems Service Pack 1 (CU): 4293808
- Microsoft SQL Server 2016 for x64-based Systems Service Pack 2: 4293802
- Microsoft SQL Server 2016 for x64-based Systems Service Pack 2 (CU): 4293807
- Microsoft SQL Server 2017 for x64-based Systems: 4293803
- Microsoft SQL Server 2017 for x64-based Systems (CU): 4293805
Susan Bradley has now noticed that Microsoft SQL Server 2016 and 2017 appear in the list. But Microsoft SQL Server 2014 SP2 seems to be missing. She published this on Twitter.
@msftsecresponse CVE-2018-8273 indicates that SQL 2016 and 2017 are vulnerable but hints that prior sql versions are not supported. I can see that SQL 2014 sp2 is still supported. My guess is that CVE-2018-8273 is only vulnerable for SQL 2016 and 2017, is that correct?
— SBSDiva (@SBSDiva) 15. August 2018
There would now be the first interpretation (after the opening note on the Microsoft site) that Microsoft SQL Server 2014 SP2 has fallen out of support. Susan Bradley points out at askwoody.com that this product will continue to receive support through security updates until 2024 (10 years of support).
The other interpretation is, of course, that Microsoft SQL Server 2016 and 2017 have the CVE-2018-8273 vulnerability. But Microsoft SQL Server 2014 is not affected. In the spirit of the Microsoft guidelines that updates should be simple, transparent and plannable, I would have appreciated a short note like ‘Microsoft SQL Server 2014 is not affected’. Microsoft has yet to comment on the facts – at least on Susan Bradley’s tweet. Do you have any other information?
Security update for Adobe Acrobat/Reader
Microsoft Office Patchday (August 7, 2018)
Windows 10 Updates KB4295110/KB4023057 (08/09/2018)
Microsoft Security Update Summary August 14, 2018
Patchday Windows 10-Updates (August 14, 2018)
Patchday: Updates for Windows 7/8.1/Server (August 14, 2018)
Patchday Microsoft Office Updates (August 14, 2018)
Microsoft Patchday: Other Updates (August 14, 2018)