Update: Security hotfixes released for ODBC and OLE DB drivers for SQL Server

We've released hotfix packages for the following drivers to address important security issues:

• Microsoft ODBC Driver 17.10.6 for SQL Server (release notes / download)
• Microsoft ODBC Driver 18.3.3 for SQL Server (release notes / download)
• Microsoft OLE DB Driver 18.7.2 for SQL Server (release notes / download)
• Microsoft OLE DB Driver 19.3.3 for SQL Server (release notes / download)

Related CVEs for these updates are the following:

For ODBC:

• CVE-2024-28929 - Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability

• CVE-2024-28930 - Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability

• CVE-2024-28931 - Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability

• CVE-2024-28932 - Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability

• CVE-2024-28933 - Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability

• CVE-2024-28934 - Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability

• CVE-2024-28935 - Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability

• CVE-2024-28936 - Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability

• CVE-2024-28937 - Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability

• CVE-2024-28938 - Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability

• CVE-2024-28941 - Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability

• CVE-2024-28943 - Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability

• CVE-2024-29043 - Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability

For OLE DB:

• CVE-2024-28906 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability

• CVE-2024-28908 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability

• CVE-2024-28909 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability

• CVE-2024-28910 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability

• CVE-2024-28911 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability

• CVE-2024-28912 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability

• CVE-2024-28913 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability

• CVE-2024-28914 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability

• CVE-2024-28915 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability

• CVE-2024-28926 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability

• CVE-2024-28927 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability

• CVE-2024-28939 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability

• CVE-2024-28940 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability

• CVE-2024-28942 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability

• CVE-2024-28944 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability

• CVE-2024-28945 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability

• CVE-2024-29044 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability

• CVE-2024-29045 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability

• CVE-2024-29046 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability

• CVE-2024-29047 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability

• CVE-2024-29048 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability

• CVE-2024-29984 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability

• CVE-2024-29983 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability

• CVE-2024-29982 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability

• CVE-2024-29985 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability

All the issues involve connecting to a malicious server that sends malicious data in order to compromise a client. These driver updates are available via Microsoft Update, standalone download, and are included in the SQL Server 2019 and SQL Server 2022 updates that released April 9, 2024.

Next steps

For Windows installations, automatic updates will be provided via Microsoft Update or you can download the packages directly:

• Microsoft ODBC Driver 17.10.6 for SQL Server (download)
• Microsoft ODBC Driver 18.3.3 for SQL Server (download)
• Microsoft OLE DB Driver 18.7.2 for SQL Server (download)
• Microsoft OLE DB Driver 19.3.3 for SQL Server (download)

Linux and macOS packages for ODBC are also available and can be updated via package managers on most platforms. For installation details and manual instructions, see the online instructions for Linux or macOS.

How do I know what version of a driver I have installed?

On Windows, look in Add or remove programs. The version is shown with the installed package. Additionally, you can look at the file properties of the installed files and inspect the Product Version field in the Details. Here are the main files for each driver:

• Microsoft ODBC Driver 17 for SQL Server - %Windir%\system32\msodbcsql17.dll
• Microsoft ODBC Driver 18 for SQL Server - %Windir%\system32\msodbcsql18.dll
• Microsoft OLE DB Driver 18 for SQL Server - %Windir%\system32\msoledbsql.dll
• Microsoft OLE DB Driver 19 for SQL Server - %Windir%\system32\msodlebsql19.dll

On Linux you can use package manager commands to view the version of the installed package. Or you can look directly at the files, which live in /opt/microsoft/msodbcsql17/lib64/ or /opt/microsoft/msodbcsql18/lib64/ and have the version in their name: libmsodbcsql-17.X.so.X.X or libmsodbcsql-18.X.so.X.X.

Roadmap

We are committed to improving quality and bringing more feature support for connecting to SQL Server Azure SQL Database Azure SQL DW, and Azure SQL Managed Instance through regular driver releases. We invite you to explore the latest the Microsoft Data Platform has to offer via a trial of Microsoft Azure SQL Database or by evaluating Microsoft SQL Server.

David Engel