We've released hotfix packages for the following drivers to address important security issues:
Related CVEs for these updates are the following:
For ODBC:
CVE-2024-28929 - Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-28930 - Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-28931 - Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-28932 - Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-28933 - Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-28934 - Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-28935 - Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-28936 - Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-28937 - Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-28938 - Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-28941 - Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-28943 - Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-29043 - Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability
For OLE DB:
CVE-2024-28906 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-28908 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-28909 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-28910 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-28911 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-28912 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-28913 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-28914 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-28915 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-28926 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-28927 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-28939 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-28940 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-28942 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-28944 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-28945 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-29044 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-29045 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-29046 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-29047 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-29048 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-29984 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-29983 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-29982 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-29985 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
All the issues involve connecting to a malicious server that sends malicious data in order to compromise a client. These driver updates are available via Microsoft Update, standalone download, and are included in the SQL Server 2019 and SQL Server 2022 updates that released April 9, 2024.
For Windows installations, automatic updates will be provided via Microsoft Update or you can download the packages directly:
Linux and macOS packages for ODBC are also available and can be updated via package managers on most platforms. For installation details and manual instructions, see the online instructions for Linux or macOS.
On Windows, look in Add or remove programs. The version is shown with the installed package. Additionally, you can look at the file properties of the installed files and inspect the Product Version field in the Details. Here are the main files for each driver:
On Linux you can use package manager commands to view the version of the installed package. Or you can look directly at the files, which live in /opt/microsoft/msodbcsql17/lib64/ or /opt/microsoft/msodbcsql18/lib64/ and have the version in their name: libmsodbcsql-17.X.so.X.X or libmsodbcsql-18.X.so.X.X.
We are committed to improving quality and bringing more feature support for connecting to SQL Server Azure SQL Database Azure SQL DW, and Azure SQL Managed Instance through regular driver releases. We invite you to explore the latest the Microsoft Data Platform has to offer via a trial of Microsoft Azure SQL Database or by evaluating Microsoft SQL Server.
David Engel
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.