===========================================================================
                         AUSCERT Security Bulletin                         
                                                                           
                               ASB-2024.0063                               
  Microsoft Patch Tuesday update for Microsoft SQL Server for April 2024   
                               10 April 2024                               
                                                                           
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Microsoft ODBC Driver                                   
                   Microsoft OLE DB Driver                                 
                   Microsoft SQL Server 2019                               
                   Microsoft SQL Server 2022                               
Operating System:  Windows                                                 
                   Linux                                                   
                   macOS                                                   
Resolution:        Patch/Upgrade                                           
CVE Names:         CVE-2024-28942 CVE-2024-28943 CVE-2024-28944
                   CVE-2024-29045 CVE-2024-29046 CVE-2024-29047
                   CVE-2024-29048 CVE-2024-29982 CVE-2024-29983
                   CVE-2024-29984 CVE-2024-29985 CVE-2024-28929
                   CVE-2024-28930 CVE-2024-28931 CVE-2024-28932
                   CVE-2024-28933 CVE-2024-28934 CVE-2024-28935
                   CVE-2024-28936 CVE-2024-28937 CVE-2024-28938
                   CVE-2024-28906 CVE-2024-28908 CVE-2024-28909
                   CVE-2024-28910 CVE-2024-28911 CVE-2024-28912
                   CVE-2024-28913 CVE-2024-28914 CVE-2024-28915
                   CVE-2024-28926 CVE-2024-28927 CVE-2024-28939
                   CVE-2024-28940 CVE-2024-28941 CVE-2024-28945
                   CVE-2024-29043 CVE-2024-29044

Comment: CVSS (Max):  8.8 CVE-2024-28906 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
         CVSS Source: Microsoft                                            
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C



OVERVIEW

        Microsoft has released its monthly security patch update for the
        month of April 2024.

        This update resolves 38 vulnerabilities across the following
        product(s): [1]

         Microsoft ODBC Driver 17 for SQL Server on Linux
         Microsoft ODBC Driver 17 for SQL Server on MacOS
         Microsoft ODBC Driver 17 for SQL Server on Windows
         Microsoft ODBC Driver 18 for SQL Server on Linux
         Microsoft ODBC Driver 18 for SQL Server on MacOS
         Microsoft ODBC Driver 18 for SQL Server on Windows
         Microsoft OLE DB Driver 18 for SQL Server
         Microsoft OLE DB Driver 19 for SQL Server
         Microsoft SQL Server 2019 for x64-based Systems (CU 25)
         Microsoft SQL Server 2019 for x64-based Systems (GDR)
         Microsoft SQL Server 2022 for x64-based Systems (CU 12)
         Microsoft SQL Server 2022 for x64-based Systems (GDR)


IMPACT

        Microsoft has given the following details regarding these
        vulnerabilities.

         Details         Impact                   Severity
         CVE-2024-28906  Remote Code Execution    Important
         CVE-2024-28908  Remote Code Execution    Important
         CVE-2024-28909  Remote Code Execution    Important
         CVE-2024-28910  Remote Code Execution    Important
         CVE-2024-28911  Remote Code Execution    Important
         CVE-2024-28912  Remote Code Execution    Important
         CVE-2024-28913  Remote Code Execution    Important
         CVE-2024-28914  Remote Code Execution    Important
         CVE-2024-28915  Remote Code Execution    Important
         CVE-2024-28926  Remote Code Execution    Important
         CVE-2024-28927  Remote Code Execution    Important
         CVE-2024-28929  Remote Code Execution    Important
         CVE-2024-28930  Remote Code Execution    Important
         CVE-2024-28931  Remote Code Execution    Important
         CVE-2024-28932  Remote Code Execution    Important
         CVE-2024-28933  Remote Code Execution    Important
         CVE-2024-28934  Remote Code Execution    Important
         CVE-2024-28935  Remote Code Execution    Important
         CVE-2024-28936  Remote Code Execution    Important
         CVE-2024-28937  Remote Code Execution    Important
         CVE-2024-28938  Remote Code Execution    Important
         CVE-2024-28939  Remote Code Execution    Important
         CVE-2024-28940  Remote Code Execution    Important
         CVE-2024-28941  Remote Code Execution    Important
         CVE-2024-28942  Remote Code Execution    Important
         CVE-2024-28943  Remote Code Execution    Important
         CVE-2024-28944  Remote Code Execution    Important
         CVE-2024-28945  Remote Code Execution    Important
         CVE-2024-29043  Remote Code Execution    Important
         CVE-2024-29044  Remote Code Execution    Important
         CVE-2024-29045  Remote Code Execution    Important
         CVE-2024-29046  Remote Code Execution    Important
         CVE-2024-29047  Remote Code Execution    Important
         CVE-2024-29048  Remote Code Execution    Important
         CVE-2024-29982  Remote Code Execution    Important
         CVE-2024-29983  Remote Code Execution    Important
         CVE-2024-29984  Remote Code Execution    Important
         CVE-2024-29985  Remote Code Execution    Important


MITIGATION

        Microsoft recommends updating the software with the versions made
        available on the Microsoft Update Catalogue under the following
        Knowledge Base articles [1].

         KB5035432, KB5035434, KB5036335, KB5036343, KB5037570
         KB5037571, KB5037572, KB5037573
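        The following PowerShell inventory script is an added example, not
        part of the AusCERT bulletin or of Microsoft's guidance. It lists the
        installed SQL Server engine build (PatchLevel) and the ODBC / OLE DB
        driver versions on a Windows host so they can be compared with the
        fixed builds given in the KB articles above; the bulletin itself does
        not state the fixed build numbers, so the script reports rather than
        judges. It assumes the standard registry locations used by SQL Server
        setup and by MSI-installed drivers.

```powershell
# Added inventory check (not from the AusCERT bulletin). Run on each Windows
# host carrying SQL Server 2019/2022 or the ODBC/OLE DB drivers listed above,
# then compare the reported builds with the fixed builds in the KB articles.
# Note that CU and GDR servicing branches have different builds, so compare
# against the KB that matches the branch the instance is on.

$report = @()

# SQL Server engine: 'Instance Names\SQL' maps instance name -> instance ID,
# and '<instance ID>\Setup' holds the engine Version and PatchLevel (CU/GDR build).
$instKey = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL'
$psProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
if (Test-Path $instKey) {
    $instances = Get-ItemProperty -Path $instKey
    foreach ($prop in $instances.PSObject.Properties) {
        if ($prop.Name -in $psProps) { continue }     # skip provider metadata
        $id    = $prop.Value                           # e.g. MSSQL16.MSSQLSERVER
        $setup = Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$id\Setup"
        $report += [pscustomobject]@{
            Component = "SQL Server instance $($prop.Name) ($id)"
            Version   = $setup.PatchLevel              # 15.0.x = 2019, 16.0.x = 2022
        }
    }
}

# ODBC and OLE DB drivers for SQL Server are MSI packages, so they appear
# under the Uninstall keys (64-bit and WOW6432Node) with a DisplayVersion.
$uninst = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
          'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty -Path $uninst -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match '(ODBC|OLE DB) Driver .*for SQL Server' } |
    ForEach-Object {
        $report += [pscustomobject]@{
            Component = $_.DisplayName
            Version   = $_.DisplayVersion
        }
    }

if ($report.Count -eq 0) {
    Write-Output 'No SQL Server engine, ODBC or OLE DB driver installations found.'
} else {
    $report | Sort-Object Component | Format-Table -AutoSize
}
```

        Drivers installed by copying files rather than via MSI will not appear
        under the Uninstall keys; for those, check the file version of the
        driver DLL directly.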


REFERENCES

        [1] Microsoft Security Update Guidance
            https://portal.msrc.microsoft.com/en-us/security-guidance




AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================