===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2024.0063
     Microsoft Patch Tuesday update for Microsoft SQL Server for April 2024
                               10 April 2024

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Microsoft ODBC Driver
                   Microsoft OLE DB Driver
                   Microsoft SQL Server 2019
                   Microsoft SQL Server 2022
Operating System:  Windows
                   Linux
                   macOS
Resolution:        Patch/Upgrade
CVE Names:         CVE-2024-28942 CVE-2024-28943 CVE-2024-28944
                   CVE-2024-29045 CVE-2024-29046 CVE-2024-29047
                   CVE-2024-29048 CVE-2024-29982 CVE-2024-29983
                   CVE-2024-29984 CVE-2024-29985 CVE-2024-28929
                   CVE-2024-28930 CVE-2024-28931 CVE-2024-28932
                   CVE-2024-28933 CVE-2024-28934 CVE-2024-28935
                   CVE-2024-28936 CVE-2024-28937 CVE-2024-28938
                   CVE-2024-28906 CVE-2024-28908 CVE-2024-28909
                   CVE-2024-28910 CVE-2024-28911 CVE-2024-28912
                   CVE-2024-28913 CVE-2024-28914 CVE-2024-28915
                   CVE-2024-28926 CVE-2024-28927 CVE-2024-28939
                   CVE-2024-28940 CVE-2024-28941

Comment: CVSS (Max):  8.8 CVE-2024-28906 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
         CVSS Source: Microsoft
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

OVERVIEW

Microsoft has released its monthly security patch update for the month of
April 2024.

This update resolves 38 vulnerabilities across the following product(s): [1]

  Microsoft ODBC Driver 17 for SQL Server on Linux
  Microsoft ODBC Driver 17 for SQL Server on MacOS
  Microsoft ODBC Driver 17 for SQL Server on Windows
  Microsoft ODBC Driver 18 for SQL Server on Linux
  Microsoft ODBC Driver 18 for SQL Server on MacOS
  Microsoft ODBC Driver 18 for SQL Server on Windows
  Microsoft OLE DB Driver 18 for SQL Server
  Microsoft OLE DB Driver 19 for SQL Server
  Microsoft SQL Server 2019 for x64-based Systems (CU 25)
  Microsoft SQL Server 2019 for x64-based Systems (GDR)
  Microsoft SQL Server 2022 for x64-based Systems (CU 12)
  Microsoft SQL Server 2022 for x64-based Systems (GDR)

IMPACT

Microsoft has given the following details regarding these vulnerabilities.

  Details          Impact                  Severity
  CVE-2024-28906   Remote Code Execution   Important
  CVE-2024-28908   Remote Code Execution   Important
  CVE-2024-28909   Remote Code Execution   Important
  CVE-2024-28910   Remote Code Execution   Important
  CVE-2024-28911   Remote Code Execution   Important
  CVE-2024-28912   Remote Code Execution   Important
  CVE-2024-28913   Remote Code Execution   Important
  CVE-2024-28914   Remote Code Execution   Important
  CVE-2024-28915   Remote Code Execution   Important
  CVE-2024-28926   Remote Code Execution   Important
  CVE-2024-28927   Remote Code Execution   Important
  CVE-2024-28929   Remote Code Execution   Important
  CVE-2024-28930   Remote Code Execution   Important
  CVE-2024-28931   Remote Code Execution   Important
  CVE-2024-28932   Remote Code Execution   Important
  CVE-2024-28933   Remote Code Execution   Important
  CVE-2024-28934   Remote Code Execution   Important
  CVE-2024-28935   Remote Code Execution   Important
  CVE-2024-28936   Remote Code Execution   Important
  CVE-2024-28937   Remote Code Execution   Important
  CVE-2024-28938   Remote Code Execution   Important
  CVE-2024-28939   Remote Code Execution   Important
  CVE-2024-28940   Remote Code Execution   Important
  CVE-2024-28941   Remote Code Execution   Important
  CVE-2024-28942   Remote Code Execution   Important
  CVE-2024-28943   Remote Code Execution   Important
  CVE-2024-28944   Remote Code Execution   Important
  CVE-2024-28945   Remote Code Execution   Important
  CVE-2024-29043   Remote Code Execution   Important
  CVE-2024-29044   Remote Code Execution   Important
  CVE-2024-29045   Remote Code Execution   Important
  CVE-2024-29046   Remote Code Execution   Important
  CVE-2024-29047   Remote Code Execution   Important
  CVE-2024-29048   Remote Code Execution   Important
  CVE-2024-29982   Remote Code Execution   Important
  CVE-2024-29983   Remote Code Execution   Important
  CVE-2024-29984   Remote Code Execution   Important
  CVE-2024-29985   Remote Code Execution   Important

MITIGATION

Microsoft recommends updating the software with the version made available
on the Microsoft Update Catalogue for the following Knowledge Base
articles. [1]

  KB5035432, KB5035434, KB5036335, KB5036343, KB5037570,
  KB5037571, KB5037572, KB5037573

REFERENCES

  [1] Microsoft Security Update Guidance
      https://portal.msrc.microsoft.com/en-us/security-guidance

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================