A remote code execution vulnerability exists in Microsoft SQL Server Reporting Services when it incorrectly handles page requests. An attacker who successfully exploited this vulnerability could execute code in the context of the Report Server service account. To exploit the vulnerability, an authenticated attacker would need to submit a specially crafted page request to an affected Reporting Services instance. The security update addresses the vulnerability by modifying how the Microsoft SQL Server Reporting Services handles page requests.
There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use? First, determine your SQL Server version number. For more information on determining your SQL Server version number, see Microsoft Knowledge Base Article 321185 - How to determine the version, edition, and update level of SQL Server and its components. Second, in the table below, locate your version number or the version range that your version number falls within. The corresponding update is the one you need to install. Note If your SQL Server version number is not represented in the table below, your SQL Server version is no longer supported. Please upgrade to the latest Service Pack or SQL Server product in order to apply this and future security updates. Update number Title Apply if current product version is… This security update also includes servicing releases up through… 4532097 Security update for SQL Server 2016 Service Pack 2 (GDR): Feb 11, 2020 13.0.5026.0 - 13.0.5101.9 KB4505220 - Previous SQL16 SP2 GDR 4535706 Security update for SQL Server 2016 Service Pack 2 CU11: Feb 11, 2020 13.0.5149.0 - 13.0.5598.27 KB4527378 – SQL16 SP2 CU11 4532095 Security update for SQL Server 2014 Service Pack 3 (GDR): Feb 11, 2020 12.0.6024.0 - 12.0.6108.1 KB4505218 - Previous SQL14 SP3 GDR 4535288 Security update for SQL Server 2014 Service Pack 2 CU4: Feb 11, 2020 12.0.6205.1 - 12.0.6329.1 KB4500181 – SQL14 SP3 CU4 4532098 Security update for SQL Server 2012 Service Pack 4 (QFE): Feb 11, 2020 11.0.7001.0 - 11.0.7462.6 KB4057116 – Previous SQL12 SP4 QFE What are the GDR and CU update designations and how do they differ? The General Distribution Release (GDR) and Cumulative Update (CU) designations correspond to the two different servicing options in place for SQL Server baseline releases. A baseline can be either an RTM release or a Service Pack release. GDR updates – cumulatively only contain security updates for the given basel
Maturity: Exploit
Soroush Dalili (<a href="https://twitter.com/irsdl">@irsdl</a>)