CVE-2023-36728: Microsoft SQL Server Denial of Service Vulnerability

Overview

Severity: Medium (CVSS 5.5)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Category: Denial of Service
Exploit Status: Not Exploited
Exploitation Likelihood: Less Likely
Patch Tuesday: 2023-Oct
Released: 2023-10-10
Last Updated: 2023-11-14
EPSS Score: 0.08% (percentile: 23.8%)

FAQ

According to the CVSS metric, successful exploitation of this vulnerability could lead to total loss of availability (A:H)? What does that mean for this vulnerability? An attacker could impact availability of the service resulting in Denial of Service (DoS). I am running SQL Server on my system. What action do I need to take? Update your relevant version of SQL Server. Any applicable driver fixes are included in those updates. I am running my own application on my system. What action do I need to take? Update your application to use Microsoft ODBC Driver 17 (or 18) for SQL Server or Microsoft OLE DB Driver 18 (or 19). Update the drivers to the versions listed on this page, which provide protection against this vulnerability. I am running an application from a software vendor on my system. What action do I need to take? Consult with your application vendor if it is compatible with Microsoft ODBC Driver 17 (or 18) for SQL Server or Microsoft OLE DB Driver 18 (or 19). Update the drivers to the versions listed in this page, which provide protection against this vulnerability There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use? First, determine your SQL Server version number. For more information on determining your SQL Server version number, see Microsoft Knowledge Base Article 321185 - How to determine the version, edition, and update level of SQL Server and its components. Second, in the table below, locate your version number or the version range that your version number falls within. The corresponding update is the one you need to install. Note If your SQL Server version number is not represented in the table below, your SQL Server version is no longer supported. Please upgrade to the latest Service Pack or SQL Server product in order to apply this and future security updates. Update Number Title Apply if current product version is… This security update also includes servicing releases up t

Affected Products (20)

SQL Server

Microsoft SQL Server 2019 for x64-based Systems (CU 22)
Microsoft SQL Server 2022 for x64-based Systems (CU 8)
Microsoft SQL Server 2017 for x64-based Systems (GDR)
Microsoft SQL Server 2014 Service Pack 3 for x64-based Systems (GDR)
Microsoft SQL Server 2014 Service Pack 3 for 32-bit Systems (GDR)
Microsoft SQL Server 2014 Service Pack 3 for 32-bit Systems (CU 4)
Microsoft SQL Server 2019 for x64-based Systems (GDR)
Microsoft SQL Server 2014 Service Pack 3 for x64-based Systems (CU 4)
Microsoft SQL Server 2016 for x64-based Systems Service Pack 3 (GDR)
Microsoft SQL Server 2016 for x64-based Systems Service Pack 3 Azure Connect Feature Pack
Microsoft SQL Server 2017 for x64-based Systems (CU 31)
Microsoft SQL Server 2022 for x64-based Systems (GDR)
Microsoft OLE DB Driver 19 for SQL Server
Microsoft OLE DB Driver 18 for SQL Server
Microsoft ODBC Driver 17 for SQL Server on Windows
Microsoft ODBC Driver 17 for SQL Server on Linux
Microsoft ODBC Driver 17 for SQL Server on MacOS
Microsoft ODBC Driver 18 for SQL Server on Windows
Microsoft ODBC Driver 18 for SQL Server on Linux
Microsoft ODBC Driver 18 for SQL Server on MacOS

Security Updates (16)

Acknowledgments

<a href="https://twitter.com/vv474172261">VictorV(Tang tianwen)</a> with <a href="https://www.cyberkl.com/">Kunlun Lab</a>

Revision History

2023-10-10: Information published.
2023-10-11: Updated FAQ information. This is an informational change only.
2023-11-14: Updated links to security updates. This is an informational change only.