Description of the security update for the remote code execution vulnerability in SQL Server 2016 SP1 (GDR): August 14, 2018

Applies to: SQL Server 2016 Service Pack 1

Summary

A buffer overflow vulnerability exists in Microsoft SQL Server that could allow remote code execution on an affected system. An attacker who successfully exploits this vulnerability could execute code in the context of the SQL Server Database Engine service account.

To learn more about the vulnerability, go to CVE-2018-8273.

Known issues

On Tuesday August 14, we published a Security Update for six different releases of SQL Server 2016 and 2017. For one of those releases, SQL Server 2016 SP1 GDR (KB 4293801), an issue may occur after you apply the update in which the sqlceip.exe process experiences an unhandled exception. This will occur only if the updated instance was currently configured to collect SQL Customer Experience Improvement Program (CEIP) information. This does not affect the operation of the updated SQL Server engine. However, this may affect a SQL Server Failover Cluster Instance node if it's configured for CEIP.

Therefore, this update has been replaced. If you have previously applied the original update 4293801, we recommend that you install update KB 4458842 as soon as possible.

You can optionally first uninstall update KB 4293801, but this is not necessary because update KB 4458842 supersedes and replaces KB 4293801.

More Information

How to obtain help and support for this security update

Last Updated: Apr 16, 2020