Symptoms
Data can be sent over a network to an affected Microsoft SQL Server instance that may cause code to run against the SQL Server process if a certain extended event is enabled. See CVE-2021-1636 for detailed information.
Resolution
To fix this issue in the products that are listed in “Applies to,” install the following security update, as appropriate:
- KB4583458 - Description of the security update for SQL Server 2019 GDR: January 12, 2021
- KB4583459 - Description of the security update for SQL Server 2019 CU8: January 12, 2021
- KB4583456 - Description of the security update for SQL Server 2017 GDR: January 12, 2021
- KB4583457 - Description of the security update for SQL Server 2017 CU22: January 12, 2021
- KB4583460 - Description of the security update for SQL Server 2016 SP2 GDR: January 12, 2021
- KB4583461 - Description of the security update for SQL Server 2016 SP2 CU15: January 12, 2021
- KB4583463 - Description of the security update for SQL Server 2014 SP3 GDR: January 12, 2021
- KB4583465 - Description of the security update for SQL Server 2012 SP4 GDR: January 12, 2021
- KB4583462 - Description of the security update for SQL Server 2014 SP3 CU4: January 12, 2021