SQL Server Blog

Released: Security updates for Microsoft.Data.SqlClient and System.Data.SqlClient

DavidEngelMS
Jan 09, 2024

We have released security updates to supported versions of Microsoft.Data.SqlClient and System.Data.SqlClient. It is recommended to update references to these versions as soon as possible.


A new security vulnerability was announced in the .NET SqlClient drivers that allows an attacker to silently bypass encryption in the connection between a client and a server. The details are discussed in the CVE:


CVE-2024-0056 - Security Update Guide - Microsoft - Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data Provider Security Feature Bypass Vulnerability


We've released the following hotfix packages to address this important security issue:


What, specifically, do you need to do?


If you are using System.Data.SqlClient from .NET Framework, Windows automatic updates will install the January 2024 update(s) for .NET Framework. If automatic updates are disabled, the .NET Framework update listed in the CVE will need to be manually applied.


Applications using either the System.Data.SqlClient or Microsoft.Data.SqlClient NuGet packages need to do the following to be protected:


  • If you are using System.Data.SqlClient on .NET Core, .NET 6, .NET 7, or .NET 8, you must update your application's NuGet package reference to 4.8.6.
    • If you are using the System.Data.SqlClient NuGet package and targeting .NET Framework, you need the January 2024 update(s) for .NET Framework. Updating the NuGet reference is not technically required but is good code hygiene.
  • If you are using Microsoft.Data.SqlClient anywhere (.NET Core, .NET 6/7/8, .NET Framework) and you are using a vulnerable version, you must update your NuGet package reference to one of the updated versions: 2.1.7, 3.1.5, 4.0.5, or 5.1.3.


An updated version of Microsoft.Data.SqlClient, version 5.1.4, was also released. It upgrades the Azure.Identity dependency to version 1.10.3, which addresses CVE-2023-36414 in that library. (release notes) (download)
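As an added example (not code from the advisory or the SqlClient project), the following Python check walks an SDK-style .csproj for SqlClient PackageReferences and compares each version against the patched releases listed above, treating System.Data.SqlClient on a .NET Framework target as fixed by the January 2024 .NET Framework update rather than by the NuGet bump. The sample project, the verdict labels, and the handling of version series the advisory does not list are assumptions of this example.

```python
"""Scan SDK-style .csproj files for SqlClient PackageReferences affected by CVE-2024-0056."""
import re
import xml.etree.ElementTree as ET

PATCHED = {  # minimum patched release per package and major.minor series, as listed in the advisory
    "Microsoft.Data.SqlClient": {(2, 1): (2, 1, 7), (3, 1): (3, 1, 5), (4, 0): (4, 0, 5), (5, 1): (5, 1, 3)},
    "System.Data.SqlClient": {(4, 8): (4, 8, 6)},
}

def parse_version(text):
    """Turn '5.1.2' or '5.1.2-preview1.23109.1' into a comparable tuple such as (5, 1, 2)."""
    return tuple(int(p) for p in text.split("-")[0].split("."))

def assess(package, version):
    """Classify one reference: 'patched', 'vulnerable', 'unlisted-series', or None if not SqlClient."""
    fixes = PATCHED.get(package)
    if fixes is None:
        return None
    v = parse_version(version)
    fix = fixes.get(v[:2])
    if fix is None:
        # Assumption: a series the advisory lists no fix for should be moved to a patched series.
        return "unlisted-series"
    return "patched" if v >= fix else "vulnerable"

def scan_csproj(xml_text):
    """Return (package, version, verdict) for every SqlClient reference in an SDK-style .csproj."""
    root = ET.fromstring(xml_text)
    tfm = (root.findtext(".//TargetFramework") or "").lower()
    results = []
    for ref in root.iter("PackageReference"):
        pkg, ver = ref.get("Include"), ref.get("Version") or ref.findtext("Version")
        if pkg not in PATCHED or not ver:  # not SqlClient, or version pinned elsewhere (central package management)
            continue
        verdict = assess(pkg, ver)
        # On .NET Framework the System.Data.SqlClient fix ships in the Framework update; the NuGet bump is hygiene.
        if pkg == "System.Data.SqlClient" and verdict == "vulnerable" and re.match(r"net4\d", tfm):
            verdict = "needs-framework-update"
        results.append((pkg, ver, verdict))
    return results

# Constructed sample project (not from the advisory) with one pre-fix reference per package.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup><TargetFramework>net8.0</TargetFramework></PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Microsoft.Data.SqlClient" Version="5.1.2" />
    <PackageReference Include="System.Data.SqlClient" Version="4.8.5" />
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
  </ItemGroup>
</Project>"""
```

Running `scan_csproj` over the sample flags both SqlClient references as vulnerable; switching the target framework to net48 changes the System.Data.SqlClient verdict to needs-framework-update.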


For a list of supported versions of Microsoft.Data.SqlClient and their support lifecycle, see the SqlClient driver support lifecycle.


David Engel

Updated Jan 09, 2024
Version 3.0
  • UkrGuru
    They're great packages. My UkrGuru.SqlJson package follows them, and makes them easy to use...