SQL Server Blog

Update: Hotfixes released for ODBC and OLE DB drivers for SQL Server

DavidEngelMS
Jun 15, 2023

We've released hotfix packages for the following drivers to address important security issues:

 

 

Related CVEs for these updates are the following:

 

 

All the issues involve a malicious server sending malicious data in order to compromise a client. These driver updates are included in SQL Server 2019 CU21 and SQL Server 2022 CU5. If you use the drivers in the context of either of those installs, those updates will update the drivers for you. If you have deployed the drivers as part of a standalone application, you may want to consider updating them. The vulnerabilities require a potential attacker to direct a connection to a malicious server, so if your scenario allows that, you should update.

 

Next steps

For Windows installations, you can directly download the packages:

  • Microsoft ODBC Driver 17.10.4 for SQL Server (download)
  • Microsoft ODBC Driver 18.2.2 for SQL Server (download)
  • Microsoft OLE DB Driver 18.6.6 for SQL Server (download)
  • Microsoft OLE DB Driver 19.3.1 for SQL Server (download)

Linux and macOS packages for ODBC are also available and can be updated via package managers on most platforms. For installation details and manual instructions, see the online instructions for Linux or macOS.

 

How do I know what version of a driver I have installed?

On Windows, look in Add or remove programs. The version is shown with the installed package. Additionally, you can look at the file properties of the installed files and inspect the Product Version field in the Details. Here are the main files for each driver:

 

    • Microsoft ODBC Driver 17 for SQL Server - %Windir%\system32\msodbcsql17.dll
    • Microsoft ODBC Driver 18 for SQL Server - %Windir%\system32\msodbcsql18.dll
    • Microsoft OLE DB Driver 18 for SQL Server - %Windir%\system32\msoledbsql.dll
    • Microsoft OLE DB Driver 19 for SQL Server - %Windir%\system32\msoledbsql19.dll

On Linux you can use package manager commands to view the version of the installed package. Or you can look directly at the files, which live in /opt/microsoft/msodbcsql17/lib64/ or /opt/microsoft/msodbcsql18/lib64/ and have the version in their name: libmsodbcsql-17.X.so.X.X or libmsodbcsql-18.X.so.X.X.
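The Linux file-name check described above can be scripted and compared against the fixed ODBC versions listed in this post (17.10.4 and 18.2.2). This is an added example, not code from the original post or from Microsoft; the function names are hypothetical, and it assumes the two numbers after `.so.` are the third and fourth version fields.

```shell
#!/bin/sh
# Added example, not Microsoft's tooling. Function names are hypothetical.

# First fixed ODBC release per major version, as listed in this post.
fixed_for_major() {
    case "$1" in
        17) echo "17.10.4" ;;
        18) echo "18.2.2" ;;
        *)  return 1 ;;
    esac
}

# libmsodbcsql-17.X.so.Y.Z -> 17.X.Y.Z (assumed mapping of the name fields).
version_from_filename() {
    base=${1##*/}
    case "$base" in libmsodbcsql-*.so.*) ;; *) return 1 ;; esac
    v=${base#libmsodbcsql-}
    out="${v%%.so.*}.${v#*.so.}"
    case "$out" in *[!0-9.]*) return 1 ;; esac
    echo "$out"
}

# Exit 0 when dotted version $1 >= $2, comparing field by field as integers
# (so 17.9 sorts below 17.10); missing fields count as 0.
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=; else b=${b#*.}; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
    done
    return 0
}

classify_driver() {
    ver=$(version_from_filename "$1") || { echo "UNKNOWN $1"; return 0; }
    fixed=$(fixed_for_major "${ver%%.*}") || { echo "UNLISTED $ver"; return 0; }
    if version_ge "$ver" "$fixed"; then echo "PATCHED $ver"
    else echo "NEEDS_UPDATE $ver (fixed in $fixed)"; fi
}

# Scan the install directories named in the post; prints nothing if absent.
for f in /opt/microsoft/msodbcsql1[78]/lib64/libmsodbcsql-*.so.*; do
    if [ -e "$f" ]; then classify_driver "$f"; fi
done
```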

 

Roadmap

We are committed to improving quality and bringing more feature support for connecting to SQL Server, Azure SQL Database, Azure SQL DW, and Azure SQL Managed Instance through regular driver releases. We invite you to explore the latest the Microsoft Data Platform has to offer via a trial of Microsoft Azure SQL Database or by evaluating Microsoft SQL Server.

David Engel

Updated Jun 16, 2023
Version 3.0

13 Comments

  • carlotista23
    Copper Contributor

    Have you already found a solution for this problem regarding Microsoft ODBC Driver 13 for SQL Server? I need to update this version to mitigate this vulnerability.

  • elmarfecker 

     

    There is no update for the MS ODBC Driver 13 for SQL Server for these issues. The CVE announcements only list the versions above.

     

    The ODBC drivers that ship with Windows are updated via Windows Update. Any security issues found in them would be announced in a separate CVE.

     

    Regards,

    David

  • elmarfecker
    Copper Contributor

    Hi,

    the ODBC driver 13 is still in 'extended support'. I could not find a fix from. On the mentioned page I could only find a version from 2018, which probably does not contain the fix. Is there such a fix for this version and where can this driver be downloaded?
    What about the ODBC drivers that come with the Windows operating system? Do they not have the bug or are they updated via the normal Windows patching?

    Kind regards 

    Elmar