We've released hotfix packages for the following drivers to address an important security issue:
- Microsoft OLE DB Driver for SQL Server (version 18.7.4 release notes / download)
- Microsoft OLE DB Driver 19 for SQL Server (version 19.3.5 release notes / download)
The CVE for these OLE DB driver updates is:
The issue involves connecting to a malicious server that sends malicious data in order to compromise a client. These driver updates are available via Microsoft Update, standalone download, and are included in the SQL Server 2019 and SQL Server 2022 updates that released July 9, 2024.
Next steps
For Windows installations, automatic updates will be provided via Microsoft Update or you can download the packages directly:
- Microsoft OLE DB Driver 18 for SQL Server (version 18.7.4 download)
- Microsoft OLE DB Driver 19 for SQL Server (version 19.3.5 download)
How do I know what version of a driver I have installed?
On Windows, look in Add or remove programs. The version is shown with the installed package. Additionally, you can look at the file properties of the installed files and inspect the Product Version field in the Details. Here are the main files for each driver:
- Microsoft OLE DB Driver for SQL Server - %Windir%\system32\msoledbsql.dll
- Microsoft OLE DB Driver 19 for SQL Server - %Windir%\system32\msoledbsql19.dll
Roadmap
We are committed to improving quality and bringing more feature support for connecting to SQL Server Azure SQL Database Azure Synapse Analytics, and Azure SQL Managed Instance through regular driver releases. We invite you to explore the latest the Microsoft Data Platform has to offer via a trial of Microsoft Azure SQL Database or by evaluating Microsoft SQL Server.
David Engel
Microsoft
