We've released hotfix packages for the following drivers to address important security issues:
- Microsoft ODBC Driver 17 for SQL Server (version 17.10.6 release notes / download)
- Microsoft ODBC Driver 18 for SQL Server (version 18.3.3 release notes / download)
- Microsoft OLE DB Driver for SQL Server (version 18.7.2 release notes / download)
- Microsoft OLE DB Driver 19 for SQL Server (version 19.3.3 release notes / download)
Related CVEs for these updates are the following:
For ODBC:
- CVE-2024-28929 - Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability
- CVE-2024-28930 - Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability
- CVE-2024-28931 - Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability
- CVE-2024-28932 - Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability
- CVE-2024-28933 - Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability
- CVE-2024-28934 - Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability
- CVE-2024-28935 - Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability
- CVE-2024-28936 - Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability
- CVE-2024-28937 - Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability
- CVE-2024-28938 - Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability
- CVE-2024-28941 - Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability
- CVE-2024-28943 - Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability
- CVE-2024-29043 - Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability
For OLE DB:
- CVE-2024-28906 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
- CVE-2024-28908 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
- CVE-2024-28909 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
- CVE-2024-28910 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
- CVE-2024-28911 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
- CVE-2024-28912 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
- CVE-2024-28913 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
- CVE-2024-28914 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
- CVE-2024-28915 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
- CVE-2024-28926 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
- CVE-2024-28927 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
- CVE-2024-28939 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
- CVE-2024-28940 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
- CVE-2024-28942 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
- CVE-2024-28944 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
- CVE-2024-28945 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
- CVE-2024-29044 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
- CVE-2024-29045 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
- CVE-2024-29046 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
- CVE-2024-29047 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
- CVE-2024-29048 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
- CVE-2024-29984 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
- CVE-2024-29983 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
- CVE-2024-29982 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
- CVE-2024-29985 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
All the issues involve connecting to a malicious server that sends malicious data in order to compromise a client. These driver updates are available via Microsoft Update and as standalone downloads, and are included in the SQL Server 2019 and SQL Server 2022 updates released on April 9, 2024.
Next steps
For Windows installations, automatic updates will be provided via Microsoft Update or you can download the packages directly:
- Microsoft ODBC Driver 17 for SQL Server (version 17.10.6 download)
- Microsoft ODBC Driver 18 for SQL Server (version 18.3.3 download)
- Microsoft OLE DB Driver 18 for SQL Server (version 18.7.2 download)
- Microsoft OLE DB Driver 19 for SQL Server (version 19.3.3 download)
Linux and macOS packages for ODBC are also available and can be updated via package managers on most platforms. For installation details and manual instructions, see the online instructions for Linux or macOS.
**** UPDATE ****
If you need the packages from the Microsoft Update catalog, unfortunately those weren't uploaded with unique names. Here is a table to help you to identify and download them. These packages are wrappers around the MSI packages and only perform a silent install/update. The update package for Microsoft OLE DB Driver 19 for SQL Server also includes the VC Runtime to ensure a seamless update from OLE DB driver version 19.2 or lower.
- Microsoft ODBC Driver 17 for SQL Server
- Microsoft ODBC Driver 18 for SQL Server
- Microsoft OLE DB Driver 19 for SQL Server
- Microsoft OLE DB Driver for SQL Server
How do I know what version of a driver I have installed?
On Windows, look in Add or remove programs. The version is shown with the installed package. Additionally, you can look at the file properties of the installed files and inspect the Product Version field in the Details. Here are the main files for each driver:
- Microsoft ODBC Driver 17 for SQL Server - %Windir%\system32\msodbcsql17.dll
- Microsoft ODBC Driver 18 for SQL Server - %Windir%\system32\msodbcsql18.dll
- Microsoft OLE DB Driver for SQL Server - %Windir%\system32\msoledbsql.dll
- Microsoft OLE DB Driver 19 for SQL Server - %Windir%\system32\msoledbsql19.dll
On Linux you can use package manager commands to view the version of the installed ODBC driver package. Or you can look directly at the files, which live in /opt/microsoft/msodbcsql17/lib64/ or /opt/microsoft/msodbcsql18/lib64/ and have the version in their name: libmsodbcsql-17.X.so.X.X or libmsodbcsql-18.X.so.X.X.
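An added example (not part of the original post): a POSIX shell check that rebuilds the installed ODBC driver version from the library file name described above and compares it with the hotfix versions listed in this post. It assumes the two parts of the file name join as `17.X` plus `X.X`, and treats any older version as needing the update; the function names are illustrative.

```shell
# Hotfix versions named in this post, keyed by driver major version.
fixed_version_for() {
    case "$1" in 17) echo 17.10.6 ;; 18) echo 18.3.3 ;; *) return 1 ;; esac
}

# libmsodbcsql-17.10.so.6.1 -> 17.10.6.1 (assumed: the parts around ".so." join)
version_from_libname() {
    name=${1##*/}
    case "$name" in libmsodbcsql-*.so.*) ;; *) return 1 ;; esac
    pre=${name#libmsodbcsql-}; pre=${pre%%.so.*}
    ver="$pre.${name##*.so.}"
    case "$ver" in *[!0-9.]*) return 1 ;; esac   # reject anything non-numeric
    echo "$ver"
}

# Succeeds if $1 >= $2, comparing dot-separated fields numerically (17.9 < 17.10).
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=; else b=${b#*.}; fi
        x=${x:-0}; y=${y:-0}                     # missing fields count as 0
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# Returns 0 = at or above hotfix, 1 = older, 2 = not a recognised driver file.
check_lib() {
    ver=$(version_from_libname "$1") || { echo "SKIP   $1"; return 2; }
    fixed=$(fixed_version_for "${ver%%.*}") || { echo "SKIP   $1"; return 2; }
    if version_ge "$ver" "$fixed"; then echo "OK     $1 ($ver)"
    else echo "UPDATE $1 ($ver < $fixed)"; return 1; fi
}

# Scan the install directories given in the post; non-zero if any file is not OK.
scan_odbc_dirs() {
    rc=0
    for lib in /opt/microsoft/msodbcsql1[78]/lib64/libmsodbcsql-*.so.*; do
        [ -e "$lib" ] || continue                # glob matched nothing
        check_lib "$lib" || rc=1
    done
    return $rc
}

scan_odbc_dirs || echo "At least one ODBC driver predates the hotfix."
```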
Roadmap
We are committed to improving quality and bringing more feature support for connecting to SQL Server, Azure SQL Database, Azure SQL DW, and Azure SQL Managed Instance through regular driver releases. We invite you to explore the latest the Microsoft Data Platform has to offer via a trial of Microsoft Azure SQL Database or by evaluating Microsoft SQL Server.
David Engel
Updated Sep 24, 2024