GlenD1945
Copper Contributor
Sep 24, 2024

How to upgrade Browser for SQL Server 2022 16.0.1000.6 and Microsoft VSS Writer for SQL Server 2022

We need to upgrade ‘Browser for SQL Server 2022 16.0.1000.6’ and ‘Microsoft VSS Writer for SQL Server 2022 16.0.1000.6’ in order to be SOC2 compliant. We use SentinelOne application vulnerability scan reports as SOC2 evidence, and SentinelOne is reporting these as vulnerable, so we are forced to remediate.

We have Microsoft SQL Server 2022 (RTM-CU14-GDR) (KB5042578) - 16.0.4140.3 (X64) installed on top of Windows Server 2022 Standard.

We bought the server(s) from Dell with Microsoft SQL Server 2022 (RTM-CU14-GDR) (KB5042578) - 16.0.4140.3 (X64) installed on top of Windows Server 2022 Standard, and we have access to the installation files for both Windows Server 2022 Standard and Microsoft SQL Server 2022; however, they are both the same versions as what we currently have.

We installed the cumulative update(s) SQLServer2022-KB5038325-x64.exe, but this did not upgrade Browser for SQL Server 2022 or Microsoft VSS Writer for SQL Server. After some research, it seems that the way it is done is by upgrading to the latest version of Microsoft SQL Server 2022. Have I missed something? … We are surely not the first to be in this situation and would appreciate some guidance.

Am I correct in thinking that the only way is to get ahold of a current installation ISO of Microsoft SQL Server 2022?

Any input is appreciated.

  • GlenD1945
    Copper Contributor
    I believe that both vulnerabilities have been patched with KB5046059 and that the reason Sentinel is still reporting it as unpatched is that the version numbers (‘Microsoft VSS Writer for SQL Server 2022 16.0.10’ and ‘Browser for SQL Server 2022 16.0.10’) have not changed. When collecting SOC2 evidence (SO12) I included a screenshot of installed updates and an explanation. I think it will be accepted at the next audit; it should be.
    • GlenD1945
      Copper Contributor
      No, we never figured it out. We are going to add a note to our SOC2 evidence gathering; what exactly we are going to say, I do not know.
  • olafhelper
    Bronze Contributor

    GlenD1945 wrote:

    We need to upgrade ‘Browser for SQL Server 2022 16.0.1000.6’ and ‘Microsoft VSS Writer for SQL Server 2022 16.0.1000.6’ in order to be SOC2 compliant. We use SentinelOne application vulnerability scan reports as SOC2 evidence, and SentinelOne is reporting these as vulnerable, so we are forced to remediate.

    GlenD1945, I have never heard of such a strange thing, and who cares what a third-party app like SentinelOne reports; it doesn't have to be right.

    • GlenD1945
      Copper Contributor
      The answer to 'who cares' is the SOC2 auditing firm. That will decide if we are compliant. The reason SentinelOne application vulnerability reports matter in our situation is that they are what we use as evidence that we are patching according to our policy (we are using them as proof of having done what we say we do in our policies).
  • rafaelsalgado92
    Copper Contributor

    Hi, I'm in a similar situation. I have SQL Server 2017 and 2019, but even after updating to the latest cumulative update, the SQL Server Browser does not change version; it remains the same as when it was installed. And SentinelOne rightly flagged it as obsolete. In this case, from what I have researched, there seems to be no way to update it.

    • GlenD1945
      Copper Contributor

      I believe that both vulnerabilities have been patched with KB5046059 and any future audit will have to accept that. Ultimately it is a shortcoming of SentinelOne, from apparently relying on version numbers to indicate whether a supposed vuln has been patched or not. The reason Sentinel is still reporting it as unpatched is that the version numbers (‘Microsoft VSS Writer for SQL Server 2022 16.0.10’ and ‘Browser for SQL Server 2022 16.0.10’) have not changed. When collecting SOC2 evidence (SO12) I included a screenshot of installed updates and an explanation. I think it will be accepted at the next audit; it should be.
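
Added example, not posted by any participant in this thread: a PowerShell sketch that collects the evidence discussed above in one pass, showing the product version recorded for the two components, the file version of the binaries their services run, and whether the KB is registered on the host. It assumes the service names `SQLBrowser` and `SQLWriter`, the standard Uninstall registry keys, and that the update's entry carries the KB id in its display name.

```powershell
# Added example. Assumed names: services SQLBrowser / SQLWriter, standard Uninstall keys.
$kb = 'KB5046059'   # KB cited in the thread; replace with the update you applied

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$entries = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName }

# 1. Product version recorded for each component (the number quoted in the thread).
$products = $entries |
    Where-Object { $_.DisplayName -like 'Browser for SQL Server*' -or
                   $_.DisplayName -like 'Microsoft VSS Writer for SQL Server*' } |
    Select-Object DisplayName, DisplayVersion, InstallDate

# 2. File version of the binary each service actually runs.
$binaries = Get-CimInstance Win32_Service -Filter "Name='SQLBrowser' OR Name='SQLWriter'" |
    ForEach-Object {
        # PathName can be quoted and carry arguments; keep only the .exe path.
        if ($_.PathName -match '^"?(?<exe>[^"]+?\.exe)') {
            $file = Get-Item -LiteralPath $Matches['exe']
            [pscustomobject]@{
                Service      = $_.Name
                Path         = $file.FullName
                FileVersion  = $file.VersionInfo.FileVersion
                LastModified = $file.LastWriteTime.ToString('s')
            }
        }
    }

# 3. Whether the update is registered on this host (assumes the KB id is in DisplayName).
$update = $entries | Where-Object { $_.DisplayName -like "*$kb*" } |
    Select-Object DisplayName, DisplayVersion, InstallDate
if (-not $update) { Write-Warning "$kb not found among installed programs/updates" }

# Write one timestamped record that can be attached to the audit evidence.
$report = [pscustomobject]@{
    Host      = $env:COMPUTERNAME
    Collected = (Get-Date).ToString('s')
    Products  = @($products)
    Binaries  = @($binaries)
    Update    = @($update)
}
$report | ConvertTo-Json -Depth 4 | Set-Content ".\sql-component-evidence-$($env:COMPUTERNAME).json"
$report | Format-List
```

If the file versions in step 2 differ from the product versions in step 1, the record documents that difference; if they match, the record shows that too, and the scanner finding needs a different explanation.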
