All the issues involve a malicious server sending malicious data in order to compromise a client. These driver updates are included in SQL Server 2019 CU21 and SQL Server 2022 CU5. If you use the drivers in the context of either of those installs, those updates will update the drivers for you. If you have deployed the drivers as part of a standalone application, you may want to consider updating them. The vulnerabilities require a potential attacker to direct a connection to a malicious server, so if your scenario allows that, you should update.
For Windows installations, you can directly download the packages:
Microsoft ODBC Driver 17.10.4 for SQL Server (download)
Microsoft ODBC Driver 18.2.2 for SQL Server (download)
Microsoft OLE DB Driver 18.6.6 for SQL Server (download)
Microsoft OLE DB Driver 19.3.1 for SQL Server (download)
Linux and macOS packages for ODBC are also available and can be updated via package managers on most platforms. For installation details and manual instructions, see the online instructions for Linux or macOS.
How do I know what version of a driver I have installed?
On Windows, look in Add or remove programs. The version is shown with the installed package. Additionally, you can look at the file properties of the installed files and inspect the Product Version field in the Details. Here are the main files for each driver:
Microsoft ODBC Driver 17 for SQL Server - %Windir%\system32\msodbcsql17.dll
Microsoft ODBC Driver 18 for SQL Server - %Windir%\system32\msodbcsql18.dll
Microsoft OLE DB Driver 18 for SQL Server - %Windir%\system32\msoledbsql.dll
Microsoft OLE DB Driver 19 for SQL Server - %Windir%\system32\msodlebsql19.dll
On Linux you can use package manager commands to view the version of the installed package. Or you can look directly at the files, which live in /opt/microsoft/msodbcsql17/lib64/ or /opt/microsoft/msodbcsql18/lib64/ and have the version in their name: libmsodbcsql-17.X.so.X.X or libmsodbcsql-18.X.so.X.X.