We've released hotfix packages for the following drivers to address important security issues:
Related CVEs for these updates are the following:
For ODBC:
CVE-2024-28929 - Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-28930 - Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-28931 - Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-28932 - Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-28933 - Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-28934 - Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-28935 - Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-28936 - Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-28937 - Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-28938 - Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-28941 - Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-28943 - Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-29043 - Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability
For OLE DB:
CVE-2024-28906 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-28908 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-28909 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-28910 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-28911 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-28912 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-28913 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-28914 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-28915 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-28926 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-28927 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-28939 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-28940 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-28942 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-28944 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-28945 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-29044 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-29045 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-29046 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-29047 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-29048 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-29984 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-29983 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-29982 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-29985 - Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
All the issues involve connecting to a malicious server that sends malicious data in order to compromise a client. These driver updates are available via Microsoft Update, standalone download, and are included in the SQL Server 2019 and SQL Server 2022 updates that released April 9, 2024.
For Windows installations, automatic updates will be provided via Microsoft Update or you can download the packages directly:
Linux and macOS packages for ODBC are also available and can be updated via package managers on most platforms. For installation details and manual instructions, see the online instructions for Linux or macOS.
**** UPDATE ****
If you need the packages from the Microsoft Update catalog, unfortunately those weren't uploaded with unique names. Here is a table to help you to identify and download them. These packages are wrappers around the MSI packages and only perform a silent install/update. The update package for Microsoft OLE DB Driver 19 for SQL Server also includes the VC Runtime to ensure a seamless update from OLE DB driver version 19.2 or lower.
Microsoft ODBC Driver 17 for SQL Server
Microsoft ODBC Driver 18 for SQL Server
Microsoft OLE DB Driver 19 for SQL Server
Microsoft OLE DB Driver for SQL Server
On Windows, look in Add or remove programs. The version is shown with the installed package. Additionally, you can look at the file properties of the installed files and inspect the Product Version field in the Details. Here are the main files for each driver:
On Linux you can use package manager commands to view the version of the installed ODBC driver package. Or you can look directly at the files, which live in /opt/microsoft/msodbcsql17/lib64/ or /opt/microsoft/msodbcsql18/lib64/ and have the version in their name: libmsodbcsql-17.X.so.X.X or libmsodbcsql-18.X.so.X.X.
We are committed to improving quality and bringing more feature support for connecting to SQL Server Azure SQL Database Azure SQL DW, and Azure SQL Managed Instance through regular driver releases. We invite you to explore the latest the Microsoft Data Platform has to offer via a trial of Microsoft Azure SQL Database or by evaluating Microsoft SQL Server.
David Engel
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.