Forum Discussion
kniper2185
Sep 03, 2024, Copper Contributor
Unpatched known vulnerabilities SQL Server 2019 GDR
We are running an installation of SQL Server 2019 GDR (version 15.0.2116.2) and I see we have these vulnerable commons-collections-3.2.1.jar files present in the following two locations:
- C:\Program Files\Microsoft SQL Server\150\DTS\Extensions\Common\Jars
- C:\Program Files (x86)\Microsoft SQL Server\150\DTS\Extensions\Common\Jars
The following CVEs need to be mitigated:
How can we address this? We have installed the latest security update KB5040986.
- Hello
I'd suggest you apply SQL 2019 CU 28 (15.0.4385.2 - August 2024), which includes the latest GDR released (15.0.4382.1 - July 2024):
https://learn.microsoft.com/en-us/troubleshoot/sql/releases/sqlserver-2019/cumulativeupdate28
- kniper2185, Copper Contributor
So I already did install the latest GDR update KB5040986 from July 9, 2024.
Why would installing KB5039747 make a difference for this particular security issue?
I understand that GDR-updates should contain all security related fixes. Where can I find that installing this patch will resolve this?
Also, the CVEs I mentioned are very old already, which makes me doubt this:
- CVE-2015-6420 --> published 2015-12-15
- CVE-2017-15708 --> published 2017-12-11
I'm asking this, because I don't want to take any risks with this SQL Server installation since it's being used for quite an old application at the time and the software is being maintained by a software supplier who, given our experience with them, aren't going to resolve potential issues quickly.
My goal is merely to resolve these vulnerabilities without taking too many risks.
- kniper2185, Copper Contributor
So I took the effort to install this SQL Server 2019 in a test VM environment and I did apply KB5039747 (version 15.0.4385.2), and indeed the commons-collections-3.2.1.jar is updated to commons-collections-3.2.2.jar.
The date of this file is the 25th of July 2024, so pretty recent. Can I assume this fix will be applied in the next GDR release through Windows Update?
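The before/after check the thread describes by hand, as an added PowerShell example (not code from the posters or from Microsoft): it inventories the commons-collections jars under the two DTS Extensions folders named above, flags anything older than 3.2.2 (the version the poster found after applying the update), and records a SHA-256 for the change record. The function and parameter names and the output shape are assumptions of this example; only the paths, jar names and versions come from the thread.

```powershell
# Added example: inventory commons-collections jars in the SQL Server 2019 DTS
# extension folders named in this thread and flag versions below 3.2.2.
# Run in an elevated PowerShell session on the SQL Server host.
$JarPaths = @(
    'C:\Program Files\Microsoft SQL Server\150\DTS\Extensions\Common\Jars',
    'C:\Program Files (x86)\Microsoft SQL Server\150\DTS\Extensions\Common\Jars'
)
$MinimumSafeVersion = [version]'3.2.2'   # version observed after KB5039747 / CU28

function Get-CommonsCollectionsInventory {
    # Hypothetical helper name; returns one object per jar (or per missing folder).
    param([string[]]$Paths, [version]$MinimumVersion)

    foreach ($dir in $Paths) {
        if (-not (Test-Path -LiteralPath $dir)) {
            # Folder absent (e.g. 32-bit tools not installed): record it rather than skip silently.
            [pscustomobject]@{ Path = $dir; File = $null; Version = $null; Status = 'PathMissing'; Modified = $null; Sha256 = $null }
            continue
        }
        Get-ChildItem -LiteralPath $dir -Filter 'commons-collections*.jar' -File | ForEach-Object {
            # Pull the version out of names such as commons-collections-3.2.1.jar
            $ver = $null
            if ($_.BaseName -match 'commons-collections-(\d+(\.\d+)+)$') { $ver = [version]$Matches[1] }
            $status = if ($null -eq $ver) { 'UnknownVersion' }
                      elseif ($ver -lt $MinimumVersion) { 'Vulnerable' }
                      else { 'OK' }
            [pscustomobject]@{
                Path     = $dir
                File     = $_.Name
                Version  = $ver
                Status   = $status
                Modified = $_.LastWriteTime
                Sha256   = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
    }
}

$inventory = Get-CommonsCollectionsInventory -Paths $JarPaths -MinimumVersion $MinimumSafeVersion
$inventory | Format-Table Path, File, Version, Status, Modified -AutoSize

# Non-zero exit code if any vulnerable jar remains, so the check can run from a scheduled job
# before and after patching and the difference is visible in the job result.
if ($inventory | Where-Object Status -eq 'Vulnerable') { exit 1 } else { exit 0 }
```

Run it once before and once after applying the CU in the test VM; the 3.2.1 entries should change from Vulnerable to OK with a new hash and the July 2024 modification date the poster saw.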