
Microsoft just released a security update for CVE-2021-1636, a security vulnerability. Not much information is available at the moment. Any input on the following points will be highly appreciated:

  • How critical is this update? Do we need to apply this update as soon as possible?
  • If the SQL Server is not available over the internet, will it still be vulnerable?

We generally apply updates in test environments and wait for a month before moving to production if no problem is found. But since we have limited information available for this update, is anyone planning to install this update on production servers soon, considering it could be critical?

TIA.

3 Answers

1

It is critical; my customers are testing it in their dev/test/quality environments. They will install it for sure in a few days.

The exploit is not public, and given the security risk – attackers own the server – I wouldn’t expect them to reveal it publicly anytime soon. It takes forever to get folks patched.

1

If you look at the metrics Microsoft uses from an independent system (First.org), the Base Score is High with an 8, while the Temporal Score is relatively low with a 3. So in terms of how critical an issue it is, it is rather important to patch, and there is relatively high confidence in the fix for the vulnerability.

Also important to note: the Attack Vector is "network" level, coupled with this description of the exploit:

"How can an attacker exploit this vulnerability? An authenticated attacker can send data over a network to an affected SQL Server when configured to run an Extended Event session."

If your SQL Server is completely isolated from outside the intranet, it's probably unlikely to be as much of a vulnerability, but if your network has any potential to be compromised then so does the complete isolation of your SQL Server from the internet.
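Two practical questions run through this answer and the next one: does the build on each server already carry the fix, and what does the exploit need. The following is an added example, not code from the original thread or from Microsoft. It classifies a SERVERPROPERTY('ProductVersion') string against the first fixed build of its servicing branch (GDR or CU), because a security update ships as a different build number on each branch and a single "build >= X" comparison misclassifies CU builds. The function names (parse_build, classify) and the BRANCHES table are my assumptions; the build numbers are what I recall of the January 2021 releases and must be verified against Microsoft's KB articles before use.

```python
"""Classify a SQL Server ProductVersion string as patched or not for a given
security update, per servicing branch.  Added example; not code from the
original thread.  Hypothetical names: parse_build, classify, BRANCHES."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Build = Tuple[int, int, int, int]


@dataclass(frozen=True)
class Branch:
    name: str     # "GDR" (security-only) or "CU" (cumulative update) branch
    floor: Build  # first build that belongs to this branch
    fixed: Build  # first build on this branch that carries the fix


# ASSUMPTION: branch floors and first-fixed builds as I recall them from the
# January 2021 SQL Server security updates.  Verify every value against the
# Microsoft KB articles for the update before relying on this table.
BRANCHES: Dict[str, List[Branch]] = {
    "SQL Server 2019": [
        Branch("GDR", (15, 0, 2000, 0), (15, 0, 2080, 9)),
        Branch("CU", (15, 0, 4000, 0), (15, 0, 4083, 2)),
    ],
    "SQL Server 2017": [
        Branch("GDR", (14, 0, 2000, 0), (14, 0, 2037, 2)),
        Branch("CU", (14, 0, 3000, 0), (14, 0, 3370, 1)),
    ],
    "SQL Server 2016 SP2": [
        Branch("GDR", (13, 0, 5026, 0), (13, 0, 5103, 6)),
        Branch("CU", (13, 0, 5149, 0), (13, 0, 5865, 1)),
    ],
}

# Run this on each instance to obtain the input for classify():
VERSION_QUERY = "SELECT CAST(SERVERPROPERTY('ProductVersion') AS nvarchar(128));"


def parse_build(version: str) -> Build:
    """Turn '15.0.4083.2' into (15, 0, 4083, 2); reject anything else."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected ProductVersion: {version!r}")
    return (int(parts[0]), int(parts[1]), int(parts[2]), int(parts[3]))


def fmt(build: Build) -> str:
    return ".".join(str(n) for n in build)


def classify(version: str) -> Tuple[str, str]:
    """Return (status, detail).

    status is 'patched', 'vulnerable', 'no-fix-on-branch' or 'unknown'.
    The build is assigned to the highest branch whose floor it reaches, then
    compared against that branch's first fixed build.  A plain numeric
    comparison against one fixed build would misclassify: a CU build can be
    numerically above the GDR fix and still lack the patch.
    """
    build = parse_build(version)
    for product, branches in BRANCHES.items():
        if build[:2] != branches[0].floor[:2]:
            continue
        candidates = [b for b in branches if build >= b.floor]
        if not candidates:
            return ("no-fix-on-branch",
                    f"{product}: build {fmt(build)} predates every serviced branch")
        branch = max(candidates, key=lambda b: b.floor)
        status = "patched" if build >= branch.fixed else "vulnerable"
        return (status,
                f"{product} {branch.name} branch; fix first shipped in {fmt(branch.fixed)}")
    return ("unknown", f"major.minor {build[0]}.{build[1]} not in table")


if __name__ == "__main__":
    # Constructed sample inventory, as if collected by running VERSION_QUERY
    # on each host; the host names and versions are made up for the demo.
    inventory = {
        "sql-prod-01": "15.0.4083.2",
        "sql-prod-02": "15.0.4003.23",
        "sql-test-01": "15.0.2080.9",
        "sql-legacy-01": "13.0.4604.0",
    }
    for host, version in inventory.items():
        status, detail = classify(version)
        print(f"{host:14} {version:14} {status:17} {detail}")
```

On the precondition quoted above (a running Extended Events session): the running sessions on an instance are listed by `SELECT name FROM sys.dm_xe_sessions;`, and the built-in system_health session is started automatically by default, so an unpatched instance should be assumed to meet that precondition unless you have explicitly verified otherwise. Isolation from the internet does not remove the "authenticated attacker on the network" path; it only limits who can reach the instance.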

1

Yes, patch. I am right now working on a plan to patch 100s of servers in our dev and production environments. Even if you believe your network is impenetrable, there is no harm in being prepared, except the cost of doing so. The cost of being wrong is far, far higher. There aren't a lot of details about the specifics of the exploit because, until everyone is patched, that is giving vital information for both us and those who would use it to exploit us.
