KB5029377 is the security update for the SQL Server 2019 GDR (General Distribution Release) servicing branch. Microsoft released it on 10 October 2023 as part of the October 2023 Patch Tuesday.
Salient points
- KB5029377 is the security update for SQL Server 2019 instances, on Windows and on Linux distributions, that run on the GDR (General Distribution Release) branch.
- KB5029378 is the corresponding security update for SQL Server 2019 instances on the CU (Cumulative Update) branch.
- KB5029377 supersedes KB5021125, the previous GDR security update, which was released on 14 February 2023.
- KB5029377 raises the SQL Server 2019 GDR build to 15.0.2104.1.
- KB5029377 applies to GDR builds from 15.0.2000.5 (the RTM build) through 15.0.2101.7 inclusive. Instances on a CU build (15.0.4xxx.x) should use KB5029378 instead; installing a GDR does not move an instance onto the CU branch.
- The update ships as an executable installer (.exe).
- KB5029377 fixes four Remote Code Execution vulnerabilities and one Denial of Service vulnerability, and includes one non-security bug fix for SQL Server 2019 GDR. Details of the vulnerabilities are given below.
- The update file is SQLServer2019-KB5029377-x64.exe. Its SHA256 hash is 2D7643A4AC140638A23170AA047EB35769B2FA237FA85B7C4793825405F8B1E9. Verify the hash of the downloaded file, and its Authenticode signature, before running it: an installer that runs as an administrator on a database server is a high-value target for tampering.
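The two checks a practitioner wants before touching the server, written out as an added PowerShell example (this is not code from the KB article or from Microsoft): decide from `SERVERPROPERTY('ProductVersion')` whether the instance is actually in the 15.0.2000.5 to 15.0.2101.7 range this GDR serves, and confirm the downloaded installer's SHA256 and Authenticode signature. It assumes Windows PowerShell 5.1 or later (System.Data.SqlClient comes with the .NET Framework, so no SqlServer module is needed), Windows authentication to the instance, and placeholder values for the instance name and installer path.

```powershell
# Added example: applicability and integrity checks for KB5029377.
# Assumes Windows PowerShell 5.1+, Windows authentication to the instance, and
# placeholder values for the instance name and installer path.

# Build boundaries taken from the KB article.
$GdrMinBuild     = [version]'15.0.2000.5'   # SQL Server 2019 RTM
$GdrMaxBuild     = [version]'15.0.2101.7'   # last unpatched GDR build
$GdrPatchedBuild = [version]'15.0.2104.1'   # build installed by KB5029377

# SHA256 of SQLServer2019-KB5029377-x64.exe as published on the page.
$ExpectedSha256 = '2D7643A4AC140638A23170AA047EB35769B2FA237FA85B7C4793825405F8B1E9'

function Get-SqlProductVersion {
    # Returns SERVERPROPERTY('ProductVersion') of the instance as a [version].
    param([Parameter(Mandatory)][string]$ServerInstance)
    $conn = New-Object System.Data.SqlClient.SqlConnection(
        "Server=$ServerInstance;Integrated Security=True;Encrypt=True;TrustServerCertificate=True")
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = "SELECT CAST(SERVERPROPERTY('ProductVersion') AS nvarchar(128))"
        return [version]$cmd.ExecuteScalar()
    }
    finally {
        $conn.Dispose()
    }
}

function Test-Kb5029377Applies {
    # Classifies a build against the ranges above. GDR builds are 15.0.2xxx.x;
    # CU builds are 15.0.4xxx.x and are serviced by KB5029378, not this update.
    param([Parameter(Mandatory)][version]$ProductVersion)
    if ($ProductVersion.Major -ne 15) { $status = 'NotSqlServer2019' }
    elseif ($ProductVersion.Build -ge 4000) { $status = 'CuBranch-UseKB5029378' }
    elseif ($ProductVersion -ge $GdrPatchedBuild) { $status = 'AlreadyPatched' }
    elseif ($ProductVersion -ge $GdrMinBuild -and $ProductVersion -le $GdrMaxBuild) { $status = 'Applies' }
    else { $status = 'UnexpectedBuild' }
    [pscustomobject]@{ ProductVersion = $ProductVersion; Status = $status }
}

function Test-InstallerIntegrity {
    # Compares the file's SHA256 with the published value and checks that the
    # Authenticode signature chain is valid. Both must pass before installing.
    param(
        [Parameter(Mandatory)][string]$InstallerPath,
        [string]$Expected = $ExpectedSha256
    )
    $actual = (Get-FileHash -Path $InstallerPath -Algorithm SHA256).Hash
    $sig    = Get-AuthenticodeSignature -FilePath $InstallerPath
    [pscustomobject]@{
        File          = $InstallerPath
        Sha256Matches = ($actual -ieq $Expected)
        ActualSha256  = $actual
        SignatureOk   = ($sig.Status -eq 'Valid')
        Signer        = $sig.SignerCertificate.Subject
    }
}

# Usage with placeholder instance name and path.
$ver = Get-SqlProductVersion -ServerInstance 'SQLHOST\SQL2019'
Test-Kb5029377Applies -ProductVersion $ver

$check = Test-InstallerIntegrity -InstallerPath 'C:\Patches\SQLServer2019-KB5029377-x64.exe'
if (-not ($check.Sha256Matches -and $check.SignatureOk)) {
    throw "Refusing to install: hash match=$($check.Sha256Matches), signature valid=$($check.SignatureOk)"
}
```

The version classification deliberately tests the CU branch (third version component 4000 or higher) before comparing against the patched GDR build, because a CU build such as 15.0.4xxx.x sorts numerically above 15.0.2104.1 and would otherwise be reported as already patched.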
Download KB5029377
KB5029377 is offered automatically through Microsoft Update (Windows Update with the option to receive updates for other Microsoft products enabled).
You can also install the KB5029377 security update for SQL Server 2019 GDR from an offline installer. The installer can be downloaded from the Microsoft Update Catalog or from the Microsoft Download Center.
The Microsoft Update Catalog entry and the direct download links for the offline installer are listed below.
- Download KB5029377 from the Microsoft Update Catalog site
- Direct download KB5029377 file
- Direct download KB5029377 from the Microsoft Download Center
The KB5029377 update file is 472.3 MB. Installation may require a server restart, so apply the update to SQL Server 2019 GDR in a managed change window rather than on a live schedule.
Vulnerabilities
KB5029377 addresses five security vulnerabilities in SQL Server 2019 GDR, listed below. Microsoft rates all five as Important. Four of them are in the client-side ODBC and OLE DB drivers: the server update fixes the driver copies that ship with SQL Server, but drivers installed separately on client and application machines must be updated from their own driver packages.
| CVE | CVSS Score | Impact | Severity | Comments |
|---|---|---|---|---|
| CVE-2023-36420 | 7.8 | Remote Code Execution | Important | Affects the Microsoft ODBC Driver for SQL Server. An attacker who tricks an authenticated user into connecting to a malicious SQL Server over ODBC can send the client a crafted network packet and execute code on the client. KB5029377 fixes the driver copies bundled with SQL Server; separately installed ODBC Driver 17 or 18 must be updated to the fixed build listed in the advisory. |
| CVE-2023-36417 | 7.8 | Remote Code Execution | Important | Affects the Microsoft OLE DB Driver for SQL Server. KB5029377 fixes the driver copies bundled with SQL Server; separately installed OLE DB Driver 18 or 19 must be updated to the fixed build listed in the advisory. |
| CVE-2023-36730 | 7.8 | Remote Code Execution | Important | Affects the Microsoft ODBC Driver for SQL Server. KB5029377 fixes the driver copies bundled with SQL Server; separately installed ODBC Driver 17 or 18 must be updated to the fixed build listed in the advisory. |
| CVE-2023-36785 | 7.8 | Remote Code Execution | Important | Affects the Microsoft ODBC Driver for SQL Server. As with CVE-2023-36420, an attacker who tricks an authenticated user into connecting to a malicious SQL Server over ODBC can send the client a crafted network packet and execute code on the client. KB5029377 fixes the driver copies bundled with SQL Server; separately installed ODBC Driver 17 or 18 must be updated to the fixed build listed in the advisory. |
| CVE-2023-36728 | 5.5 | Denial of Service | Important | Affects the SQL Server service itself rather than a client driver. An attacker could exploit it to make the service unavailable (Denial of Service). |
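Because four of the five CVEs live in the client drivers, patching the server is only half the job. The following added PowerShell example (not code from the KB article or from Microsoft) inventories the ODBC Driver 17/18 and OLE DB Driver 18/19 copies on a Windows client or application server, both the 64-bit copies in System32 and the 32-bit copies in SysWOW64, and flags any below a minimum build you supply. It assumes the drivers are installed under their standard DLL names (msodbcsql17.dll, msodbcsql18.dll, msoledbsql.dll, msoledbsql19.dll). The minimum builds in the usage section are my reading of the October 2023 advisories and are an assumption: confirm each value against the MSRC entry for the CVE before treating a machine as patched.

```powershell
# Added example: find SQL Server client drivers on a Windows machine and flag
# copies older than a minimum build. Assumes the standard DLL names below.

function Get-SqlClientDriverInventory {
    # msodbcsql17/18 are ODBC Driver 17/18; msoledbsql is OLE DB Driver 18 and
    # msoledbsql19 is OLE DB Driver 19.
    $drivers = @(
        @{ Name = 'ODBC Driver 17 for SQL Server';   File = 'msodbcsql17.dll' },
        @{ Name = 'ODBC Driver 18 for SQL Server';   File = 'msodbcsql18.dll' },
        @{ Name = 'OLE DB Driver 18 for SQL Server'; File = 'msoledbsql.dll' },
        @{ Name = 'OLE DB Driver 19 for SQL Server'; File = 'msoledbsql19.dll' }
    )
    # 64-bit copies live in System32; 32-bit applications load the SysWOW64 copies,
    # which are installed and versioned separately and are easy to forget.
    foreach ($dir in @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")) {
        $arch = if ($dir -like '*SysWOW64') { 'x86' } else { 'x64' }
        foreach ($d in $drivers) {
            $path = Join-Path $dir $d.File
            if (-not (Test-Path $path)) { continue }
            $vi = (Get-Item $path).VersionInfo
            [pscustomobject]@{
                Driver  = $d.Name
                Arch    = $arch
                Path    = $path
                Version = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
            }
        }
    }
}

function Test-SqlClientDriverVersions {
    # Joins the inventory with a table of minimum acceptable builds keyed by
    # driver name. Drivers with no baseline are reported rather than skipped.
    param(
        [Parameter(Mandatory)][hashtable]$MinimumBuild,
        [object[]]$Inventory = (Get-SqlClientDriverInventory)
    )
    foreach ($item in $Inventory) {
        $min = $MinimumBuild[$item.Driver]
        if ($null -eq $min) { $state = 'NoBaseline' }
        elseif ($item.Version -ge $min) { $state = 'Patched' }
        else { $state = 'Vulnerable' }
        [pscustomobject]@{
            Driver    = $item.Driver
            Arch      = $item.Arch
            Installed = $item.Version
            Minimum   = $min
            State     = $state
            Path      = $item.Path
        }
    }
}

# Usage. ASSUMPTION: these minimum builds are my reading of the October 2023
# driver fixes; verify each against the MSRC advisory for the CVE.
$minimum = @{
    'ODBC Driver 17 for SQL Server'   = [version]'17.10.5.1'
    'ODBC Driver 18 for SQL Server'   = [version]'18.3.2.1'
    'OLE DB Driver 18 for SQL Server' = [version]'18.6.7.0'
    'OLE DB Driver 19 for SQL Server' = [version]'19.3.2.0'
}
Test-SqlClientDriverVersions -MinimumBuild $minimum | Format-Table -AutoSize
```

Run it on every machine that connects to the database, not only on the database server: the vulnerable code is the driver parsing packets from the server, so an unpatched application host stays exposed to a malicious or compromised server even after KB5029377 is installed on the real one.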
Bug Fixes
KB5029377 also includes the non-security fix tracked as 2555117. Before this fix, a malformed TDS (Tabular Data Stream) packet sent to the server could cause a login failure, unavailability, or other undefined behaviour.
October 2023 Cumulative or Security Updates
You may also like to read more about the October 2023 cumulative updates below:
- KB5031354 Cumulative Update for Windows 11 version 22H2
- KB5031356 for Windows 10
- KB5031901 Update for .NET 7.0
- KB5031407 Security Update for Windows Server 2012 R2
- KB5031427 Security Update for Windows Server 2012
- KB5031419 Monthly Rollup for Windows Server 2012 R2
- KB5031442 Monthly Rollup Update for Windows Server 2012
- KB5031364 Cumulative Update for Windows Server 2022
- KB5031362 Cumulative Update for Windows Server 2016
- KB5031361 Cumulative Update for Windows Server 2019
Rajesh Dhawan is a technology professional who loves to blog about smart wearables, Cloud computing and Microsoft technologies. He loves to break complex problems into manageable chunks of meaningful information.