On Aug. 14, Microsoft released five patches spanning its SQL Server 2016 and 2017 versions as part of a security hotfix for SQL Server 2016. One of these hotfixes, KB4293807, applies only to instances when Microsoft SQL Server 2016 Service Pack 2 has already been installed. Microsoft released this hotfix in a state that left certain testing trace flags enabled when they’re usually off by default for the general public. Microsoft is not publicly stating what the effects of the enabled trace flags were, but considered the issue important enough to pull KB4293807 from its Microsoft Download Center support site and replace it with KB4458621.
The patches were released to fix a discovered buffer overflow vulnerability that could allow remote code execution on infected system. SQL Server Remote Code Execution Vulnerability CVE-2018-8273, as it’s been labeled, could allow an attacker to take control of an instance and execute code under the context of the SQL Server Database Engine service account.
At publication time, no exploits had been reported. However, organizations should apply the appropriate version of the patch to remove the risk of intrusion, which includes the risk of a denial-of-service-type attack.
If you have already downloaded and installed KB4293807, Microsoft is directing you to uninstall that Cumulative Update and replace it with KB4458621. It’s recommended that you perform this remediation even if you’ve yet to experience any negative impacts the enabled test trace flags may surface.
For more information about the original vulnerability this patch was released to mitigate, and to get links to all five versions of the security update, visit the official security advisory link here.
