Vulnerability scan

  • Question

  • Hi, I am looking for some feedback regarding the concerns below. Our servers have SQL Server 2008 R2 SP2 Enterprise Edition.

    We received these vulnerabilities when we performed a vulnerability scan.

    1. Microsoft Foundation Class Library Remote Code Execution Vulnerability (MS11-025)

    -- So based on my read of the Security Bulletin this is likely for the Microsoft Visual C++ Redistributable Package (since we don't install Visual Studio on the servers).
    Does this usually get installed when we install SQL Server 2008? Can someone clarify, and would there be any issues if I remove it from the database server?

    2. Microsoft Windows GDI+ Remote Code Execution Vulnerability (MS09-062)
    Is this a known vulnerability, and do I need to patch the DB servers when I get this?

    3. Microsoft XML Editor Information Disclosure Vulnerability (MS11-049)

    Is this a SQL Server vulnerability? Do I need to patch the server?

    All these security patches were released before the SQL Server 2008 R2 SP2 release date.

    But if I go to apply this patch, the bulletin does not have anything for my SQL version. They have updates only for SQL 2008 R2 RTM. Please see the link below.

    I am confused, as in the "applies to" section I don't see SQL Server 2008 R2 SP2. When you look closely at the "applies to" section I can see SQL 2005 SP4 and SQL 2008 SP2, SQL 2008 SP1 etc., but not SQL Server 2008 R2 SP2.

    Do I still need to apply these security patches?

    Wednesday, June 4, 2014 2:07 PM

All replies

  • It seems reasonable to assume that these fixes are included in SQL 2008 SP2, as far as SQL Server is concerned by them. None of them looks directly SQL Server-related to me. You have other components on your system that are affected by these vulnerabilities.

    What tool did you use for the vulnerability scan? Have you spoken to that vendor about why they think you are open to these vulnerabilities?

    Erland Sommarskog, SQL Server MVP, esquel@sommarskog.se
    Wednesday, June 4, 2014 9:26 PM
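As an added example (not from either post in this thread), a PowerShell inventory that reconciles findings like these against what is actually installed on the scanned host: it lists the Visual C++ redistributables present (the usual source of the MFC libraries covered by MS11-025), the on-disk file versions of mfc*.dll and gdiplus.dll (the GDI+ component covered by MS09-062), and whether a given set of KB updates is installed. The $KbsToCheck values are placeholders to be filled in from the Knowledge Base article numbers listed in each bulletin; run it elevated on the server.

```powershell
# Added example: inventory the non-SQL components a scanner may flag and the
# Windows updates installed on this host, so a bulletin finding can be checked
# against what is really present before deciding whether to patch.
# Assumption: run elevated on the scanned server.

# Placeholder values: replace with the KB numbers named in each bulletin.
$KbsToCheck = @('KB_FROM_BULLETIN_1', 'KB_FROM_BULLETIN_2')

function Get-VcRedistInventory {
    # Installed Visual C++ redistributables, from the Uninstall registry keys
    # (native and 32-bit views), the packages that ship mfc*.dll.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Visual C++*' } |
        Select-Object DisplayName, DisplayVersion, InstallDate
}

function Get-ComponentDllVersions {
    # File versions of the MFC and GDI+ libraries on disk, so they can be
    # compared with the fixed versions the bulletin's file table lists.
    Get-ChildItem -Path "$env:windir\WinSxS" -Recurse -Include 'mfc*.dll', 'gdiplus.dll' `
                  -ErrorAction SilentlyContinue |
        Select-Object FullName, @{ n = 'FileVersion'; e = { $_.VersionInfo.FileVersion } }
}

function Get-KbInstallStatus {
    param([string[]] $Kbs)
    # Which of the bulletin KBs Windows reports as installed.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $Kbs) {
        [pscustomobject]@{ KB = $kb; Installed = ($installed -contains $kb) }
    }
}

Get-VcRedistInventory            | Format-Table -AutoSize
Get-ComponentDllVersions         | Format-Table -AutoSize
Get-KbInstallStatus $KbsToCheck  | Format-Table -AutoSize
```

Compare the reported file versions and KB status with the bulletin's affected-software and file-information tables; if the component is absent or already at the fixed version, raise that with the scanner vendor as the reply above suggests.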