Hey Checkyourlogs Fans,

We are continuing with our recent fixes for CVEs released for Veeam Servers. The next one in this series deals with OLEDB versions that can be exploited.

We will focus on the latest one in this list as, once again, patching the latest CVE fixes, typically the older ones.

CVE-2023-36417 is related to Microsoft ODBC and OLE DB Remote Code Execution Vulnerability.

Microsoft’s fix for this is to update OLEDB to the latest version.

So, as always, let’s check our current version distribution and see where we are.

We have one Server 2022 and one Server 2019 instance.

We can see that we have 18.4.0.0 and 18.2.3.0, both vulnerable.

So, both will be getting updated.

Remember, we will want to uninstall the older versions of vulnerable if they are still their post-update.

Checking one of the Servers, we can see this is an older install.

Here is some information on downloading the latest version from Microsoft.

https://learn.microsoft.com/en-us/sql/connect/oledb/release-notes-for-oledb-driver-for-sql-server?view=sql-server-ver16

We can see that Version 19.3.2 is the latest version.

The installation is basically a next,next finish.

But wait. Looks like there is a new dependency.

Ok no problem the link is there let’s do it.

https://learn.microsoft.com/en-us/cpp/windows/latest-supported-vc-redist?view=msvc-170

https://aka.ms/vs/17/release/vc_redist.x64.exe

This did require a reboot.

Hmm still have the error it is like it is looking for the x86 version let’s try that.

There we go that did it.

Once again as in the previous two blog posts. We need to clean this up because just installing the new version will not fix the CVE issue.

18.4.0.0 is the one that has the vulnerabilities.

Once again tested the consoles and they were fine with this update.

Hope you enjoy this post,

Dave Kawula

Veeam Vanguard / Microsoft MVP