SQL Server Security Update: January 12, 2021
Microsoft has issued an important security update that affects all installations of SQL Server 2012-2019. The update addresses an elevation of privilege vulnerability in which data sent over a network to an affected SQL Server instance might cause code to run against the SQL Server process if a certain extended event is enabled. (https://support.microsoft.com/en-us/help/4583468/kb4583468-microsoft-sql-server-elevation-of-privilege-vulnerability)
The "certain Extended Event" has not been disclosed at this time.
You can read the MSRC Security Update Guide document CVE-2021-1636 for more detailed information, and to learn which specific versions of SQL Server are affected by this vulnerability. NOTE: If you are running an instance of SQL Server 2012 or higher and do not find your version number listed, then your SQL Server version is no longer supported and needs an update to the latest Service Pack and/or Cumulative Update.
We recommend all SQL Server users apply this security update during the next available maintenance window to patch this vulnerability.
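Because the triggering Extended Event is undisclosed, a useful pre-patch check is to record each instance's build and inventory the Extended Events it collects. The T-SQL below is an added example, not taken from the Microsoft advisory; it assumes the login has VIEW SERVER STATE permission and uses only standard catalog views and DMVs.

```sql
-- Build details to compare against the affected versions listed
-- in the MSRC Security Update Guide entry for CVE-2021-1636.
SELECT
    SERVERPROPERTY('ProductVersion')     AS product_version,
    SERVERPROPERTY('ProductLevel')       AS product_level,        -- RTM or SPn
    SERVERPROPERTY('ProductUpdateLevel') AS product_update_level, -- CUn, NULL where not applicable
    SERVERPROPERTY('Edition')            AS edition;

-- Extended Events sessions that are running right now,
-- with every event each session collects.
SELECT
    s.name        AS session_name,
    s.create_time AS started_at,
    p.name        AS package_name,
    e.event_name
FROM sys.dm_xe_sessions AS s
JOIN sys.dm_xe_session_events AS e
    ON e.event_session_address = s.address
JOIN sys.dm_xe_packages AS p
    ON p.guid = e.event_package_guid
ORDER BY s.name, p.name, e.event_name;

-- Sessions defined on the server (running or stopped), including
-- whether they start automatically when the instance starts.
SELECT
    ses.name          AS session_name,
    ses.startup_state AS starts_with_instance,
    ev.package        AS package_name,
    ev.name           AS event_name
FROM sys.server_event_sessions AS ses
JOIN sys.server_event_session_events AS ev
    ON ev.event_session_id = ses.event_session_id
ORDER BY ses.name, ev.package, ev.name;
```

The inventory shows what is enabled but cannot tell you which event is the relevant one, so it helps with prioritizing and documenting instances rather than replacing the update.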