Vendor-supported software and patches must be evaluated and patched against newly found vulnerabilities.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-40945	SQL2-00-015700	SV-53299r3_rule		High

Description
Security faults with software applications and operating systems are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to promptly install security-relevant software updates (e.g., patches, service packs, and hot fixes). Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling must also be addressed expeditiously. Any time new software code is introduced to a system there is the potential for unintended consequences. There have been documented instances where the application of a patch has caused problems with system integrity or availability. Due to information system integrity and availability concerns, organizations must give careful consideration to the methodology used to carry out automatic updates. If SQL Server were no longer supported, no patches from Microsoft would address newly discovered security vulnerabilities. Unpatched software is vulnerable to attack.

Description

Security faults with software applications and operating systems are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to promptly install security-relevant software updates (e.g., patches, service packs, and hot fixes). Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling must also be addressed expeditiously. Any time new software code is introduced to a system there is the potential for unintended consequences. There have been documented instances where the application of a patch has caused problems with system integrity or availability. Due to information system integrity and availability concerns, organizations must give careful consideration to the methodology used to carry out automatic updates. If SQL Server were no longer supported, no patches from Microsoft would address newly discovered security vulnerabilities. Unpatched software is vulnerable to attack.

STIG	Date
Microsoft SQL Server 2012 Database Instance Security Technical Implementation Guide	2017-07-13

Details

Check Text ( C-47600r4_chk )
Check Microsoft's list of supported SQL Server versions. To locate the correct web page, perform a web search for "Microsoft SQL Server end of support." To be considered supported, Microsoft must report that the version is supported by security patches to known vulnerabilities. Check SQL Server version by running the following command: print @@version If the security patch support for SQL Server cannot be determined or SQL Server version is not shown as supported, this is a finding. If SQL Server does not contain the latest security patches, this is a finding.

Check Text ( C-47600r4_chk )

Check Microsoft's list of supported SQL Server versions. To locate the correct web page, perform a web search for "Microsoft SQL Server end of support."

To be considered supported, Microsoft must report that the version is supported by security patches to known vulnerabilities.

Check SQL Server version by running the following command:
print @@version

If the security patch support for SQL Server cannot be determined or SQL Server version is not shown as supported, this is a finding.

If SQL Server does not contain the latest security patches, this is a finding.

Fix Text (F-46227r2_fix)
Upgrade SQL Server to the Microsoft-supported version. Apply the latest SQL Server patches after evaluation of impact.