Title: Vendor supported software must be evaluated and patched against newly found vulnerabilities.
Vulnerability ID: V-32410
STIG ID: SRG-APP-000133-DB-000205
IA Controls: None
Description: Security faults with software applications and operating systems are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to promptly install security-relevant software updates (e.g., patches, service packs, and hot fixes). Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling, must also be addressed expeditiously. Anytime new software code is introduced to a system there is the potential for unintended consequences. There have been documented instances where the application of a patch has caused problems with system integrity or availability. Due to information system integrity and availability concerns, organizations must give careful consideration to the methodology used to carry out automatic updates. Unsupported software versions are not patched by vendors to address newly discovered security versions. An unpatched version is vulnerable to attack.
Check Text: Follow the vendor instruction for determining the product version number. View the vendor-provided list of supported versions. To be considered supported, the vendor must report that the version is supported by security patches to reported vulnerabilities. If the security patch support for the installed version cannot be determined or the version is not shown as supported, this is a finding.
If the software does not contain the latest security patches, this is a finding.
Fix Text: Upgrade the DBMS to a vendor supported version. Apply latest DBMS patches.[divider]
It is important to review the version of SQL Server you have and make sure it is up to date. It is also important to not just blindly update SQL Server. In general service packs are safe to install, but you should plan to have a test system on which you can test the patches and service packs prior to deploying to a production environment. We have an article we work to keep up to date with all the versions of SQL Server you may be running. You can check out our post here and use it to check the version of SQL Server you are running.
To check the version number of your SQL Server you can use the simple T-SQL statement Select @@version in SSMS. Then you can check your version against the list of all releases to see how up to date your SQL Server is.