There was a security bulletin (CVE-2021-1636) for SQL Server, an elevation of privilege vulnerability that could be exploited when an Extended Event session is running.
Microsoft has released security updates for each supported branch. You can see them on the SQL Server Release blog, and the KB links are below. If you have any instances that could potentially be reached by unauthorized traffic, consider patching them.
SQL Server 2019
- CU8 GDR – https://techcommunity.microsoft.com/t5/sql-server/security-update-for-sql-server-2019-rtm-cu8/ba-p/2054315
- RTM GDR – https://techcommunity.microsoft.com/t5/sql-server/security-update-for-sql-server-2019-rtm-gdr/ba-p/2054295
SQL Server 2017
- CU 22 GDR – https://techcommunity.microsoft.com/t5/sql-server/security-update-for-sql-server-2017-rtm-cu22/ba-p/2054270
- RTM GDR – https://techcommunity.microsoft.com/t5/sql-server/security-update-for-sql-server-2017-rtm-gdr/ba-p/2054255
SQL Server 2016
- SP2 CU 15 GDR – https://techcommunity.microsoft.com/t5/sql-server/security-update-for-sql-server-2016-sp2-cu15/ba-p/2054238
- SP2 GDR – https://techcommunity.microsoft.com/t5/sql-server/security-update-for-sql-server-2016-sp2-gdr/ba-p/2054224
SQL Server 2014
- SP3 CU4 – https://techcommunity.microsoft.com/t5/sql-server/security-update-for-sql-server-2014-sp3-cu4/ba-p/2054199
- SP3 – https://techcommunity.microsoft.com/t5/sql-server/security-update-for-sql-server-2014-sp3-gdr/ba-p/2054168
SQL Server 2012
For SQL Server 2016 and earlier, make sure you are at the Service Pack levels listed. If you aren't, the security update will not install on those instances.
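As an added check that is not part of the original post, the following T-SQL reports the build and Service Pack level of an instance, compares the installed build numerically against a fixed-build value you supply, and lists the Extended Event sessions currently running, since the CVE is exploitable while one is running. The `@MinPatched` value in the script is an assumed placeholder for illustration only; take the real fixed build for your version and CU/GDR branch from the KB article linked above.

```sql
-- Added check, not part of the original post: report what this instance is
-- running and which Extended Event sessions are active, so you can decide
-- whether it still needs the January 2021 security update.
-- Requires VIEW SERVER STATE for the sys.dm_xe_sessions query.

-- 1. Installed build, Service Pack level and last applied update.
--    SERVERPROPERTY returns NULL for properties a given build does not expose.
SELECT
    SERVERPROPERTY('ProductVersion')         AS ProductVersion,         -- major.minor.build.revision
    SERVERPROPERTY('ProductLevel')           AS ProductLevel,           -- RTM or SPn: must match the branch the KB targets
    SERVERPROPERTY('ProductUpdateLevel')     AS ProductUpdateLevel,     -- CUn, or NULL on a GDR-only branch
    SERVERPROPERTY('ProductUpdateReference') AS ProductUpdateReference; -- KB number of the last update installed

-- 2. Compare the installed build with the fixed build for your branch.
--    @MinPatched is an ASSUMED placeholder: replace it with the build number
--    given in the KB article for your version and CU/GDR branch.
DECLARE @Installed  nvarchar(128) = CONVERT(nvarchar(128), SERVERPROPERTY('ProductVersion'));
DECLARE @MinPatched nvarchar(128) = N'15.0.4083.2';

-- Turn "a.b.c.d" into one bigint so the comparison is numeric, not string-wise
-- (as strings, '13.0.600.1' would sort after '13.0.5865.1').
-- PARSENAME numbers the dotted parts from the right, so part 4 is the major version.
;WITH parts AS (
    SELECT  CAST(PARSENAME(@Installed,  4) AS bigint) AS i1, CAST(PARSENAME(@Installed,  3) AS bigint) AS i2,
            CAST(PARSENAME(@Installed,  2) AS bigint) AS i3, CAST(PARSENAME(@Installed,  1) AS bigint) AS i4,
            CAST(PARSENAME(@MinPatched, 4) AS bigint) AS m1, CAST(PARSENAME(@MinPatched, 3) AS bigint) AS m2,
            CAST(PARSENAME(@MinPatched, 2) AS bigint) AS m3, CAST(PARSENAME(@MinPatched, 1) AS bigint) AS m4
)
SELECT  @Installed  AS InstalledBuild,
        @MinPatched AS MinimumPatchedBuild,
        CASE WHEN i1 <> m1
             THEN 'Different major version: use the fixed build for this branch'
             WHEN i1*1000000000000000 + i2*10000000000 + i3*100000 + i4
               >= m1*1000000000000000 + m2*10000000000 + m3*100000 + m4
             THEN 'Patched (at or above the fixed build)'
             ELSE 'NOT patched: apply the security update'
        END AS PatchStatus
FROM parts;

-- 3. Extended Event sessions running right now. system_health is started by
--    default, so expect at least one row; the fix is the patch, not stopping sessions.
SELECT name, create_time
FROM sys.dm_xe_sessions
ORDER BY create_time;
```

Run the script on each instance you manage; the first result set tells you which branch (RTM/SP, CU or GDR) you are on, so you can pick the matching download from the list above, and the third shows that practically every instance has a running session, which is why patching rather than disabling Extended Events is the answer.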
“an elevation of Privilege vulnerability that could be exploited when an Extended Event session is running”
I’m sure Grant will be pleased with that bit of news. 😀
I know it is end of life, but does anybody here know if MS released a patch for SQL Server 2008/2008 R2 at the same time they released all these in January 2021?