FAQ
According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability.
Mitigation
The following mitigating factors might be helpful in your situation: Exploitation of this vulnerability requires an attacker to trick or convince the victim into connecting to their malicious server. If your environment only connects to known, trusted servers and there is no ability to reconfigure existing connections to point to another location (for example you use TLS encryption with certificate validation), the vulnerability cannot be exploited.
FAQ
According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker could exploit the vulnerability by tricking an authenticated user (CVSS metric UI:R) into attempting to connect to a malicious SQL server via a connection driver (for example: ODBC and / or OLEDB as applicable).
FAQ
If I normally install GDR versions and have not installed the June Cumulative Update, am I affected by the vulnerability? Yes, customers who have installed Microsoft SQL Server 2022 for x64-based Systems (GDR) or Microsoft SQL Server 2019 for x64-based Systems (GDR) are vulnerable. Microsoft recommends updating to the latest cumulative update to be protected from this vulnerability.