
Cloud Vulnerability DB
A community-led vulnerabilities database
Microsoft SQL Server Elevation of Privilege Vulnerability (CVE-2021-1636) was disclosed on January 12, 2021. This vulnerability affects multiple versions of Microsoft SQL Server including SQL Server 2019, SQL Server 2017, SQL Server 2016 Service Pack 2, SQL Server 2014, and SQL Server 2012 Service Pack 4 (Microsoft KB).
The vulnerability can be triggered when data sent over a network to an affected Microsoft SQL Server instance causes code to run against the SQL Server process. This is possible only if a certain extended event is enabled (Microsoft KB).
This vulnerability could allow an attacker to execute code against the SQL Server process, potentially leading to elevation of privilege (CVE Details).
Microsoft has released security updates to address this vulnerability. The fix that applies depends on the SQL Server version (Microsoft KB):
- KB4583458 for SQL Server 2019 GDR
- KB4583459 for SQL Server 2019 CU8
- KB4583456 for SQL Server 2017 GDR
- KB4583457 for SQL Server 2017 CU22
- KB4583460 for SQL Server 2016 SP2 GDR
- KB4583461 for SQL Server 2016 SP2 CU15
- KB4583463 for SQL Server 2014 SP3 GDR
- KB4583465 for SQL Server 2012 SP4 GDR
- KB4583462 for SQL Server 2014 SP3 CU4
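A read-only triage query for this advisory, added here as an example (it is not from Microsoft or from the original page). It reports the instance's build and last applied update for comparison with the KB list above, then lists every Extended Events session with the events it collects; the page does not name the specific event, so the output is meant to be compared against the event named in the Microsoft KB. It assumes the login has VIEW SERVER STATE.

```sql
-- Added example: exposure inventory for CVE-2021-1636. Read-only.
-- Assumption: caller has VIEW SERVER STATE on the instance.

-- 1) Build and most recent servicing update, to compare with the KB list.
--    update_kb can be NULL on builds that do not report a reference.
SELECT
    SERVERPROPERTY('ProductVersion')         AS product_version,
    SERVERPROPERTY('ProductLevel')           AS product_level,
    SERVERPROPERTY('ProductUpdateLevel')     AS update_level,
    SERVERPROPERTY('ProductUpdateReference') AS update_kb;

-- 2) Sessions running right now and the events each one has enabled.
--    This is the live state, including sessions started since the last restart.
SELECT
    r.name         AS session_name,
    re.event_name  AS event_name
FROM sys.dm_xe_sessions AS r
JOIN sys.dm_xe_session_events AS re
    ON re.event_session_address = r.address
ORDER BY r.name, re.event_name;

-- 3) Sessions defined in the catalog, including stopped ones, with a flag
--    for those that start automatically with the server. A stopped session
--    with starts_with_server = 1 becomes live again after the next restart.
SELECT
    s.name                                      AS session_name,
    s.startup_state                             AS starts_with_server,
    CASE WHEN r.name IS NULL THEN 0 ELSE 1 END  AS is_running,
    e.package + N'.' + e.name                   AS event_name
FROM sys.server_event_sessions AS s
JOIN sys.server_event_session_events AS e
    ON e.event_session_id = s.event_session_id
LEFT JOIN sys.dm_xe_sessions AS r
    ON r.name = s.name
ORDER BY is_running DESC, s.name, event_name;
```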
Source: This report was generated using AI