Microsoft published a security bulletin for CVE-2021-1636, an elevation of privilege vulnerability in SQL Server that can be exploited while an Extended Event session is running. Keep in mind that the built-in system_health session starts automatically on every instance, so that precondition is normally already met on a default install.
Microsoft has released a patch for each supported version. You can see them on the Release blog, but the KB links are below. If you have any servers that can be reached by traffic you do not fully control, patch them.
SQL Server 2019
- CU8 GDR – https://techcommunity.microsoft.com/t5/sql-server/security-update-for-sql-server-2019-rtm-cu8/ba-p/2054315
- RTM GDR – https://techcommunity.microsoft.com/t5/sql-server/security-update-for-sql-server-2019-rtm-gdr/ba-p/2054295
SQL Server 2017
- CU22 GDR – https://techcommunity.microsoft.com/t5/sql-server/security-update-for-sql-server-2017-rtm-cu22/ba-p/2054270
- RTM GDR – https://techcommunity.microsoft.com/t5/sql-server/security-update-for-sql-server-2017-rtm-gdr/ba-p/2054255
SQL Server 2016
- SP2 CU15 GDR – https://techcommunity.microsoft.com/t5/sql-server/security-update-for-sql-server-2016-sp2-cu15/ba-p/2054238
- SP2 GDR – https://techcommunity.microsoft.com/t5/sql-server/security-update-for-sql-server-2016-sp2-gdr/ba-p/2054224
SQL Server 2014
- SP3 CU4 GDR – https://techcommunity.microsoft.com/t5/sql-server/security-update-for-sql-server-2014-sp3-cu4/ba-p/2054199
- SP3 GDR – https://techcommunity.microsoft.com/t5/sql-server/security-update-for-sql-server-2014-sp3-gdr/ba-p/2054168
SQL Server 2012
For SQL Server 2016 and earlier, make sure you are at the Service Pack level listed. These security updates only install on top of the listed baseline, so an instance on an older Service Pack must be brought up to that Service Pack before the security update will apply. Also pick the right branch: the GDR package is for instances that have never had a Cumulative Update applied, and the CU package is for instances already on the Cumulative Update branch; the wrong one will refuse to install.
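Before picking a package, check what each instance is actually running. The T-SQL below is an added example, not code from the original post: it reports the version, Service Pack and CU level to compare against the KB articles above, and lists the Extended Event sessions that are running or set to start automatically (the precondition named in the bulletin). It uses only documented SERVERPROPERTY values and catalog/DMV views; the column aliases are my own.

```sql
-- Added example (not from the original post): patch-level and XE-session check.
-- Run in any database; requires VIEW SERVER STATE for the DMV query.

-- 1. Where is this instance on the GDR / CU ladder?
--    ProductLevel       -> RTM, SP2, SP3 ...   (the Service Pack baseline)
--    ProductUpdateLevel -> CU8, CU22 ...        (NULL when no CU is installed, i.e. GDR branch)
--    ProductUpdateReference -> KB number of the last update applied
SELECT
    SERVERPROPERTY('ProductVersion')         AS product_version,
    SERVERPROPERTY('ProductLevel')           AS product_level,
    SERVERPROPERTY('ProductUpdateLevel')     AS product_update_level,
    SERVERPROPERTY('ProductUpdateReference') AS product_update_reference,
    SERVERPROPERTY('Edition')                AS edition,
    CASE
        WHEN SERVERPROPERTY('ProductUpdateLevel') IS NULL THEN 'GDR branch: apply the RTM/SP GDR package'
        ELSE 'CU branch: apply the CU GDR package'
    END                                      AS package_to_use;

-- 2. Which Extended Event sessions are running right now?
--    system_health is created and started by default, so this list is
--    rarely empty; the bulletin's "an Extended Event session is running"
--    condition is therefore met on most instances.
SELECT
    s.name,
    s.create_time
FROM sys.dm_xe_sessions AS s
ORDER BY s.name;

-- 3. All sessions defined on the server, whether they auto-start,
--    and whether they are currently running (joined against the DMV).
SELECT
    ss.name,
    ss.startup_state,                                  -- 1 = starts with the instance
    CASE WHEN rs.address IS NOT NULL THEN 1 ELSE 0 END AS is_running
FROM sys.server_event_sessions AS ss
LEFT JOIN sys.dm_xe_sessions AS rs
    ON rs.name = ss.name
ORDER BY ss.name;
```

Compare product_version with the build number listed in the matching KB article: if it is lower, the instance still needs the update. Stopping a session is not a substitute for patching, since system_health restarts with the instance and other tooling (Always On health, SQL Audit, Query Store style monitoring) routinely leaves sessions running.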