SSRS Zero-Day patching?

  • Hello all,

    I've been tasked (rather randomly) with finding out if there is somewhere we can specifically find any Microsoft zero-day patches that would need to be applied to SSRS servers.  Mind you, I don't handle patching of any kind for our servers, so I'm at a bit of a loss as to where I should go.

     

  • SSRS patching has changed since 2017, with it being a separate installer.

    The below is the official doc on when fixes are released, etc.

    https://docs.microsoft.com/en-us/sql/reporting-services/release-notes-reporting-services?view=sql-server-ver15#sql-server-2019-reporting-services

    However, there is no separate exe for the patch like SQL; you download the full SSRS installer again and install over the top.

  • Thanks, Ant-Green!

    Would this link specifically address zero-day patching or is it just the usual monthly/regular patching here?  And we have SQL 2016, which isn't included in this specific link (2017 and later).  (I tried the left menu which shows SQL 2016 but doesn't actually navigate to anything other than 2019 - weird.)

    I found this other link with similar data for 2016, but I'm guessing it's not the same thing (patching), since it changed with 2017.

    https://docs.microsoft.com/en-us/sql/sql-server/sql-server-2016-release-notes?view=sql-server-2016

    It sounds like I'm supposed to be focusing on the zero-day patching, covering patches needing to be applied immediately to fix security issues with SSRS specifically.  Not even sure if that exists, or if it's something that's already covered with some overarching zero-day patching....??

    (Sorry again for my cluelessness, a bit out of my element here).

     

  • Zero-day exploits you're referring to?

    For that I would look at ZeroDayLab / CyberClan etc to see what’s been reported.

    Never seen Microsoft acknowledge a CVE until after they have issued the fix so people don’t take advantage of it.

    2016 is different, SSRS was still part of the full product then, so all the patch information is part of the usual KB articles.

    Since it split to be a separate thing in 2017 that’s where the new doc came out.

  • You are a veritable font of information, sir.  Thank you.

    I actually feel much more educated on the subject now; I might actually be able to pose an intelligent response on this point.

    Thanks again, much appreciated.

  • I don't know who maintains this list, but it is always up to date.

     

    https://sqlserverbuilds.blogspot.com/

    Michael L John
    If you assassinate a DBA, would you pull a trigger?
    To properly post on a forum:
    http://www.sqlservercentral.com/articles/61537/
