Recently, Microsoft in February Patch Tuesday fixes a serious security incident loopholes in Reporting Services (CVE-2020-0618) Microsoft SQL Server. "When the Microsoft SQL Server Reporting Services incorrectly processes the page request, it will exist a remote code execution vulnerability. Attacker who successfully exploited this vulnerability could execute code in the context of the Report Server service account. To exploit this vulnerability, an authenticated the attacker would need to submit a special page request to the affected instance of Reporting Services. "PoC correlation analysis and published on the Internet.
Affected versions
| product | version | Patch number |
|---|---|---|
| SQL Server 2016 Service Pack 2(GDR) | 13.0.5026.0 – 13.0.5101.9 | KB4505220 |
| SQL Server 2016 Service Pack 2 CU11 | 13.0.5149.0 – 13.0.5598.27 | KB4527378 |
| SQL Server 2014 Service Pack 3 (GDR) | 12.0.6024.0 – 12.0.6108.1 | KB4505218 |
| Server 2014 Service Pack 2 CU4 | 12.0.6205.1 – 12.0.6329.1 | KB4500181 |
| SQL Server 2012 Service Pack 4 (QFE) | 111.0.7001.0 – 11.0.7462.6 | KB4057116 |
Solution
Please follow Microsoft's guidelines fix this flaw.