MS SQL 2016 EOL False positive?

Hi, I’m using Greenbone Security Assistant 21.4.3 under Kali Linux to run regular scans against several servers.

Recently, it started to report a high severity vulnerability on a server with SQL 2016 installed. (see below)

This server does have SQL server 2016, but it’s got SP3 installed and the latest update from June 2022 as well. As far as I can see from various sources, security support from Microsoft ends in Jul 2026 for this version of SQL. Or perhaps I have that wrong?

Detection Result

The “Microsoft SQL Server 2016” product on the remote host has reached the end of life. CPE: cpe:/a:microsoft:sql_server:2016 EOL version: 2016 EOL date: 2018-01-09

Product Detection Result

Product [cpe:/a:microsoft:sql_server:2016_server 2016)
Method [Microsoft SQL Server (MSSQL) Detection (TCP/IP Listener) (OID: 1.3.6.1.4.1.25623.1.0.10144)]

Detection Method

Checks if a vulnerable version is present on the target host.

Details: [Microsoft SQL Server End Of Life Detection OID: 1.3.6.1.4.1.25623.1.0.108188]
Version used: 2022-08-04T13:37:02Z

Hi and welcome to the community!

SQL Server 2016 SP3 is indeed supported until 2026. I had a look at the detection and it looks like mssql.inc needs an update, as it e.g. doesn’t include the SP3 conversion, leading to a wrong detection.

We will have a look at it and update it accordingly.

2 Likes
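To make the failure mode above concrete, here is an added example (not Greenbone's code and not what mssql.inc does) of the difference between a product-level end-of-life lookup and one that first resolves the service pack from the build number. The build thresholds for SP1/SP2/SP3 and the exact day of the July 2026 support end (taken here as 2026-07-14) are assumptions; the RTM date 2018-01-09 is the one printed in the report above, and the scan date and version strings are constructed.

```python
from datetime import date
from typing import Optional, Tuple

# Build-number thresholds for the SQL Server 2016 service packs (assumed
# from Microsoft's published build numbers). "13.0" is the 2016 product
# line; the third component (the build) tells the service-pack level.
SP_THRESHOLDS_2016 = [
    (6300, "SP3"),   # SP3 ships as 13.0.6300.2
    (5026, "SP2"),   # SP2 ships as 13.0.5026.0
    (4001, "SP1"),   # SP1 ships as 13.0.4001.0
    (0, "RTM"),
]

# End-of-support dates by service pack. RTM's date is the one the scan
# report prints (2018-01-09); SP3's is the July 2026 end of support (day
# assumed as 2026-07-14). SP1/SP2 are deliberately absent so the lookup
# answers "unknown" rather than guessing.
EOL_2016 = {
    "RTM": date(2018, 1, 9),
    "SP3": date(2026, 7, 14),
}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Split '13.0.6300.2' into (major, minor, build); revision is ignored."""
    parts = version.strip().split(".")
    if len(parts) < 3:
        raise ValueError(f"unexpected version string: {version!r}")
    major, minor, build = (int(p) for p in parts[:3])
    return major, minor, build


def service_pack_2016(version: str) -> str:
    """Map a 13.0.x build to its service-pack level."""
    major, minor, build = parse_version(version)
    if (major, minor) != (13, 0):
        raise ValueError(f"{version} is not a SQL Server 2016 (13.0) build")
    for threshold, sp in SP_THRESHOLDS_2016:
        if build >= threshold:
            return sp
    return "RTM"  # threshold 0 always matches, so this is never reached


def naive_eol_check(version: str, today: date) -> bool:
    """Product-level check: every 13.0.x build is 'SQL Server 2016', and the
    product maps straight to the RTM end-of-support date. This reproduces
    the false positive reported above for an SP3 host."""
    major, minor, _ = parse_version(version)
    if (major, minor) != (13, 0):
        raise ValueError(f"{version} is not a SQL Server 2016 (13.0) build")
    return today > EOL_2016["RTM"]


def sp_aware_eol_check(
    version: str, today: date
) -> Tuple[str, Optional[date], Optional[bool]]:
    """Service-pack-aware check: returns (sp, eol_date, is_eol). is_eol is
    None when no date is known for that SP, so a scanner built on this
    would report 'unknown' instead of asserting end of life."""
    sp = service_pack_2016(version)
    eol = EOL_2016.get(sp)
    if eol is None:
        return sp, None, None
    return sp, eol, today > eol


def eol_report(version: str, today_iso: str) -> dict:
    """Side-by-side result of both checks, with plain strings for easy use."""
    today = date.fromisoformat(today_iso)
    sp, eol, is_eol = sp_aware_eol_check(version, today)
    return {
        "service_pack": sp,
        "eol_date": eol.isoformat() if eol else None,
        "naive_flags_eol": naive_eol_check(version, today),
        "sp_aware_flags_eol": is_eol,
    }


if __name__ == "__main__":
    # Constructed inputs: an SP3 host scanned on 2022-08-04.
    for build in ("13.0.6300.2", "13.0.1601.5", "13.0.5026.0"):
        print(build, eol_report(build, "2022-08-04"))
```

Run against the SP3 build, the naive check flags end of life (the report's behaviour) while the service-pack-aware check returns SP3 with a 2026 date and no finding; the RTM build is flagged by both, and SP2 comes back as unknown rather than as a false positive.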

Thanks, ckuerste, and also for the quick response!

The mentioned include file got updated in the meantime and should arrive in one of the next feed updates.

Thanks again for reporting it, and let us know if you still get some false positives.

1 Like