MS SQL 2016 EOL False positive?

d.winter · August 16, 2022, 1:14pm

Hi I’m using Greenbone Security Assistant 21.4.3 under Kali Linux to run regular scans against several servers.

Recently, it started to report a high severity vulnerability on a server with SQL 2016 installed. (see below)

This server does have SQL server 2016, but it’s got SP3 installed and the latest update from June 2022 as well. As far as I can see from various sources, security support from Microsoft ends in Jul 2026 for this version of SQL. Or perhaps I have that wrong?

Detection Result

The “Microsoft SQL Server 2016” product on the remote host has reached the end of life. CPE: cpe:/a:microsoft:sql_server:2016 EOL version: 2016 EOL date: 2018-01-09

Product Detection Result

Product	[cpe:/a:microsoft:sql_server:2016_server 2016)
Method	[Microsoft SQL Server (MSSQL) Detection (TCP/IP Listener) (OID: 1.3.6.1.4.1.25623.1.0.10144)]

Detection Method

Checks if a vulnerable version is present on the target host.

Details:	[Microsoft SQL Server End Of Life Detection OID: 1.3.6.1.4.1.25623.1.0.108188]
Version used:	2022-08-04T13:37:02Z

ckuerste · August 17, 2022, 1:55am

Hi and welcome to the community!

SQL server 2016 SP3 is indeed supported until 2026. I had a look at the detection and it looks like mssql.inc needs an update as it e.g. doesn’t include the SP3 conversion leading to a wrong detection.

We will have a look at it and update it accordingly.

d.winter · August 17, 2022, 7:35am

Thanks ckuerste and also for the quick response!

ckuerste · August 22, 2022, 1:33am

The mentioned include file got updated in the meantime and should arrive in one of the next feed updates.

Thanks again for reporting it and let us know if you still got some false positives.

jailsonxlima · December 1, 2023, 2:06pm

Do you have any stance on this update? Did you resolve the vulnerability issue?