1. D Aggelis
  2. PowerBuilder
  3. Wednesday, 14 February 2024 12:25 PM UTC

Hi,

Recently we received an email from Appeon about Vulnerability CVE-2024-0056.

It states that we should:

"Temporarily refrain from using the ADO.NET database driver for connecting to SQL Server for PowerBuilder and InfoMaker applications...."

We use PowerBuilder 2022 to maintain a custom desktop application. The DB is SQL 2022. The connection string is as follows:

DBMS=ADO.NET
...
ServerName=atlas
...
DBParm=Namespace='System.Data.OleDb',DataSource='atlas',DisableBind=1,DelimitIdentifier='NO',NCharBind=1,trimspaces=1,CommandTimeout=3600,TrustedConnection=0,Provider='SQLOLEDB'"

Microsoft's article states that the vulnerability refers to System.Data.SqlClient.

Under the "ADO Microsoft ADO.NET" section of installed Database Interfaces we have both System.Data.SqlClient and System.Data.OleDb options, but we use the latter with Provider='SQLOLEDB'.

Is the above safe, or should we change the way our clients connect to SQL (which means a lot of testing and deploying effort)?

 

Chris Pollach @Appeon Accepted Answer
  1. Wednesday, 14 February 2024 16:10 PM UTC
  2. PowerBuilder
  3. # 1

Hi D;

  You will also note in that bulletin a link over to Microsoft. In the MS description it gives you more details as to exactly which ADO build numbers are affected. So you need to check your ADO driver version with that MS list to see if you are actually affected. Just changing the MS ADO client driver version might be all you need to do.

  However, for the long term, Microsoft has switched directions for SS connectivity altogether. They are now only using the new MSOLEDBSQL DB client driver in recent years and will be focusing on this client only going forward. In your PB 2022 Rx Apps, you can switch over to that newer SS DB Client driver by using the following ...

SQLCA.DBMS = "MSO"

Food for thought.  HTH

Regards ... Chris
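
An added example, not part of the reply above and not Appeon's code: a small Python inventory helper that parses a PowerBuilder DBParm string such as the one in the question and reports which ADO.NET namespace and provider a profile selects, so profiles on System.Data.SqlClient (the namespace the question attributes to Microsoft's article) can be found and their driver builds compared with Microsoft's list. The function names, finding labels and the second sample profile are assumptions made for illustration.

```python
import re

# Namespace that, per the question above, Microsoft's article refers to.
ADVISORY_NAMESPACE = "System.Data.SqlClient"

# One key=value pair; the value is either 'single quoted' (may hold commas) or bare.
_PAIR = re.compile(r"\s*([A-Za-z_]\w*)\s*=\s*(?:'([^']*)'|([^,]*))\s*(?:,|$)")

def parse_dbparm(dbparm):
    """Split a DBParm string into a dict with lower-cased keys."""
    text = dbparm.strip().strip('"')  # tolerate a wrapping or stray double quote
    params, pos = {}, 0
    while pos < len(text):
        m = _PAIR.match(text, pos)
        if not m:
            raise ValueError(f"cannot parse DBParm at offset {pos}: {text[pos:pos + 20]!r}")
        value = m.group(2) if m.group(2) is not None else m.group(3)
        params[m.group(1).lower()] = value.strip()
        pos = m.end()
    return params

def classify(dbms, dbparm):
    """Return (namespace, provider, finding) for one connection profile."""
    if dbms.strip().upper() != "ADO.NET":
        return (None, None, "not-ado.net")
    p = parse_dbparm(dbparm)
    ns, provider = p.get("namespace", ""), p.get("provider") or None
    if ns.lower() == ADVISORY_NAMESPACE.lower():
        finding = "advisory-namespace"  # next step: compare driver build with Microsoft's list
    elif ns:
        finding = "other-namespace"     # not the namespace named above; no verdict implied
    else:
        finding = "namespace-missing"
    return (ns or None, provider, finding)

# DBParm exactly as posted in the question (including its trailing double quote).
QUESTION_DBPARM = ("Namespace='System.Data.OleDb',DataSource='atlas',DisableBind=1,"
                   "DelimitIdentifier='NO',NCharBind=1,trimspaces=1,CommandTimeout=3600,"
                   "TrustedConnection=0,Provider='SQLOLEDB'\"")
# Constructed sample (not from the page): a profile selecting the SqlClient namespace.
CONSTRUCTED_DBPARM = "Namespace='System.Data.SqlClient',DataSource='atlas',TrustedConnection=0"

if __name__ == "__main__":
    for name, parm in (("question", QUESTION_DBPARM), ("constructed", CONSTRUCTED_DBPARM)):
        print(name, classify("ADO.NET", parm))
```

The finding only records which namespace a profile selects; whether a given installation is affected still depends on the driver build check described in the reply.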
