question about CVE-2024-0056 vulnerability

View Replies (1)

Resolved question about CVE-2024-0056 vulnerability

Advice

0

Votes

Undo

D Aggelis
PowerBuilder
Wednesday, 14 February 2024 12:25 PM UTC

Hi,

Recently we received an email from Appeon about Vulnerability CVE-2024-0056.

It states that we should :

"Temporarily refrain from using the ADO.NET database driver for connecting to SQL Server for PowerBuilder and InfoMaker applications...."

We use PowerBuilder 2022 to maintain a custom desktop application. The DB is SQL 2022. The connection string is as follows:

DBMS=ADO.NET
...
ServerName=atlas
...
DBParm=Namespace='System.Data.OleDb',DataSource='atlas',DisableBind=1,DelimitIdentifier='NO',NCharBind=1,trimspaces=1,CommandTimeout=3600,TrustedConnection=0,Provider='SQLOLEDB'"

Microsofts article states that vulnerability refers to System.Data.SqlClient.

Under "ADO Microsoft ADO.NET" section of installed Database Interfaces we have both System.Data.SqlClient and System.Data.OleDb options, but we use the latter with Provider='SQLOLEDB' .

Is the above safe, or should we change the way our clients connect to SQL (which means a lot of testing and deploying effort)?

Responses (1)

Chris Pollach @Appeon Accepted Answer Pending Moderation

Wednesday, 14 February 2024 16:10 PM UTC
PowerBuilder
# 1

Hi D;

You will also note in that bulletin a link over to Microsoft. In the MS description it gives you more details as to exactly which ADO build numbers are affected. So you need to check your ADO driver version with that MS list to see if you are actually affected. Just changing the MS ADO client driver version might be all you need to do.

However for the long term, Microsoft has switched directions for SS connectivity altogether. They are now only using the new MSOOLDBSQL DB client driver in recent years and will be focusing on this client only going forward. In your PB 2022 Rx Apps, you can switch over to that newer SS DB Client driver by using the following ...

SQLCA.DBMS = "MSO"

Food for thought. HTH

Regards ... Chris

Comment

There are no comments made yet.

Page :
1

There are no replies made for this question yet.
However, you are not allowed to reply to this question.

Please login to post a reply

You will need to be logged in to be able to post a reply. Login using the form on the right or register an account if you are new here. Register Here »

Forgot Password?

We use cookies which are necessary for the proper functioning of our websites. We also use cookies to analyze our traffic, improve your experience and provide social media features. If you continue to use this site, you consent to our use of cookies.