
Security vulnerability in SQL Monitor prior to 13.0.21 (CVE-2023-38180)

15th August 2023

Summary

Microsoft have announced a vulnerability in the Kestrel web server that's used by SQL Monitor from 12.0.0 to 13.0.20. The vulnerability can be exploited to carry out a Denial of Service attack on the SQL Monitor Web Service. This vulnerability only affects installations that use the built-in web server provided by SQL Monitor. Installations that use IIS instead are unaffected.

SQL Monitor version 13.0.21 fixes this vulnerability.

What's the risk?

The SQL Monitor Web Service could be subject to a Denial of Service attack by an unauthenticated user with network access to the Web Service. Only the availability of the Web Service would be affected. The attack would not compromise the confidentiality or integrity of any information held by SQL Monitor.

How can I resolve this vulnerability?

SQL Monitor release 13.0.21 includes a full fix for the issue described in this notice. We recommend you upgrade to the latest release as soon as possible.

If you cannot update SQL Monitor, using a reverse proxy or Web Application Firewall in front of the SQL Monitor Web Service for any client requests originating from untrusted networks may mitigate this issue. Using IIS to host the SQL Monitor Web Service instead of the built-in web server will also address the issue.

Has this vulnerability been exploited?

The initial vulnerability in the Kestrel web server was announced by Microsoft on 8th August 2023. The vulnerability was added to CISA's Known Exploited Vulnerabilities Catalog on 9th August 2023. Redgate has seen no evidence of this vulnerability being exploited in the wild in SQL Monitor.

How does Redgate ensure its products are secure?

All our product teams receive training in secure development practices, and we peer review all code changes. We use extensive suites of automated checks.

Unfortunately, vulnerabilities do occasionally occur. We aim to fix and announce them promptly when we discover them, and provide information on our website when this happens. You can find out more in our product security policy.