Security bulletins

This page describes all security bulletins related to Cloud SQL.

To get the latest security bulletins, do one of the following:

  • Add the URL of this page to your feed reader.
  • Add the following feed URL directly to your feed reader:

    https://cloud.google.com/feeds/cloud-sql-security-bulletins.xml

GCP-2023-007

Published: 2023-06-02

Description

A third-party researcher identified a Cloud SQL for SQL Server vulnerability. Google Cloud automatically detected, through a security alert, the instance on which the researcher triggered the vulnerability. After the detection, Google Cloud contacted the researcher, and the researcher reported the issue through the Google Cloud VRP program. Google Cloud resolved the issue by patching the security vulnerability by March 1, 2023. Google Cloud didn't find any compromised customer instances.

What should I do?

No further action is required for any customer.

Cloud SQL for SQL Server has been updated to fix this vulnerability and the fix was rolled out to all instances in March 2023. No action is required.

What vulnerabilities are being addressed?

The vulnerability allowed customer administrator accounts to create triggers in the tempdb database and use those to gain sysadmin privileges in the instance. The sysadmin privileges would give the attacker access to system databases and partial access to the machine running that SQL Server instance.

Because the attack requires access to a customer administrator account, this vulnerability didn't expose any customer data that the attacker didn't already have access to. Moreover, this vulnerability didn't give the attacker any access to other Cloud SQL for SQL Server instances.

This issue was not a security incident and no data was compromised.

Severity: High
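The two conditions this bulletin describes, triggers defined in tempdb and unexpected sysadmin membership, can be reviewed with read-only catalog queries. The T-SQL below is an added example, not part of Google's bulletin (which states that no action is required); it assumes the connected login is allowed to view this metadata, which a managed service may restrict.

```sql
-- Added audit example (not from the bulletin). All statements are read-only.

-- 1. Triggers defined inside tempdb, with the principal each one executes as.
--    tempdb is rebuilt at every instance restart, so any row here was created
--    since the last restart and should be explainable.
SELECT  t.name                                     AS trigger_name,
        t.parent_class_desc                        AS scope,         -- DATABASE or OBJECT_OR_COLUMN
        OBJECT_NAME(t.parent_id, DB_ID(N'tempdb')) AS parent_object, -- NULL for database-scoped triggers
        t.is_disabled,
        t.create_date,
        t.modify_date,
        m.execute_as_principal_id                  -- NULL means EXECUTE AS CALLER
FROM    tempdb.sys.triggers         AS t
LEFT JOIN tempdb.sys.sql_modules    AS m
        ON m.object_id = t.object_id
WHERE   t.is_ms_shipped = 0
ORDER BY t.create_date;

-- 2. Server-scoped triggers (DDL and logon), which fire outside any single database.
SELECT  st.name, st.type_desc, st.is_disabled, st.create_date, st.modify_date
FROM    sys.server_triggers AS st
WHERE   st.is_ms_shipped = 0
ORDER BY st.create_date;

-- 3. Current members of the sysadmin fixed server role.
--    On a managed instance, customer-created logins are not expected here.
SELECT  mem.name, mem.type_desc, mem.is_disabled, mem.create_date
FROM    sys.server_role_members AS rm
JOIN    sys.server_principals   AS rol ON rol.principal_id = rm.role_principal_id
JOIN    sys.server_principals   AS mem ON mem.principal_id = rm.member_principal_id
WHERE   rol.name = N'sysadmin'
ORDER BY mem.name;
```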


Last updated 2026-02-19 UTC.