Security Vulnerability fix for CVE-2018-8269? ('Microsoft.Data.OData' Denial of Service Vulnerability)

Question

Sage 50 appears to be using an older version of microsoft.data.odata.dll in it's latest release (2022.2), which makes it vulnerable to a Denial of Service attack. 
 Is there any plan for an upgrade to v5.8.4 or higher? 
 Location: c:\program files (x86)\sage 50 premium accounting version 2022\sageoverdrive\connectivityadapters\graphexcelapi\ 
 Reference: msrc.microsoft.com/.../CVE-2018-8269

KathleenF · Accepted Answer

Thank you for bringing this potential vulnerability to our attention. Upon review by our product development and security engineers of the information available about the vulnerability and how it might be exploited, we are confident that there is no risk that is posed to our customers caused by the presence of this DLL. 
 As Sage 50 is desktop software typically used in local area networks or standalone environments, and not a web application run by internet-connected servers, there is no exposure to a DOS (Denial of Service) attack. 
 The file is loaded dynamically at run time for a specific purpose but it is not called from a web application. Sage 50 is not a web application and is not typically installed nor used on any server running web applications accessible over the internet. 
 The file is used only when connecting to Microsoft 365 to synchronize data to the cloud. If a customer is not using this service, the file can be safely deleted from their local machine without any impact on the software.

Sage 50 Canada

Security Vulnerability fix for CVE-2018-8269? ('Microsoft.Data.OData' Denial of Service Vulnerability)

Top Replies

COMMUNITY

COMPANY

PARTNERS

SUPPORT & TRAINING