Return
-
Title
DBSS CLR Security alarms fire for user defined assemblies -
Description
Redundant CLR security alarms fire for system CLR assemblies -
Cause
The collection retrieves data system and user defined assemblies.
-
Resolution
WORKAROUND
None
STATUS
Defect ID FOG-7316 has been logged to filter the collection to only retrieve user defined CLR assemblies. This has been fixed in the 7.2.1.10 and higher releases of the SQL Server cartridge. -
Defect ID
FOG-7316 -
Additional Information
According to Microsoft, this might explain why it is is firing for SQL Server, "CLR uses Code Access Security (CAS) in the .NET Framework is no longer supported as a security boundary. A CLR assembly created with PERMISSION_SET = SAFE may be able to access external system resources, call unmanaged code, and acquire sysadmin privileges. Beginning with SQL Server 2017 (14.x), an sp_configure option called CLR strict security is introduced to enhance the security of CLR assemblies. CLR strict security is enabled by default, and treats SAFE and EXTERNAL_ACCESS assemblies as if they were marked UNSAFE. The CLR strict security option can be disabled for backward compatibility, but this is not recommended"