SQL Server Vulnerability VA2129 - Changes to signed modules should be authorized (msdb)

Stuart Cox 1 Reputation point
2021-09-09T21:39:07.37+00:00

Standing up default VMs hosting SQL Server in Azure, working through Azure Security Center recommendations. We're getting Azure Security Center recommendations with High severity on 255 objects that are created in the msdb database when the server is deployed.

VA2129 - Changes to signed modules should be authorized

All of the modules returned are in MSDB, all signed with ##MS_AgentSigningCertificate##.

I am getting the same issue regardless of SQL or OS version:

  • SQL 2014 Developer Edition on Windows Server 2012 R2 (244 modules)
  • SQL 2017 Developer Edition on Windows Server 2016 (255 modules)
  • SQL 2019 Developer Edition on Windows 2019 (255 modules)

Is this a bug in Security Center, maybe an issue with Developer Edition, or some other issue? It seems like a bug, but wanted to verify before we baseline this as a known issue.

Here are the msdb modules throwing this issue:
[dbo].[sp_help_jobhistory_summary]
[dbo].[sysmail_help_profileaccount_sp]
[dbo].[sp_help_jobhistory]
[dbo].[sysmail_configure_sp]
[dbo].[sp_add_jobserver]
[dbo].[sysmail_help_configure_sp]
[dbo].[sp_delete_jobserver]
[dbo].[sysmail_help_configure_value_sp]
[dbo].[sp_help_jobserver]
[dbo].[sysmail_add_principalprofile_sp]
[dbo].[sp_help_downloadlist]
[dbo].[sysmail_update_principalprofile_sp]
[dbo].[sp_enum_sqlagent_subsystems_internal]
[dbo].[sysmail_delete_principalprofile_sp]
[dbo].[sp_enum_sqlagent_subsystems]
[dbo].[sysmail_help_principalprofile_sp]
[dbo].[sp_verify_subsystem]
[dbo].[sysmail_logmailevent_sp]
[dbo].[sp_verify_schedule]
[dbo].[sysmail_start_sp]
[dbo].[sp_add_schedule]
[dbo].[sysmail_stop_sp]
[dbo].[sp_attach_schedule]
[dbo].[sysmail_help_status_sp]
[dbo].[sp_detach_schedule]
[dbo].[sysmail_help_queue_sp]
[dbo].[sp_update_replication_job_parameter]
[dbo].[sp_SendMailMessage]
[dbo].[sp_update_schedule]
[dbo].[sp_isprohibited]
[dbo].[sp_delete_schedule]
[dbo].[sp_SendMailQueues]
[dbo].[sp_get_jobstep_db_username]
[dbo].[sp_ProcessResponse]
[dbo].[sp_verify_jobstep]
[dbo].[sp_MailItemResultSets]
[dbo].[sp_add_jobstep_internal]
[dbo].[sp_process_DialogTimer]
[dbo].[sp_add_jobstep]
[dbo].[sp_readrequest]
[dbo].[sp_update_jobstep]
[dbo].[sp_GetAttachmentData]
[dbo].[sp_delete_jobstep]
[dbo].[sp_RunMailQuery]
[dbo].[sp_help_jobstep]
[dbo].[sp_validate_user]
[dbo].[sp_write_sysjobstep_log]
[dbo].[sp_send_dbmail]
[dbo].[sp_help_jobsteplog]
[dbo].[sp_ExternalMailQueueListener]
[dbo].[sp_delete_jobsteplog]
[dbo].[sp_sysmail_activate]
[dbo].[sp_get_schedule_description]
[dbo].[sp_add_jobschedule]
[dbo].[sp_update_jobschedule]
[dbo].[sp_delete_jobschedule]
[smart_admin].[sp_create_job]
[dbo].[sp_help_schedule]
[smart_admin].[sp_add_task_command]
[dbo].[sp_maintplan_delete_log]
[dbo].[sp_help_jobschedule]
[smart_admin].[sp_set_db_backup]
[dbo].[sp_maintplan_delete_subplan]
[dbo].[sp_verify_job]
[dbo].[sp_maintplan_update_subplan_tsx]
[dbo].[sp_add_job]
[dbo].[sp_maintplan_subplans_by_job]
[dbo].[sp_update_job]
[dbo].[sp_maintplan_open_logentry]
[dbo].[sp_delete_job]
[smart_admin].[sp_get_backup_diagnostics]
[dbo].[sp_maintplan_close_logentry]
[dbo].[sp_get_composite_job_info]
[dbo].[sp_maintplan_update_log]
[dbo].[sp_help_job]
[dbo].[sp_maintplan_update_subplan]
[dbo].[sp_help_jobcount]
[dbo].[sp_maintplan_delete_plan]
[dbo].[sp_help_jobs_in_schedule]
[dbo].[sp_maintplan_start]
[dbo].[sp_manage_jobs_by_login]
[dbo].[sp_clear_dbmaintplan_by_db]
[dbo].[sp_apply_job_to_targets]
[dbo].[sp_add_maintenance_plan]
[dbo].[sp_remove_job_from_targets]
[dbo].[sp_delete_maintenance_plan]
[dbo].[sp_get_job_alerts]
[dbo].[sp_add_maintenance_plan_db]
[dbo].[sp_start_job]
[dbo].[sp_delete_maintenance_plan_db]
[dbo].[sp_stop_job]
[dbo].[sp_add_maintenance_plan_job]
[dbo].[sp_cycle_agent_errorlog]
[dbo].[sp_delete_maintenance_plan_job]
[dbo].[sp_get_chunked_jobstep_params]
[dbo].[sp_help_maintenance_plan]
[dbo].[sp_check_for_owned_jobs]
[dbo].[sp_check_for_owned_jobsteps]
[dbo].[sp_sqlagent_refresh_job]
[dbo].[sp_jobhistory_row_limiter]
[dbo].[sp_add_log_shipping_monitor_jobs]
[dbo].[sp_add_log_shipping_primary]
[dbo].[sp_add_log_shipping_secondary]
[dbo].[sp_delete_log_shipping_monitor_jobs]
[dbo].[sp_delete_log_shipping_primary]
[dbo].[sp_delete_log_shipping_secondary]
[dbo].[sp_log_shipping_in_sync]
[dbo].[sp_log_shipping_get_date_from_file]
[dbo].[sp_sqlagent_log_jobhistory]
[dbo].[sp_get_log_shipping_monitor_info]
[dbo].[sp_sqlagent_check_msx_version]
[dbo].[sp_update_log_shipping_monitor_info]
[dbo].[sp_sqlagent_probe_msx]
[dbo].[sp_delete_log_shipping_monitor_info]
[dbo].[sp_set_local_time]
[dbo].[sp_remove_log_shipping_monitor_account]
[dbo].[sp_multi_server_job_summary]
[dbo].[sp_log_shipping_monitor_backup]
[dbo].[sp_target_server_summary]
[dbo].[sp_log_shipping_monitor_restore]
[dbo].[sp_uniquetaskname]
[dbo].[sp_change_monitor_role]
[dbo].[sp_addtask]
[dbo].[sp_sqlagent_is_srvrolemember]
[dbo].[sp_create_log_shipping_monitor_account]
[dbo].[sp_droptask]
[dbo].[trig_targetserver_insert]
[dbo].[sp_verify_category_identifiers]
[dbo].[sp_ssis_addlogentry]
[dbo].[sp_add_alert_internal]
[dbo].[sp_ssis_listpackages]
[dbo].[sp_add_alert]
[dbo].[sp_verify_proxy_identifiers]
[dbo].[sp_ssis_listfolders]
[dbo].[sp_delete_alert]
[dbo].[sp_verify_credential_identifiers]
[dbo].[sp_ssis_deletepackage]
[dbo].[sp_help_alert]
[dbo].[sp_verify_subsystems]
[dbo].[sp_ssis_deletefolder]
[dbo].[sp_verify_operator]
[dbo].[sp_verify_subsystem_identifiers]
[dbo].[sp_ssis_getpackage]
[dbo].[sp_add_operator]
[dbo].[sp_verify_login_identifiers]
[dbo].[sp_ssis_getfolder]
[dbo].[sp_update_operator]
[dbo].[sp_verify_proxy]
[dbo].[sp_ssis_putpackage]
[dbo].[sp_help_operator]
[dbo].[sp_add_proxy]
[dbo].[sp_help_operator_jobs]
[dbo].[sp_delete_proxy]
[dbo].[sp_ssis_addfolder]
[dbo].[sp_verify_operator_identifiers]
[dbo].[sp_update_proxy]
[dbo].[sp_ssis_renamefolder]
[dbo].[sp_notify_operator]
[dbo].[sp_sqlagent_is_member]
[dbo].[sp_ssis_setpackageroles]
[dbo].[sp_verify_notification]
[dbo].[sp_verify_proxy_permissions]
[dbo].[sp_ssis_getpackageroles]
[dbo].[sp_add_notification]
[dbo].[sp_help_proxy]
[dbo].[sp_update_notification]
[dbo].[sp_delete_notification]
[dbo].[sp_grant_proxy_to_subsystem]
[dbo].[sp_help_notification]
[dbo].[sp_grant_login_to_proxy]
[dbo].[sp_help_jobactivity]
[dbo].[sp_revoke_login_from_proxy]
[dbo].[sp_revoke_proxy_from_subsystem]
[dbo].[sp_enum_proxy_for_subsystem]
[dbo].[sp_sem_add_message]
[dbo].[sp_enum_login_for_proxy]
[dbo].[sp_sem_drop_message]
[dbo].[sp_get_message_description]
[dbo].[sp_sqlagent_get_startup_info]
[dbo].[sp_help_jobhistory_sem]
[dbo].[sp_convert_jobid_to_char]
[dbo].[sp_sqlagent_has_server_access]
[dbo].[sp_sqlagent_get_perf_counters]
[dbo].[sp_sqlagent_notify]
[dbo].[sp_is_sqlagent_starting]
[dbo].[sp_verify_job_identifiers]
[dbo].[sysmail_delete_mailitems_sp]
[dbo].[sp_verify_schedule_identifiers]
[dbo].[sp_verify_jobproc_caller]
[dbo].[sp_downloaded_row_limiter]
[dbo].[sp_post_msx_operation]
[dbo].[sp_verify_performance_condition]
[dbo].[sysmail_delete_log_sp]
[dbo].[sp_verify_job_date]
[dbo].[sp_verify_job_time]
[dbo].[sp_verify_alert]
[dbo].[sp_update_alert]
[dbo].[sp_delete_job_references]
[dbo].[sp_delete_all_msx_jobs]
[dbo].[sp_generate_target_server_job_assignment_sql]
[dbo].[sp_generate_server_description]
[dbo].[sp_msx_set_account]
[dbo].[sp_msx_get_account]
[dbo].[sp_delete_operator]
[dbo].[sp_msx_defect]
[dbo].[sp_msx_enlist]
[dbo].[sysmail_verify_accountparams_sp]
[dbo].[sp_delete_targetserver]
[dbo].[sp_enlist_tsx]
[dbo].[sysmail_verify_principal_sp]
[dbo].[sp_get_sqlagent_properties]
[dbo].[sysmail_verify_profile_sp]
[dbo].[sp_set_sqlagent_properties]
[dbo].[sysmail_verify_account_sp]
[dbo].[sp_add_targetservergroup]
[dbo].[sysmail_add_profile_sp]
[dbo].[sp_update_targetservergroup]
[dbo].[sysmail_update_profile_sp]
[dbo].[sp_delete_targetservergroup]
[dbo].[sysmail_delete_profile_sp]
[dbo].[sp_help_targetservergroup]
[dbo].[sysmail_help_profile_sp]
[dbo].[sp_add_targetsvrgrp_member]
[dbo].[sysmail_create_user_credential_sp]
[dbo].[sp_delete_targetsvrgrp_member]
[dbo].[sysmail_alter_user_credential_sp]
[dbo].[sp_verify_category]
[dbo].[sysmail_drop_user_credential_sp]
[dbo].[sp_add_category]
[dbo].[sysmail_add_account_sp]
[dbo].[sp_update_category]
[dbo].[sysmail_update_account_sp]
[dbo].[sp_delete_category]
[dbo].[sysmail_delete_account_sp]
[dbo].[sp_help_category]
[dbo].[sysmail_help_account_sp]
[dbo].[sp_help_targetserver]
[dbo].[sysmail_help_admin_account_sp]
[dbo].[sp_resync_targetserver]
[dbo].[sysmail_add_profileaccount_sp]
[dbo].[sp_purge_jobhistory]
[dbo].[sysmail_update_profileaccount_sp]
[dbo].[sp_help_jobhistory_full]
[dbo].[sysmail_delete_profileaccount_sp]

SQL Server on Azure Virtual Machines
Microsoft Defender for Cloud

4 answers

  1. Teng Daniel 1 Reputation point
    2021-11-12T07:46:14.877+00:00

    Any updates on this? We encountered the same issue.


  2. Stuart Cox 1 Reputation point
    2021-11-16T13:46:14.27+00:00

    @Teng Daniel, I have an open support ticket with Microsoft Azure / SQL Server teams on this. Hoping to hear back from them soon. I will post their answer when I have a response.


  3. Iain Eyre 1 Reputation point
    2022-05-09T08:22:58.467+00:00

    @Stuart Cox Did you hear anything back on this yet? I am getting this on a few dbs, but all seem to be the same sps.


  4. Stuart Cox 1 Reputation point
    2022-05-09T10:28:37.013+00:00

    After a few weeks and many back-and-forth emails with Azure and SQL support teams... I finally have an update. Basically Microsoft admitted it is a current issue / bug with the SQL vulnerability advisor in Azure. It's on the backlog. In the meantime, they recommend adding these errors as a baseline to clear them from your vulnerability list.

    From Microsoft:
    As per our conversation, I want to share with you that the rule VA2129 is a "baseline rule type": when the customer creates a new SQL server and enables VA on it, all the results for this rule should be approved as a baseline (we have a plan to set an auto baseline).

    By design, VA shows all the results and does not have whitelisting for MS-signed objects.

    Our product team is working on improving this rule to exclude MS signed objects.

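
Before approving the VA2129 results as a baseline, as the last answer recommends, it is worth confirming that every flagged module in msdb really is signed by `##MS_AgentSigningCertificate##` and by nothing else. The query below is an added example, not part of the original thread and not the query the VA rule itself runs; it uses only the standard catalog views `sys.crypt_properties`, `sys.objects`, `sys.certificates` and `sys.asymmetric_keys`, and the temp table name `#signed_modules` is an arbitrary choice.

```sql
-- Added example: inventory of signed modules in msdb and their signers.
USE msdb;

IF OBJECT_ID('tempdb..#signed_modules') IS NOT NULL
    DROP TABLE #signed_modules;

-- One row per (module, signature). A module signed twice appears twice.
SELECT
    QUOTENAME(SCHEMA_NAME(o.schema_id)) + N'.' + QUOTENAME(o.name) AS module_name,
    o.type_desc,
    o.is_ms_shipped,
    o.create_date,
    o.modify_date,
    cp.crypt_type_desc,   -- signature or counter signature, by certificate or asymmetric key
    COALESCE(c.name, ak.name, N'<signer not present in msdb>') AS signer_name
INTO #signed_modules
FROM sys.crypt_properties AS cp
JOIN sys.objects AS o
    ON o.object_id = cp.major_id
LEFT JOIN sys.certificates AS c
    ON c.thumbprint = cp.thumbprint
LEFT JOIN sys.asymmetric_keys AS ak
    ON ak.thumbprint = cp.thumbprint
WHERE cp.class = 1;       -- class 1 = object or column

-- 1) Summary: compare module_count with the number of VA2129 findings
--    (244 or 255 in the deployments described in the question).
SELECT signer_name, COUNT(*) AS module_count
FROM #signed_modules
GROUP BY signer_name
ORDER BY module_count DESC;

-- 2) Exceptions: anything signed by a different certificate or key.
--    On a freshly deployed server this should return no rows; rows here
--    need an owner and a change record before they go into the baseline.
SELECT module_name, type_desc, signer_name, crypt_type_desc,
       is_ms_shipped, create_date, modify_date
FROM #signed_modules
WHERE signer_name <> N'##MS_AgentSigningCertificate##'
ORDER BY modify_date DESC;

DROP TABLE #signed_modules;
```

Saving the output of the first query alongside the approved baseline gives a reference point: a later scan that reports a different count or a new signer is a change to review rather than a repeat of the known false positive.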