We are running the below versions of OS.
"Microsoft SQL Server 2012 Standard SPSQL 2012 SP4 + Security Update (11.0.7507.2)"
"Windows Server 2012, x64 Datacenter Edition Version: 6.2.9200 + July 13, 2021 Rollup Patch"
May i please check if Apache Log4J impacts the above-mentioned OS and if so, may i check if there are any workarounds or patches?
Neither of Microsoft products use Log4J, thus they are not vulnerable to recent CVE-2021-44228 vulnerability.
See this thread for more details: https://docs.microsoft.com/answers/questions/662469/log4j-vulnerability-concerns.html
Just ran a search on a Windows server running Microsoft SQL 2019 and found a log4j jar in "C:\Program Files\Microsoft SQL Server\150\DTS\Extensions\Common\Jars"
So, not so black & white
These are connectors. SQL does not use them by default. You have to install Java runtime and get an application that would use this connector. Without all that, these are just non-executable flat files.
Is it something to worry about, and if so should it be patched somehow?
Thanks for the explanation.
In the meantime, I've confirmed this jar doesn't use the JndiLookup class (findstr /s /i /c:"JndiLookup.class" C:*.jar). So, I should be safe anyway.
This is only for the default config that it is not vulnerable to that specific CVE. There are several CVE's for log4j 1.x. ( https://nvd.nist.gov/vuln/detail/CVE-2021-4104 ) CVE-2021-4104 shows that it is vulnerable when the JMSAppender is configured.
The official Apache site ( https://logging.apache.org/log4j/1.2/ ) has this one from 2019 listed (CVE-2019-17571) and states that users are urged to upgrade as the issue will not be fixed. It hasn't been supported since 2015, there is no reasonable explanation for why Microsoft is placing it in SQL Express 2019 unless they want to pick up support for it. This is like throwing Flash on Windows 12 in 2025.
Hi @SolomonChakaravarthySunil-9428
You can find Microsoft official guide and statements here:
Hope this helps with your query,
--If the reply is helpful, please Upvote and Accept as answer--
Does anyone know which SQL2019 features/connectors/drivers can be disabled/uninstalled to remove the log4j files to suppress detections?
I have one server with DBE only installed and log4j files are still there so I guess the only way is to delete the log4j files.
We run many MS SQL Server installations and the results i get from various scanners are the same. The .jar files are present on our systems.
I can understand that the use of these .jar files in an application makes the system vulnerable.
What i do not know is wether the presense of those files is also a vulnerability. Would it be possible for a malware to utilize these files even if they are not currently used?
What would be the best mitigation ? Delete the files from the system?
12 people are following this question.
