question

0 Votes
SolomonChakaravarthySunil-9428 asked DariuszGolonko-4252 commented

Apache Log4j Vulnerability - Microsoft SQL Server 2012 Standard SPSQL 2012 SP4 + Security Update (11.0.7507.2)

We are running the below versions of OS.
"Microsoft SQL Server 2012 Standard SPSQL 2012 SP4 + Security Update (11.0.7507.2)"
"Windows Server 2012, x64 Datacenter Edition Version: 6.2.9200 + July 13, 2021 Rollup Patch"

May I please check if Apache Log4j impacts the above-mentioned OS and, if so, may I check if there are any workarounds or patches?

windows-server-security

0 Votes
Crypt32 answered Crypt32 edited

Neither of these Microsoft products uses Log4J, thus they are not vulnerable to the recent CVE-2021-44228 vulnerability.

See this thread for more details: https://docs.microsoft.com/answers/questions/662469/log4j-vulnerability-concerns.html


0 Votes
CyrilleBollu-1546 answered SoonerMedic72-6722 commented

Just ran a search on a Windows server running Microsoft SQL 2019 and found a log4j jar in "C:\Program Files\Microsoft SQL Server\150\DTS\Extensions\Common\Jars"

So, not so black & white.


These are connectors. SQL does not use them by default. You have to install Java runtime and get an application that would use this connector. Without all that, these are just non-executable flat files.

1 Vote

Is it something to worry about, and if so should it be patched somehow?

1 Vote

Thanks for the explanation.

In the meantime, I've confirmed this jar doesn't use the JndiLookup class (findstr /s /i /c:"JndiLookup.class" C:*.jar). So, I should be safe anyway.

0 Votes

This is only for the default config that it is not vulnerable to that specific CVE. There are several CVEs for log4j 1.x. ( https://nvd.nist.gov/vuln/detail/CVE-2021-4104 ) CVE-2021-4104 shows that it is vulnerable when the JMSAppender is configured.

The official Apache site ( https://logging.apache.org/log4j/1.2/ ) has this one from 2019 listed (CVE-2019-17571) and states that users are urged to upgrade as the issue will not be fixed. It hasn't been supported since 2015; there is no reasonable explanation for why Microsoft is placing it in SQL Express 2019 unless they want to pick up support for it. This is like throwing Flash on Windows 12 in 2025.

0 Votes
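As an added example (not code posted by anyone in this thread): a Python check that opens each jar as the zip archive it is, rather than string-searching the file, and reports the manifest version together with the two classes the comments above discuss, JndiLookup (log4j 2.x, CVE-2021-44228) and JMSAppender (log4j 1.x, CVE-2021-4104). The class paths are the real log4j ones; the sample jars are constructed in memory so the script runs offline.

```python
import io
import os
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # log4j 2.x, CVE-2021-44228
JMS_APPENDER = "org/apache/log4j/net/JMSAppender.class"  # log4j 1.x, CVE-2021-4104

def manifest_version(zf):
    """Implementation-Version (or Bundle-Version) from META-INF/MANIFEST.MF, else None."""
    text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace") if "META-INF/MANIFEST.MF" in zf.namelist() else ""
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() in ("Implementation-Version", "Bundle-Version"):
            return value.strip()
    return None

def inspect_jar(source):
    """Open a jar (path or file object) as a zip archive and report which log4j entries it carries."""
    with zipfile.ZipFile(source) as zf:
        names = set(zf.namelist())
        return {
            "version": manifest_version(zf),
            "log4j1": any(n.startswith("org/apache/log4j/") for n in names),
            "log4j2": any(n.startswith("org/apache/logging/log4j/") for n in names),
            "jndi_lookup": JNDI_LOOKUP in names,  # the class CVE-2021-44228 depends on
            "jms_appender": JMS_APPENDER in names,  # the appender CVE-2021-4104 depends on
        }

def scan_tree(root):
    """Walk root; return {path: findings} for each readable .jar that contains log4j classes."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".jar"):
                try:
                    found = inspect_jar(os.path.join(dirpath, name))
                except zipfile.BadZipFile:
                    continue  # not a zip archive, so it cannot be a usable jar
                if found["log4j1"] or found["log4j2"]:
                    hits[os.path.join(dirpath, name)] = found
    return hits

def build_sample_jar(entries, version):
    """Constructed in-memory jar for demonstration: empty class entries plus a manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        for entry in entries:
            zf.writestr(entry, b"")
    return io.BytesIO(buf.getvalue())
```

Running `scan_tree(r"C:\Program Files\Microsoft SQL Server")` on the host lists every log4j-bearing jar under that tree with its version, which is the inventory needed before deciding whether a file can be removed or must be upgraded.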

0 Votes
SatyenShah-2791 answered DariuszGolonko-4252 commented

Does anyone know which SQL2019 features/connectors/drivers can be disabled/uninstalled to remove the log4j files to suppress detections?


I have one server with DBE only installed, and log4j files are still there, so I guess the only way is to delete the log4j files.

0 Votes