Forum Discussion

Carsten2021's avatar
Carsten2021
Copper Contributor
Dec 14, 2021
Solved

Security Issue with log4j ?

Hello,

we found the log4j.jar files in an Microsoft SQL folder.

Most likely those files are only used when you use an ODBJC connector? 

Am I right?

 

By default those Java files are no problem anyway, whenever Javascript is not installed on the SQL server, correct?

(I could not find anything about it on the microsoft SQL website)

Thanks for your thoughts.

 

Directory: C:\Program Files\Microsoft SQL Server\150\DTS\Extensions\Common\Jars
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 9/24/2019 4:21 PM 489884 log4j-1.2.17.jar
-a---- 9/24/2019 4:21 PM 8869 slf4j-log4j12-1.7.5.jar

  • SQL Server does install log4j, more info here:
    https://docs.microsoft.com/en-us/answers/questions/662469/log4j-vulnerability-concerns.html

8 Replies

  • olafhelper's avatar
    olafhelper
    Bronze Contributor

    Carsten2021 , MS SQL Server do not install nor utilize any Java components.

    Is it possible, that you have installed a third-party product as extension for SSIS?

    • Carsten2021's avatar
      Carsten2021
      Copper Contributor
      There is a software installed, but no Java. I guess it came with SQL Express ...
    • ccparkhill's avatar
      ccparkhill
      Copper Contributor
      SQL Server does install log4j, more info here:
      https://docs.microsoft.com/en-us/answers/questions/662469/log4j-vulnerability-concerns.html
      • Tom_Butler's avatar
        Tom_Butler
        Copper Contributor

        ccparkhill 

         

        Thanks, this one will be a big help in explaining the findings to our security team.

Resources