After deploying SQL Server 2018 in my organization, our IT deparment has detected that it is using logj v1.2.17 (C:\Program Files\150\DTS\Extensions\Common\Jars\log4j-1.2.17.jar). Specifically, they raise the following concern:
Log4j 1.x, which reached its End of Life prior to 2016, comes with JMSAppender which will perform a JNDI lookup if enabled in Log4j's configuration file, hence customers should evaluate triggers in 1.x based on the risk that it is EOL and whether JNDI lookups are enabled. |
Is there any patch, procedure or guide on how to update that component? Alternatively, is there any jusitification on why an update wouldn't be needed?
Regards,
Julio
