logJ component vulnerability

After deploying SQL Server 2018 in my organization, our IT department has detected that it is using log4j v1.2.17 (C:\Program Files\150\DTS\Extensions\Common\Jars\log4j-1.2.17.jar). Specifically, they raise the following concern:

Log4j 1.x, which reached its End of Life prior to 2016, comes with JMSAppender which will perform a JNDI lookup if enabled in Log4j's configuration file, hence customers should evaluate triggers in 1.x based on the risk that it is EOL and whether JNDI lookups are enabled.

Is there any patch, procedure or guide on how to update that component? Alternatively, is there any justification for why an update wouldn't be needed?

Regards,

Julio

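As an added example (not part of this post, and not Microsoft's or the Log4j project's code), here is a check for the condition the quoted concern describes: whether a Log4j 1.x configuration actually attaches a JMSAppender to the root logger or another logger, which is what makes its JNDI lookup reachable. The function names are my own and both sample configurations are constructed; a JMSAppender that is defined but never referenced is reported as not enabled.

```python
"""Check a Log4j 1.x config for an enabled JMSAppender (the JNDI lookup path)."""
import re
import xml.etree.ElementTree as ET

JMS_CLASS = "org.apache.log4j.net.JMSAppender"
LOGGER_KEYS = ("log4j.rootLogger", "log4j.rootCategory", "log4j.logger.", "log4j.category.")


def jms_in_properties(text):
    """Names of JMSAppender instances attached to the root or any logger (.properties)."""
    jms, attached = set(), set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        m = re.fullmatch(r"log4j\.appender\.([^.]+)", key)
        if m and value == JMS_CLASS:
            jms.add(m.group(1))
        elif key.startswith(LOGGER_KEYS):
            # Logger values are "LEVEL, app1, app2" (level may be empty); skip token 0.
            attached.update(t.strip() for t in value.split(",")[1:])
    return sorted(jms & attached)


def jms_in_xml(text):
    """Same check for log4j.xml; any <appender-ref> counts, including one inside
    a wrapping appender such as AsyncAppender, since that still forwards events."""
    root = ET.fromstring(text)
    jms = {a.get("name") for a in root.iter("appender") if a.get("class") == JMS_CLASS}
    attached = {r.get("ref") for r in root.iter("appender-ref")}
    return sorted(jms & attached)


def enabled_jms_appenders(text):
    """Dispatch on format; a non-empty result means JNDI lookups are reachable."""
    return jms_in_xml(text) if text.lstrip().startswith("<") else jms_in_properties(text)


# Constructed samples (one per format); UNUSED is defined but never attached.
PROPS = """
log4j.rootLogger=INFO, CONSOLE, JMS
log4j.appender.CONSOLE=org.apache.log4j.ConsoleAppender
log4j.appender.JMS=org.apache.log4j.net.JMSAppender
log4j.appender.UNUSED=org.apache.log4j.net.JMSAppender
"""
XML = """<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="jms" class="org.apache.log4j.net.JMSAppender"/>
  <root><level value="info"/><appender-ref ref="jms"/></root>
</log4j:configuration>"""

if __name__ == "__main__":
    for cfg in (PROPS, XML):
        print("JMSAppender enabled:", enabled_jms_appenders(cfg) or "no")
```

Point it at the log4j.properties or log4j.xml files that ship next to the jar; a jar on disk with no attached JMSAppender is an EOL-library finding rather than a reachable JNDI lookup.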