SOLVED

Security Issue with log4j ?

New Contributor

Hello,

we found the log4j.jar files in an Microsoft SQL folder.

Most likely those files are only used when you use an ODBJC connector? 

Am I right?

 

By default those Java files are no problem anyway, whenever Javascript is not installed on the SQL server, correct?

(I could not find anything about it on the microsoft SQL website)

Thanks for your thoughts.

 

Directory: C:\Program Files\Microsoft SQL Server\150\DTS\Extensions\Common\Jars
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 9/24/2019 4:21 PM 489884 log4j-1.2.17.jar
-a---- 9/24/2019 4:21 PM 8869 slf4j-log4j12-1.7.5.jar

6 Replies

@Carsten2021 , MS SQL Server do not install nor utilize any Java components.

Is it possible, that you have installed a third-party product as extension for SSIS?

best response confirmed by Carsten2021 (New Contributor)
There is a software installed, but no Java. I guess it came with SQL Express ...
Will there be any impact if we delete log4j from below directory
Directory: C:\Program Files\Microsoft SQL Server\150\DTS\Extensions\Common\Jars
Is there any way to restore it back (after deleting) and upgrade the log4j version?

@UjwalaV I suppose you could move the file to a different folder and restart SQL Server and see if there's an impact, if there is just move it back and restart again. I'm not sure if you can upgrade it as I presume SQL Server is expecting the version it ships with. Hopefully MS issue a response soon.

Thanks @ccparkhill

I have already deleted  the log4j file as a quick action on the vulnerability. :( I had restarted server as well and tested all SSIS packages hosted on it. It was smooth execution. I am wondering if removal of of log4j will have any impact on other areas like, performance or.. ? 

Is there any way we can install the higher version of the log4j in the server again? If yes, how it should be? 

Thanks