SOLVED

Security Issue with log4j ?


Hello,

We found the log4j .jar files in a Microsoft SQL folder.

Most likely those files are only used when you use an ODBJC connector?

Am I right?


By default those Java files are no problem anyway whenever JavaScript is not installed on the SQL server, correct?

(I could not find anything about it on the Microsoft SQL website.)

Thanks for your thoughts.


Directory: C:\Program Files\Microsoft SQL Server\150\DTS\Extensions\Common\Jars
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 9/24/2019 4:21 PM 489884 log4j-1.2.17.jar
-a---- 9/24/2019 4:21 PM 8869 slf4j-log4j12-1.7.5.jar
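The listing above answers "which jars are there" but not "which log4j version is really inside them", and for log4j that distinction matters: Log4Shell (CVE-2021-44228) lives in the JNDI lookup of the 2.x line, while 1.x jars such as the log4j-1.2.17.jar shown here are a separate, end-of-life code base. The script below is an added example (not code from the original post or from Microsoft): it walks a folder such as the DTS\Extensions\Common\Jars directory, recognises log4j jars by file name or by the package roots inside the archive, reads the version from META-INF/MANIFEST.MF rather than trusting the file name, and records whether the 2.x JndiLookup class is present. The directory it scans in main() is constructed in a temp folder with placeholder jars shaped like the ones in the listing; the jar names and entries are assumptions for the demo.

```python
"""Inventory log4j jars under a directory and read each one's real version.

Added example for this thread, not code from the original post or from Microsoft.
The directory scanned by main() is constructed in a temp folder for the demo.
"""
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass
from typing import List, Optional

# Class that the Log4j 2.x mitigation guidance removes; its presence marks a 2.x core jar.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J_PACKAGE_ROOTS = ("org/apache/log4j/", "org/apache/logging/log4j/")
# Matches log4j-1.2.17.jar, log4j-core-2.14.1.jar, ...: artifact name, then version.
NAME_RE = re.compile(r"^(log4j(?:-[a-z][a-z0-9]*)*)-(\d+(?:\.\d+)*)\.jar$", re.IGNORECASE)


@dataclass
class JarFinding:
    path: str
    artifact: str
    version: Optional[str]
    major: Optional[int]
    has_jndi_lookup: bool


def _manifest_version(zf: zipfile.ZipFile) -> Optional[str]:
    """Return Implementation-Version from META-INF/MANIFEST.MF, or None if absent."""
    try:
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    m = re.search(r"^Implementation-Version:\s*(\S+)", text, re.MULTILINE)
    return m.group(1) if m else None


def inspect_jar(path: str) -> Optional[JarFinding]:
    """Classify one jar; returns None if it is unreadable or not log4j."""
    m = NAME_RE.match(os.path.basename(path))
    artifact = m.group(1).lower() if m else None
    try:
        with zipfile.ZipFile(path) as zf:
            names = zf.namelist()
            has_jndi = JNDI_LOOKUP_CLASS in names
            version = _manifest_version(zf)
    except zipfile.BadZipFile:
        return None
    # A renamed or repackaged jar still carries the log4j package roots.
    if artifact is None and any(n.startswith(LOG4J_PACKAGE_ROOTS) for n in names):
        artifact = "log4j (unrecognised file name)"
    if artifact is None:
        return None
    if version is None and m:
        version = m.group(2)  # fall back to the version in the file name
    first = version.split(".")[0] if version else ""
    major = int(first) if first.isdigit() else None
    return JarFinding(path, artifact, version, major, has_jndi)


def scan_directory(root: str) -> List[JarFinding]:
    """Recursively inspect every *.jar under root and return the log4j findings."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".jar"):
                finding = inspect_jar(os.path.join(dirpath, name))
                if finding is not None:
                    findings.append(finding)
    return sorted(findings, key=lambda f: f.path)


def build_sample_tree() -> str:
    """Constructed sample: tiny zips named like the jars in the thread's listing, plus a
    made-up 2.x core jar for contrast. Entries are empty placeholders, not real classes."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")

    def make_jar(name: str, version: str, entries: List[str]) -> None:
        with zipfile.ZipFile(os.path.join(root, name), "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF",
                        f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
            for entry in entries:
                zf.writestr(entry, b"")

    make_jar("log4j-1.2.17.jar", "1.2.17", ["org/apache/log4j/Logger.class"])
    make_jar("slf4j-log4j12-1.7.5.jar", "1.7.5", ["org/slf4j/impl/Log4jLoggerAdapter.class"])
    make_jar("log4j-core-2.14.1.jar", "2.14.1",
             ["org/apache/logging/log4j/core/Logger.class", JNDI_LOOKUP_CLASS])
    return root


if __name__ == "__main__":
    for f in scan_directory(build_sample_tree()):
        flag = "JndiLookup present" if f.has_jndi_lookup else "no JndiLookup"
        print(f"{f.path}: {f.artifact} {f.version or '?'} (major {f.major}, {flag})")
```

Point `scan_directory()` at the real Jars folder instead of the constructed tree to get the same report for a host. The slf4j-log4j12 binding from the listing is deliberately not reported as log4j: it is only the adapter that routes SLF4J calls to whichever log4j jar sits beside it, so the version that matters is the one in the log4j jar itself.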


@Carsten2021, MS SQL Server does not install or utilize any Java components.

Is it possible that you have installed a third-party product as an extension for SSIS?

best response confirmed by Carsten2021 (Copper Contributor)

There is software installed, but no Java. I guess it came with SQL Express ...

Will there be any impact if we delete log4j from the below directory?
Directory: C:\Program Files\Microsoft SQL Server\150\DTS\Extensions\Common\Jars
Is there any way to restore it (after deleting) and upgrade the log4j version?

@UjwalaV I suppose you could move the file to a different folder, restart SQL Server and see if there's an impact; if there is, just move it back and restart again. I'm not sure if you can upgrade it, as I presume SQL Server is expecting the version it ships with. Hopefully MS issues a response soon.

Thanks @ccparkhill

I have already deleted the log4j file as a quick action on the vulnerability. :( I had restarted the server as well and tested all SSIS packages hosted on it. It was a smooth execution. I am wondering if removal of log4j will have any impact on other areas like performance?

Is there any way we can install a higher version of log4j on the server again? If yes, how should it be done?

Thanks

@ccparkhill

Thanks, this one will be a big help in explaining the findings to our security team.

When you install SQL Server, it also installs log4j.