Dec 14 2021 12:37 PM
Hello,
we found the log4j.jar files in an Microsoft SQL folder.
Most likely those files are only used when you use an ODBJC connector?
Am I right?
By default those Java files are no problem anyway, whenever Javascript is not installed on the SQL server, correct?
(I could not find anything about it on the microsoft SQL website)
Thanks for your thoughts.
Directory: C:\Program Files\Microsoft SQL Server\150\DTS\Extensions\Common\Jars
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 9/24/2019 4:21 PM 489884 log4j-1.2.17.jar
-a---- 9/24/2019 4:21 PM 8869 slf4j-log4j12-1.7.5.jar
Dec 14 2021 11:02 PM
@Carsten2021 , MS SQL Server do not install nor utilize any Java components.
Is it possible, that you have installed a third-party product as extension for SSIS?
Dec 15 2021 12:42 AM
SolutionDec 15 2021 01:08 AM
Dec 15 2021 04:30 AM
Dec 15 2021 12:48 PM
@UjwalaV I suppose you could move the file to a different folder and restart SQL Server and see if there's an impact, if there is just move it back and restart again. I'm not sure if you can upgrade it as I presume SQL Server is expecting the version it ships with. Hopefully MS issue a response soon.
Dec 15 2021 08:19 PM
Thanks @ccparkhill
I have already deleted the log4j file as a quick action on the vulnerability. :( I had restarted server as well and tested all SSIS packages hosted on it. It was smooth execution. I am wondering if removal of of log4j will have any impact on other areas like, performance or.. ?
Is there any way we can install the higher version of the log4j in the server again? If yes, how it should be?
Thanks
Feb 23 2022 02:34 PM
Sep 19 2023 10:49 PM
Dec 15 2021 12:42 AM
Solution