December 14, 2021 at 11:38 pm
The following file exists in C:\Program Files (x86)\Microsoft SQL Server\150\DTS\Extensions\Common\Jars
log4j-1.2.17.jar
I'm sure this isn't a concern, just wondering if anyone knows of anything official from Microsoft regarding any SQL log4j vulnerability.
There's no info I could find other than this post which claims there's no issue.
https://docs.microsoft.com/en-us/answers/questions/662469/log4j-vulnerability-concerns.html
December 15, 2021 at 8:43 am
Hi,
Try this link, maybe there is some useful information for you:
https://docs.microsoft.com/en-us/answers/questions/662469/log4j-vulnerability-concerns.html
Kind regards,
Andreas
PS: Sorry, I should have read your topic to the end; it has the same link as my answer.
December 15, 2021 at 12:41 pm
Statement at the moment is that product group are looking into the vulnerability.
The most up to date information can be found at
https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2
Please note the vulnerability was found in v2 to v2.14.1 of the package; there have been no reports of the vulnerability in other versions of log4j.
December 29, 2021 at 8:16 pm
I'm trying to find information about this myself. Can we just rename this file without breaking anything? Why is this file present in the DTS folder? The articles MS has provided so far are pretty limited for SQL Server. 🙁
December 29, 2021 at 9:04 pm
I zipped the Jars directory and then deleted the Jars folder. This way they are still there just not accessible. I've already done this on all our production 2019 instances without any issues.
I'm not sure why it's in the DTS folder but you'll also find it in VS I think.
It was added as an extension probably having to do with Spark.
You'll also see it here under big data clusters...
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-44228
December 31, 2021 at 8:54 am
Hmmm....
Correct me if I'm wrong; if JAVA is not installed on that SQL server, there should be no environment to load the log4j.jar into?
In that case the SQL Server should be OK, right?
December 31, 2021 at 3:40 pm
I have a Java Specialist certification, but can't say I've actually ever done any Java or remember much of it...
But yeah, you're correct, you need the Java Runtime Environment to actually run any of this stuff, or to have installed something that would have included it.
If you're doing anything with big data I would certainly be looking very closely at it, outside of that the only other thing I know of would be custom Java development that might have used those libraries. Like I said I zipped the Jars folder just to ensure they wouldn't be accessible.
April 19, 2022 at 8:49 pm
SQL 2019 CU16 removes the Log4J files
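An inventory check for the questions raised in this thread, as an added example that is not part of any post and is not Microsoft tooling: it lists log4j jars under a root folder, compares each file-name version with the "v2 to v2.14.1" range quoted above for CVE-2021-44228, and looks inside each archive for the JndiLookup class. The `$Root` value, the function name `Get-Log4jFinding` and the JndiLookup check are assumptions of this example, not something the thread states.

```powershell
# Added example (not from the thread): list log4j jars under $Root and compare each
# version with the range quoted in the thread for CVE-2021-44228 (2.0 through 2.14.1).
$Root = 'C:\Program Files (x86)\Microsoft SQL Server'   # assumed: parent of the folder in the first post
$JndiEntry = 'org/apache/logging/log4j/core/lookup/JndiLookup.class'  # class shipped in log4j-core 2.x

Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-Log4jFinding {
    param([Parameter(Mandatory)][System.IO.FileInfo]$Jar)

    # File names look like log4j-1.2.17.jar or log4j-core-2.14.1.jar
    $version = $null
    if ($Jar.Name -match '^log4j(?:-core|-api)?-(\d+\.\d+(?:\.\d+)?)') {
        $version = [version]$Matches[1]
    }

    # A renamed jar keeps its contents, so look inside the archive as well
    $hasJndi = $null
    try {
        $zip = [System.IO.Compression.ZipFile]::OpenRead($Jar.FullName)
        try { $hasJndi = [bool]($zip.Entries | Where-Object { $_.FullName -eq $JndiEntry }) }
        finally { $zip.Dispose() }
    } catch {
        $hasJndi = $null   # unreadable file or not a zip archive
    }

    $status = if (-not $version) {
        'version unknown, inspect manually'
    } elseif ($version -ge [version]'2.0' -and $version -le [version]'2.14.1') {
        'inside 2.0 to 2.14.1 range'
    } else {
        'outside 2.0 to 2.14.1 range'
    }

    [pscustomobject]@{
        Path = $Jar.FullName; Version = $version; HasJndiLookup = $hasJndi; Status = $status
    }
}

# java.exe on PATH is only a hint: a runtime bundled inside another product is not detected
$javaOnPath = [bool](Get-Command java.exe -ErrorAction SilentlyContinue)
"java.exe on PATH: $javaOnPath"

Get-ChildItem -Path $Root -Recurse -Filter 'log4j*.jar' -File -ErrorAction SilentlyContinue |
    ForEach-Object { Get-Log4jFinding -Jar $_ } |
    Format-Table -AutoSize -Wrap
```

Jars nested inside other archives are not opened by this scan, so an empty result covers only loose `log4j*.jar` files under `$Root`.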