Neither of Microsoft products use Log4J, thus they are not vulnerable to recent CVE-2021-44228 vulnerability.
See this thread for more details: https://learn.microsoft.com/answers/questions/662469/log4j-vulnerability-concerns.html
This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
We are running the below versions of OS.
"Microsoft SQL Server 2012 Standard SPSQL 2012 SP4 + Security Update (11.0.7507.2)"
"Windows Server 2012, x64 Datacenter Edition Version: 6.2.9200 + July 13, 2021 Rollup Patch"
May i please check if Apache Log4J impacts the above-mentioned OS and if so, may i check if there are any workarounds or patches?
Neither of Microsoft products use Log4J, thus they are not vulnerable to recent CVE-2021-44228 vulnerability.
See this thread for more details: https://learn.microsoft.com/answers/questions/662469/log4j-vulnerability-concerns.html
Just ran a search on a Windows server running Microsoft SQL 2019 and found a log4j jar in "C:\Program Files\Microsoft SQL Server\150\DTS\Extensions\Common\Jars"
So, not so black & white
Hi @Solomon, Chakaravarthy Sunil
You can find Microsoft official guide and statements here:
Hope this helps with your query,
--If the reply is helpful, please Upvote and Accept as answer--
Does anyone know which SQL2019 features/connectors/drivers can be disabled/uninstalled to remove the log4j files to suppress detections?
We run many MS SQL Server installations and the results i get from various scanners are the same. The .jar files are present on our systems.
I can understand that the use of these .jar files in an application makes the system vulnerable.
What i do not know is wether the presense of those files is also a vulnerability. Would it be possible for a malware to utilize these files even if they are not currently used?
What would be the best mitigation ? Delete the files from the system?