This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(316.8, 84%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPM%3C/text%3E%3C/svg%3E)
Hi All,
I am using Microsoft Sql Server 2019 express edition which has a reference to log4j-1.2.17.jar in my .Net web app.
will this be having any impact? Does Microsoft release any security patch updates or sql server updates to mitigate this vulnerability ?
Hi @P, Manjunatha ,
The versions affected are from 2.0-beta9 to 2.14.1, lower versions such as the one you've posted in the screenshot are not vulnerable to the Log4J "Log4Shell" Zero-Day Vulnerability but is still recommended to be updated to the latest version.
SQL Server in itself is not vulnerable, unless you have extensions that make use of the Log4j.
For more information see:
----------
If the reply was helpful please don't forget to upvote and/or accept as answer, thank you!
Best regards,
Leon
I would add that no Microsoft products ship Log4J. Only custom applications (mostly, Java-based) may ship them. As the result, Microsoft won't provide patches because they don't own Log4J nor use it in their applications.
Please install Microsoft SQL Server 2019 and follow the screenshot path, it will list the set of jar in the installation folder.
These are JDBC drivers only. Microsoft does not ship Java runtime, thus these jar files cannot be activated.
Thank you.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(211.20000000000002, 80%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBR%3C/text%3E%3C/svg%3E)
Tenable (if anyone else uses Nessus as their vulnerability scanner) has recently decided fresh off the log4j zero day that all versions of log4j, including 1.2.17 as shown in the user's screenshot here, are now CRITICAL level vulnerabilities. https://www.tenable.com/plugins/nessus/156032
-Brent
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(272, 89%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELG%3C/text%3E%3C/svg%3E)
So essentially, to evade or resolve a Tenable / vulnerability scan for Log4j if we're not using Java on that server is that we can just remove the JAR file from the machine with no ill effects since Microsoft is not using it? Seems like a simple solution to a complex problem.