I have a vulnerability scanner that has flagged a specific log4j file on my deployed instance of SQL 2019 as being out of date - it's log4j-1.2.17.jar 1.2.17, and there's an update called 2.17 but there's no installer for it - just random files. The developer's site only seems to have guidance on how to do integrations for developers, not on already deployed applications. Has Microsoft released guidance on how to update Apache / Log4j on MS SQL 2019 instances?

Hi ME-6236,

In addition, Microsoft is currently evaluating the presence of older versions of log4j shipped with some of the product components. While these files are not impacted by the vulnerabilities in CVE-2021-44228 or CVE-2021-4104, the respective engineering teams are assessing their use of these files to determine their long-term plans to address the end of life for Log4J 1.2.

Best Regards,
Amelia

---

If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

@AmeliaGu-MSFT is there any update to Log4j 1.2 removal/update in SQL Server 2019 installations?

If you don't have the source code of a project and just want to fix the log4j 1.x vulnerabilities you can use reload4j project. It allows to replace the file log4j-1.2.17.jar by the reload4j jar file without other changes.

The reload4j project is a fork of Apache log4j version 1.2.17 in order to fix most pressing security issues. It is intended as a drop-in replacement for log4j version 1.2.17. By drop-in, we mean the replacement of log4j.jar with reload4j.jar in your build without needing to make changes to source code, i.e. to your java files.

Microsoft released CU16 that includes this log4j resolution.

14669019

Removes log4j2 used by SQL Server 2019 Integration Services (SSIS) to avoid any potential security issues.

you need to apply this:
https://support.microsoft.com/en-us/topic/kb5011644-cumulative-update-16-for-sql-server-2019-74377be1-4340-4445-93a7-ff843d346896

See:
https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/#SQL-Server-on-windows-all-ed

Hi,

I have a vulnerability scanner that has flagged a specific log4j file on my deployed instance of SQL 2019 as being out of date

This is a know issue. It is recommended to get more information from the apache site first:

https://logging.apache.org/log4j/2.x/

Has Microsoft released guidance on how to update Apache / Log4j on MS SQL 2019 instances?

Yes. Microsoft release information on the issue but update the Log4j is not related to Microsoft directly but to Apache.

I highly recommend you to go over the following Microsoft documents regarding the issue

https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/

https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/