Vulnerability on log4j: C:\Program Files\Microsoft SQL Server\MSSQL14.SQLSERVER2017\MSSQL\Binn\Polybase\Hadoop\Windows show log4j file in the system.

Question

Vulnerability on log4j: C:\Program Files\Microsoft SQL Server\MSSQL14.SQLSERVER2017\MSSQL\Binn\Polybase\Hadoop\Windows show log4j file in the system.

Moya Cardenas, Jonathan 25

Hi

i m using MS sql 2017 in my organization recently we scan the system with the Tenable scanner and we found some of the vulnerable file in sql on log4j.
those are "Apache Log4j 1.x Multiple Vulnerabilities" and "Apache Log4j SEoL (<= 1.x)"

that's because this .jar appear in one folder

Source: Manifest Vendor: Unknown, Manifest Version: Unknown, JNDI Class: NOT Found, Log4j Vendor: log4j, Log4j Version: 1.2.17
Path=C:\Program Files\Microsoft SQL Server\MSSQL14.SQLSERVER2017\MSSQL\Binn\Polybase\Hadoop\cloudera5_polybase.jar

log4j 1.2.17

Source: Manifest Vendor: Unknown, Manifest Version: Unknown, JNDI Class: NOT Found, Log4j Vendor: log4j, Log4j Version: 1.2.17
Path=C:\Program Files\Microsoft SQL Server\MSSQL14.SQLSERVER2017\MSSQL\Binn\Polybase\Hadoop\cloudera_polybase.jar

log4j 1.2.17

Source: Manifest Vendor: Unknown, Manifest Version: Unknown, JNDI Class: NOT Found, Log4j Vendor: log4j, Log4j Version: 1.2.17
Path=C:\Program Files\Microsoft SQL Server\MSSQL14.SQLSERVER2017\MSSQL\Binn\Polybase\Hadoop\hortonworks2_2_polybase.jar

log4j 1.2.17

Source: Manifest Vendor: Unknown, Manifest Version: Unknown, JNDI Class: NOT Found, Log4j Vendor: log4j, Log4j Version: 1.2.17
Path=C:\Program Files\Microsoft SQL Server\MSSQL14.SQLSERVER2017\MSSQL\Binn\Polybase\Hadoop\hortonworks2_polybase.jar

log4j 1.2.17

Source: Manifest Vendor: Apache Software Foundation, Manifest Version: 1.2.17, JNDI Class: NOT Found, Log4j Vendor: log4j, Log4j Version: 1.2.17
Path=C:\Program Files\Microsoft SQL Server\MSSQL14.SQLSERVER2017\MSSQL\Binn\Polybase\Hadoop\polybase.jar!log4j-1.2.17.jar

log4j 1.2.17

Source: Manifest Vendor: Unknown, Manifest Version: Unknown, JNDI Class: NOT Found, Log4j Vendor: log4j, Log4j Version: 1.2.17
Path=C:\Program Files\Microsoft SQL Server\MSSQL14.SQLSERVER2017\MSSQL\Binn\Polybase\Hadoop\polybase.jar

log4j 1.2.17

Source: Manifest Vendor: Apache Software Foundation, Manifest Version: 1.2.17, JNDI Class: NOT Found, Log4j Vendor: log4j, Log4j Version: 1.2.17
Path=C:\Program Files\Microsoft SQL Server\MSSQL14.SQLSERVER2017\MSSQL\Binn\Polybase\Hadoop\Windows\log4j-1.2.17.jar
log4j 1.2.17

How can we address this vulnerability?

Thank you!

Jonathan

Anonymous

2023-10-23T05:30:20.18+00:00

Hi @Moya Cardenas, Jonathan

Did the answer help you? If the answer is useful, please click Accept Answer to let others with similar questions quickly find answers. If you have any questions, please feel free to let me know.

Best regards,

Aniya
Moya Cardenas, Jonathan 25 Reputation points

2023-10-24T15:16:52.65+00:00

Hi @Anonymous

These are the jar files that are generating the log4j vulnerability, the scanner indicates that the solution is to upgrade the Apache version to a supported one, but I don't know how to do it to these files, and the Apache page does not indicate how to upgrade them.
Erland Sommarskog 121.4K Reputation points MVP Volunteer Moderator

2023-10-24T20:56:18.6633333+00:00

What does "SELECT @@version" report?

Moya Cardenas, Jonathan 25

Hi @Erland Sommarskog

The version reported is 1.2.17

Path              : G:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\Binn\Polybase\Hadoop\cloudera5_polybase.jar
  Installed version : 1.2.17



  Path              : G:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\Binn\Polybase\Hadoop\cloudera_polybase.jar
  Installed version : 1.2.17



  Path              : G:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\Binn\Polybase\Hadoop\hortonworks2_2_polybase.jar
  Installed version : 1.2.17



  Path              : G:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\Binn\Polybase\Hadoop\hortonworks2_polybase.jar
  Installed version : 1.2.17



  Path              : G:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\Binn\Polybase\Hadoop\polybase.jar
  Installed version : 1.2.17

Erland Sommarskog 121.4K Reputation points MVP Volunteer Moderator

2023-10-25T20:58:50.61+00:00

No, that was not I was asking for. I was asking for the output of the query "SELECT @@version". That is, I want to know exactly which build of SQL 2017 you have.

Accepted answer

0 additional answers

Your answer

Anonymous

2023-10-23T05:30:20.18+00:00

Hi @Moya Cardenas, Jonathan

Did the answer help you? If the answer is useful, please click Accept Answer to let others with similar questions quickly find answers. If you have any questions, please feel free to let me know.

Best regards,

Aniya
Moya Cardenas, Jonathan 25 Reputation points

2023-10-24T15:16:52.65+00:00

Hi @Anonymous

These are the jar files that are generating the log4j vulnerability, the scanner indicates that the solution is to upgrade the Apache version to a supported one, but I don't know how to do it to these files, and the Apache page does not indicate how to upgrade them.
Erland Sommarskog 121.4K Reputation points MVP Volunteer Moderator

2023-10-24T20:56:18.6633333+00:00

What does "SELECT @@version" report?
Moya Cardenas, Jonathan 25 Reputation points

2023-10-25T19:08:28.5366667+00:00

Hi @Erland Sommarskog

The version reported is 1.2.17

Path : G:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\Binn\Polybase\Hadoop\cloudera5_polybase.jar Installed version : 1.2.17 Path : G:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\Binn\Polybase\Hadoop\cloudera_polybase.jar Installed version : 1.2.17 Path : G:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\Binn\Polybase\Hadoop\hortonworks2_2_polybase.jar Installed version : 1.2.17 Path : G:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\Binn\Polybase\Hadoop\hortonworks2_polybase.jar Installed version : 1.2.17 Path : G:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\Binn\Polybase\Hadoop\polybase.jar Installed version : 1.2.17
Erland Sommarskog 121.4K Reputation points MVP Volunteer Moderator

2023-10-25T20:58:50.61+00:00

No, that was not I was asking for. I was asking for the output of the query "SELECT @@version". That is, I want to know exactly which build of SQL 2017 you have.

Answer 1

Anonymous

Hi @Moya Cardenas, Jonathan

According to my searches, on August 5, 2015, the Log Service Project Management Board announced that Log4j 1.x was end of life. Since Log4j 1 is no longer maintained, none of the issues listed will be resolved. Users are urged to upgrade to Log4j 2.

You can get more information on this site:

https://logging.apache.org/log4j/1.x/

https://logging.apache.org/log4j/2.x/

Microsoft has released a response to CVE-2021-44228 Apache Log4j 2, maybe you can use it as a reference.

https://www.microsoft.com/en-us/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/

https://msrc.microsoft.com/blog/2021/12/microsofts-response-to-cve-2021-44228-apache-log4j2/

If the answer is helpful, please click Accept Answer and Up-Vote for the same. If you have any questions, please feel free to let me know.

Best regards,

Aniya

Moya Cardenas, Jonathan 25 Reputation points

2023-10-24T15:17:13.79+00:00

Hi @AniyaTang-MSFT

These are the jar files that are generating the log4j vulnerability, the scanner indicates that the solution is to upgrade the Apache version to a supported one, but I don't know how to do it to these files, and the Apache page does not indicate how to upgrade them.
Anonymous

2023-10-25T01:40:18.7633333+00:00

Hi @Moya Cardenas, Jonathan

I found a solution for you to migrate Log4j 1.x files to Log4j 2.x by Apache: https://logging.apache.org/log4j/2.x/manual/migration.html.

For more detailed questions, I suggest you go to Apache related platforms for help.

If the answer is helpful, please click Accept Answer and Up-Vote for the same. If you have any questions, please feel free to let me know.

Best regards,

Aniya

Share via

Vulnerability on log4j: C:\Program Files\Microsoft SQL Server\MSSQL14.SQLSERVER2017\MSSQL\Binn\Polybase\Hadoop\Windows show log4j file in the system.

0 additional answers

Your answer