We are running the below versions of OS.
"Microsoft SQL Server 2012 Standard SPSQL 2012 SP4 + Security Update (11.0.7507.2)"
"Windows Server 2012, x64 Datacenter Edition Version: 6.2.9200 + July 13, 2021 Rollup Patch"
May i please check if Apache Log4J impacts the above-mentioned OS and if so, may i check if there are any workarounds or patches?
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
These are connectors. SQL does not use them by default. You have to install Java runtime and get an application that would use this connector. Without all that, these are just non-executable flat files.
This is only for the default config that it is not vulnerable to that specific CVE. There are several CVE's for log4j 1.x. ( https://nvd.nist.gov/vuln/detail/CVE-2021-4104 ) CVE-2021-4104 shows that it is vulnerable when the JMSAppender is configured.
The official Apache site ( https://logging.apache.org/log4j/1.2/ ) has this one from 2019 listed (CVE-2019-17571) and states that users are urged to upgrade as the issue will not be fixed. It hasn't been supported since 2015, there is no reasonable explanation for why Microsoft is placing it in SQL Express 2019 unless they want to pick up support for it. This is like throwing Flash on Windows 12 in 2025.
We run many MS SQL Server installations and the results i get from various scanners are the same. The .jar files are present on our systems.
I can understand that the use of these .jar files in an application makes the system vulnerable.
What i do not know is wether the presense of those files is also a vulnerability. Would it be possible for a malware to utilize these files even if they are not currently used?
What would be the best mitigation ? Delete the files from the system?