SQL Server 2017 - Log4J found within Commons-logging Extension

Sean 21 Reputation points
2021-12-15T15:22:55.097+00:00

Hi,

With the recent issues regarding the Log4j exploit, I've done some digging around Microsoft SQL Server 2017.

I've noticed that within the Common Jars folder there's a commons-logging-1.1.3.jar that contains Log4JLogger.class.
Also within the commons-configuration folder there's a JNDIConfiguration.class file.

Our third party provider has stated that this isn't an extension of their product.

My concern is that this is related to the latest Log4j exploit.

Does this mean SQL Server 2017 is vulnerable?


Accepted answer
  1. Leon Laude 85,781 Reputation points
    2021-12-15T16:38:27.027+00:00

    Hi @Sean ,

    Microsoft products do not by default ship or use Log4J, which means they are not directly vulnerable.

    The Log4J vulnerability concerns the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class.

    Note: Only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.

    Reference:
    https://logging.apache.org/log4j/2.x/security.html

    ----------

    If the reply was helpful please don't forget to upvote and/or accept as answer, thank you!

    Best regards,
    Leon

    2 people found this answer helpful.
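    The accepted answer turns on which class is actually present in a jar. The triage script below is an added example (not part of this thread and not Microsoft or Apache code) that tells the look-alikes apart: log4j-core 2.x that still contains the JndiLookup class named in the `zip -q -d` command, log4j-core 2.x with that class removed, a log4j 1.x jar (different package prefix), and a commons-logging jar whose Log4JLogger.class is only a bridge. The jar contents are constructed in memory for the demonstration; `scan_directory` is the hypothetical entry point for a real folder such as the SQL Server Jars directory.

```python
import io
import zipfile
from pathlib import Path

# Indicator paths. JNDI_LOOKUP is the exact entry the accepted answer deletes
# with `zip -q -d`; the others tell look-alike jars apart.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J2_CORE_PREFIX = "org/apache/logging/log4j/core/"
LOG4J1_PREFIX = "org/apache/log4j/"
COMMONS_BRIDGE = "org/apache/commons/logging/impl/Log4JLogger.class"

def classify_jar(jar_bytes: bytes) -> str:
    """Return a verdict for one JAR (a ZIP archive) given its raw bytes."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
    if JNDI_LOOKUP in names:
        return "log4j-core 2.x with JndiLookup: upgrade, or remove the class"
    if any(n.startswith(LOG4J2_CORE_PREFIX) for n in names):
        return "log4j-core 2.x without JndiLookup: class removed or fixed build"
    if any(n.startswith(LOG4J1_PREFIX) for n in names):
        return "log4j 1.x: different, end-of-life code base; assess separately"
    if COMMONS_BRIDGE in names:
        return "commons-logging bridge only: Log4JLogger.class is not lookup code"
    return "no log4j indicators"

def scan_directory(root: Path) -> dict:
    """Classify every .jar under *root* (e.g. the DTS Extensions Jars folder)."""
    return {str(p.relative_to(root)): classify_jar(p.read_bytes())
            for p in sorted(root.rglob("*.jar"))}

def _make_jar(entries) -> bytes:
    """Build a constructed in-memory JAR with empty entries (sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, b"")
    return buf.getvalue()

# Constructed samples named after the jars mentioned in the thread.
SAMPLES = {
    "commons-logging-1.1.3.jar": _make_jar([COMMONS_BRIDGE]),
    "log4j-1.2.17.jar": _make_jar(["org/apache/log4j/Logger.class"]),
    "log4j-core-2.x-sample.jar": _make_jar([JNDI_LOOKUP, LOG4J2_CORE_PREFIX + "Logger.class"]),
    "log4j-core-2.x-stripped.jar": _make_jar([LOG4J2_CORE_PREFIX + "Logger.class"]),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name}: {classify_jar(data)}")
```

    Run it as-is to see the four verdicts, or call `scan_directory(Path(r"C:\...\Jars"))` against a real folder; nested jars inside jars are not unpacked here.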

2 additional answers

  1. bruce musgrove 1 Reputation point
    2021-12-16T15:30:40.56+00:00

    Unfortunately it does. My default install of SQL Server 2019 installed an unpatched version of the file in question at C:\Program Files\Microsoft SQL Server\150\DTS\Extensions\Common\Jars\log4j-1.2.17.jar


  2. Tom Phillips 17,731 Reputation points
    2021-12-16T19:42:50.337+00:00

    SSIS ships with DRIVERS to connect to log4j sources. The drivers do NOT contain the product vulnerability.

