Share via

C:\Program Files\Microsoft SQL Server\MSSQL14.SQLSERVER2017\MSSQL\Binn\Polybase\Hadoop\Windows show log4j file in the system.

mithun Bindoriya 1 Reputation point
2021-12-27T13:27:22.463+00:00

Hi

i m using MS sql 2017 in my organization recently we scan the system with the log4j scanner and we found some of the vulnerable file in sql.
those are

Source: Manifest Vendor: Unknown, Manifest Version: Unknown, JNDI Class: NOT Found, Log4j Vendor: log4j, Log4j Version: 1.2.17
Path=C:\Program Files\Microsoft SQL Server\MSSQL14.SQLSERVER2017\MSSQL\Binn\Polybase\Hadoop\cloudera5_polybase.jar

log4j 1.2.17

Source: Manifest Vendor: Unknown, Manifest Version: Unknown, JNDI Class: NOT Found, Log4j Vendor: log4j, Log4j Version: 1.2.17
Path=C:\Program Files\Microsoft SQL Server\MSSQL14.SQLSERVER2017\MSSQL\Binn\Polybase\Hadoop\cloudera_polybase.jar

log4j 1.2.17

Source: Manifest Vendor: Unknown, Manifest Version: Unknown, JNDI Class: NOT Found, Log4j Vendor: log4j, Log4j Version: 1.2.17
Path=C:\Program Files\Microsoft SQL Server\MSSQL14.SQLSERVER2017\MSSQL\Binn\Polybase\Hadoop\hortonworks2_2_polybase.jar

log4j 1.2.17

Source: Manifest Vendor: Unknown, Manifest Version: Unknown, JNDI Class: NOT Found, Log4j Vendor: log4j, Log4j Version: 1.2.17
Path=C:\Program Files\Microsoft SQL Server\MSSQL14.SQLSERVER2017\MSSQL\Binn\Polybase\Hadoop\hortonworks2_polybase.jar

log4j 1.2.17

Source: Manifest Vendor: Apache Software Foundation, Manifest Version: 1.2.17, JNDI Class: NOT Found, Log4j Vendor: log4j, Log4j Version: 1.2.17
Path=C:\Program Files\Microsoft SQL Server\MSSQL14.SQLSERVER2017\MSSQL\Binn\Polybase\Hadoop\polybase.jar!log4j-1.2.17.jar

log4j 1.2.17

Source: Manifest Vendor: Unknown, Manifest Version: Unknown, JNDI Class: NOT Found, Log4j Vendor: log4j, Log4j Version: 1.2.17
Path=C:\Program Files\Microsoft SQL Server\MSSQL14.SQLSERVER2017\MSSQL\Binn\Polybase\Hadoop\polybase.jar

log4j 1.2.17

Source: Manifest Vendor: Apache Software Foundation, Manifest Version: 1.2.17, JNDI Class: NOT Found, Log4j Vendor: log4j, Log4j Version: 1.2.17
Path=C:\Program Files\Microsoft SQL Server\MSSQL14.SQLSERVER2017\MSSQL\Binn\Polybase\Hadoop\Windows\log4j-1.2.17.jar
log4j 1.2.17

All are available in the Polybase library

Regards
Mithun

SQL Server | Other
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. AmeliaGu-MSFT 14,011 Reputation points Microsoft External Staff
    2021-12-28T02:48:14.153+00:00

    Hi mithunBindoriya-6022,

    Thank you so much for bringing this issue to our attention.
    Microsoft is currently evaluating the presence of older versions of log4j shipped with some of the product components. While these files are not impacted by the vulnerabilities in CVE-2021-44228 or CVE-2021-4104, the respective engineering teams are assessing their use of these files to determine their long-term plans to address the end of life for Log4J 1.2.

    For the most up to date information on the issue status, please refer to the MSRC Advisory and Microsoft Security Threat Intelligence sites.

    Best Regards,
    Amelia

    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.