How to Update Log4j 1.x Used by Microsoft Integration Runtime

Diana Marie Jorillo 1 Reputation point
2022-01-13T08:06:43.923+00:00

Hello,

May I know if Microsoft has released instructions on how to update the Log4j 1.2.17.jar file used by Microsoft Integration Runtime (MIR)?

I understand that there's a blog post released saying 1.x is not included in the vulnerability and can therefore be ignored for now; however, we keep getting flagged by our organization because it is outdated. We have auto-update enabled for MIR and it tells us that it is up to date.

Thank you.


3 answers

  1. KarishmaTiwari-MSFT 19,872 Reputation points Microsoft Employee
    2022-01-13T09:00:03.487+00:00

    I understand that you have concerns about using Log4j.jar version 1.x, which has reached the end of its support lifecycle at Apache.

    Can you please let me know in which service you are using Microsoft Integration Runtime? Are you using Azure Data Factory or Synapse, or is it related to an AAD feature?
    Based on that, I can provide you with specific information on it.
    For example, the standard images for Azure Windows VMs with Windows 2016 and 2019 don't have Microsoft Integration Runtime installed by default; this integration runtime is installed when you connect the OS to Azure Data Factory instances or Synapse, or when installing Microsoft SQL etc.

    If your query is related to Azure Data Factory: currently, despite the fact that the version is out of lifecycle, since it is a stable version and not vulnerable, we don't consider a change or upgrade. Please do let us know if you encounter any issues with the tool using the library.

    Let us know if you have any further questions or concerns.

    1 person found this answer helpful.

  2. Evans, James W 1 Reputation point
    2022-01-24T18:46:15.263+00:00

    @Diana Marie Jorillo - I'm following this thread and hoping to hear a reply to prior questions. Is there an upgrade to MIR to handle log4j?


  3. Diana Marie Jorillo 1 Reputation point
    2022-02-04T11:23:09.43+00:00

    Hi everyone, after much digging we found a solution by Apache to migrate Log4j 1.x files to Log4j 2.x. I'm sharing the link here: Migrating from Log4j 1.x to 2.x

    There are two options:

    1. Option 1: use the Log4j 1.x bridge (log4j-1.2-api) - doesn't require changes to the application code
    2. Option 2: convert your application to the Log4j 2 API (log4j-api) - requires code changes

    We went with Option 1 because we obviously cannot access Microsoft Integration Runtime's code. Did some tests with our resources in ADF (pipelines, linked services) that used MIR and I'm happy to report that nothing was broken after testing.

    Hope this helps!

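Added example, not part of the original thread and not Microsoft or Apache tooling: after swapping in the bridge as in Option 1, this check tells an original Log4j 1.x jar apart from the `log4j-1.2-api` bridge (both ship `org.apache.log4j` classes) and reports whether the Log4j 2 jars the bridge forwards to are present. It assumes the jars carry Maven `pom.properties` metadata; the function names and the directory argument are this example's own.

```python
import re
import zipfile
from pathlib import Path

# Assumption: Maven-built jars carry META-INF/maven/<groupId>/<artifactId>/pom.properties.
POM = re.compile(r"META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")
LOG4J1 = ("log4j", "log4j")                 # coordinates of the original Log4j 1.x jar
GROUP2 = "org.apache.logging.log4j"         # groupId of the Log4j 2 family
BRIDGE_NEEDS = {"log4j-api", "log4j-core"}  # assumed companions the bridge forwards to


def identify(jar):
    """Return (kind, artifactId, version) for a jar path or file-like object."""
    with zipfile.ZipFile(jar) as zf:
        names = zf.namelist()
        for name in names:
            m = POM.search(name)
            if not m:
                continue
            group, artifact = m.groups()
            props = dict(
                line.split("=", 1)
                for line in zf.read(name).decode("utf-8", "replace").splitlines()
                if "=" in line and not line.startswith("#")
            )
            version = props.get("version", "unknown").strip()
            if (group, artifact) == LOG4J1:
                return ("log4j1", artifact, version)
            if group == GROUP2:
                kind = "bridge" if artifact == "log4j-1.2-api" else "log4j2"
                return (kind, artifact, version)
        # No Maven metadata: the package alone cannot separate 1.x from the bridge.
        if any(n.startswith("org/apache/log4j/") for n in names):
            return ("log4j1-or-bridge", None, "unknown")
    return ("other", None, None)


def audit(directory):
    """Scan *.jar under directory for leftover 1.x jars and missing bridge companions."""
    found = {}
    for path in sorted(Path(directory).rglob("*.jar")):
        try:
            found[str(path)] = identify(path)
        except zipfile.BadZipFile:
            found[str(path)] = ("unreadable", None, None)
    artifacts = {a for _, a, _ in found.values()}
    legacy = [p for p, (k, _, _) in found.items() if k in ("log4j1", "log4j1-or-bridge")]
    missing = sorted(BRIDGE_NEEDS - artifacts) if "log4j-1.2-api" in artifacts else []
    return {"jars": found, "legacy": legacy, "missing_for_bridge": missing}
```

An empty `legacy` list together with an empty `missing_for_bridge` list is the state to aim for after the swap; a `log4j1-or-bridge` result means the jar needs manual inspection.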
